spf-discuss

Re: Latest proposal re HELO checking: make HELO tests optional

2004-03-06 10:50:44
In <200403061617(_dot_)24532(_dot_)dan(_at_)boresjo(_dot_)demon(_dot_)co(_dot_)uk> Dan Boresjo <dan(_at_)boresjo(_dot_)demon(_dot_)co(_dot_)uk> writes:

> On Saturday 06 March 2004 15:39, Meng Weng Wong wrote:
> > Before, an SMTP+SPF receiver would only look at the HELO argument if the
> > return-path was blank.  Now, SMTP+SPF receivers MAY look at the HELO
> > argument all the time, and use it as the source of the
> > <responsible-sender>; if the HELO check returns a FAIL, the entire SPF
> > result is a FAIL and the SMTP receiver does not have to check the
> > return-path.  Otherwise, use the MAIL FROM return-path as the source of
> > the <responsible-sender> and proceed as usual.
>
> Can this make SRS redundant?


No, SRS (or something like it) is still needed.  The only thing that
has changed is that the SPF spec now says that you may check the HELO
string all the time, rather than just when a MAIL FROM:<> is given.


It is my understanding that the DRIP and DMP designated sender
proposals allow for the HELO string to give an automatic pass to the
message in certain cases.  This has never been true with SPF and is
not true with this change.  This doesn't mean that the local policy of
the MTA owner can't give these messages a pass and, in fact, such
local policies are likely to be a good idea.  SPF, however, doesn't
speak to such an issue.

See http://dumbo.pobox.com/~mengwong/tmp/comparisons/familytree.png
for a discussion on the differences between the various designated
sender proposals.


-wayne
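
The receiver-side flow discussed in this thread, as an added example that is not part of the original messages or of any SPF implementation. The records, domains, addresses and the `check_host`/`evaluate` helpers are constructed for illustration, and the evaluator understands only `ip4:` and `all`.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (documentation ranges).
RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",           # original sender
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",  # forwarding host
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Toy SPF evaluator (hypothetical helper): ip4: and all only."""
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:") and \
                ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:]):
            return QUALIFIERS[qual]
    return "neutral"

def evaluate(ip, helo, mail_from, check_helo_always=True):
    """Return (result, identity_used) following the quoted proposal.

    check_helo_always=False models the earlier behaviour: HELO is only
    consulted when the return-path is blank (MAIL FROM:<>).
    """
    return_path_blank = mail_from == ""
    if return_path_blank or check_helo_always:
        helo_result = check_host(ip, helo)
        # A HELO FAIL ends the evaluation; a blank return-path has no
        # other identity to fall back on.
        if helo_result == "fail" or return_path_blank:
            return helo_result, "helo"
    # HELO did not fail. That is not a pass for the message: the
    # return-path is still checked, as the reply points out.
    domain = mail_from.rsplit("@", 1)[-1]
    return check_host(ip, domain), "mail-from"

if __name__ == "__main__":
    # Forwarded mail: the forwarder's HELO passes, the unrewritten
    # return-path still fails, so something like SRS is still needed.
    print(evaluate("198.51.100.9", "forwarder.example", "alice@example.org"))
    # Forged HELO: rejected on HELO alone when the optional check is enabled.
    print(evaluate("203.0.113.7", "example.org", "bob@unlisted.example"))
```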