Hector Santos wrote:
Straight from the SPF Draft:
2.2.1 Terms
This section defines important terms. They can be thought of as
variables in an SPF client. It is crucial that they be interpreted
correctly.
It is RECOMMENDED that the <responsible-sender> be drawn from the
envelope using this algorithm:
The <responsible-sender> comes from the domain name of the "MAIL
FROM" envelope sender. When the envelope sender has no domain, a
client MUST use the HELO domain instead. If the HELO argument does
not provide an FQDN, SPF processing terminates with "unknown".
This does not say anything about checking if the HELO response is forged
or spoofed.
This says: SPF checks the domain part of the envelope sender. When the
envelope sender is "<>", there is no domain part, so SPF uses the HELO
given as the domain part, because it has to check something, and this is
the closest we have in this case to the envelope sender's domain. SPF
has to look up the envelope sender in DNS, so if the HELO must be used
and cannot be looked up for some reason (like it's not a FQDN), SPF will
return "unknown".
8.3 Conformance with regard to sending e-mail systems
To be considered SPF-conformant, an SMTP sending host MUST resolve a
"pass" for all the SPF-conformant domains for which it sends mail.
When an SMTP host sends a message delivery status notification
message, it MAY use the null envelope sender:
MAIL FROM: <>
The sender host's HELO/EHLO command string MUST include the Fully
Qualified Domain Name of the sender host, and an SPF record MUST
exist for that FQDN for the host to be considered SPF-conformant.
For example: in a transaction with
HELO mx01.example.com
MAIL FROM: <>
an SMTP+SPF receiver will perform an SPF query of the form
mx01.example.com TXT
and expect a result such as
"v=spf1 ptr:example.com -all"
or
"v=spf1 a -all"
This says the same thing again, but worded differently with slightly
more detail and example.
I do not read any of this saying "SPF checks to see if the connecting IP
address matches the "A" record returned by a lookup of the FQDN of the
HELO response". It says "SPF uses the TXT record returned by the HELO
response instead of that from the domain name from the envelope sender
in the case of the return address "<>" which has no domain name".
However, I do agree with your main argument somewhat (or my
interpretation of it):
Since the "main point" of SPF (in my opinion) is to prevent forgeries of
email addresses, maybe it SHOULD also address forgeries of the HELO
domain in the case where the envelope sender is <>. In the case of the
"<>" address, a forged HELO is very similar to a forged "regular"
envelope sender.
On the other hand, I suppose one could argue that since "<>" is not a
real person but exclusively an autoresponder, no one is hurt by
mis-checking or even not checking "<>" for forgery -- no one receives
bounces to the "<>" address, so this is not "joe-jobbing" and SPF has
done its job.
--
Jim Ramsay
"Me fail English? That's unpossible!"
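As an added illustration of the two draft passages quoted above (not code from the draft, from Hector Santos, or from Jim Ramsay), the following Python sketch shows what an SPF-checking receiver does with the <responsible-sender> rule from 2.2.1 and the HELO example from 8.3: it takes the domain of MAIL FROM, falls back to the HELO name when the envelope sender is "<>" (returning "unknown" when that HELO is not an FQDN), fetches the v=spf1 TXT record for whichever name was chosen, and evaluates it against the connecting IP. The DNS table is constructed for the example, and only the "a", "ip4" and "all" mechanisms are implemented; "ptr", "mx" and "include" are assumed out of scope and yield "unknown".

```python
import ipaddress

# Constructed DNS data for the example (not real records): name -> {type: [values]}
DNS = {
    "mx01.example.com":   {"A": ["192.0.2.10"],    "TXT": ["v=spf1 a -all"]},
    "example.com":        {"A": ["192.0.2.1"],     "TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "bounce.example.net": {"A": ["198.51.100.5"],  "TXT": ["v=spf1 a -all"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve against the constructed table; a real receiver would query DNS here."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def is_fqdn(name):
    """Minimal FQDN test: at least two non-empty labels of letters, digits and hyphens."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(l and l.replace("-", "").isalnum() for l in labels)


def responsible_sender(mail_from, helo):
    """Section 2.2.1: domain of MAIL FROM; if it has none, the HELO domain;
    if the HELO is not an FQDN, None (the caller reports 'unknown')."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" in addr:
        return addr.rsplit("@", 1)[1].lower()
    # Null sender "<>" (or a bare local part): fall back to the HELO name.
    return helo.lower() if is_fqdn(helo) else None


def get_spf_record(domain):
    """Return the single v=spf1 TXT record for the domain, or None if absent/ambiguous."""
    recs = [t for t in lookup(domain, "TXT")
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def evaluate_spf(domain, client_ip):
    """Evaluate 'a', 'ip4' and 'all' (with +/-/~/? qualifiers) against client_ip.
    Other mechanisms are out of scope for this example and produce 'unknown'."""
    record = get_spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # Does the connecting IP match an A record of the named (or current) domain?
            target = arg or domain
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(target, "A"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "unknown"  # ptr/mx/include etc. not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def check(helo, mail_from, client_ip):
    """Full receiver-side check: pick the responsible sender, then evaluate its record."""
    domain = responsible_sender(mail_from, helo)
    if domain is None:
        return "unknown"
    return evaluate_spf(domain, client_ip)


if __name__ == "__main__":
    # The 8.3 example: HELO mx01.example.com, MAIL FROM:<>, record "v=spf1 a -all".
    print(check("mx01.example.com", "<>", "192.0.2.10"))   # pass: IP matches the A record
    print(check("mx01.example.com", "<>", "203.0.113.7"))  # fail: a forged HELO from elsewhere
    print(check("mx01", "<>", "192.0.2.10"))               # unknown: HELO is not an FQDN
```

With the "a -all" record from the draft's example, the check on the "<>" path does compare the connecting IP against the A record of the HELO name, so a HELO borrowed from another host yields "fail" rather than "pass"; a HELO that is not an FQDN short-circuits to "unknown" before any DNS query is made.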