So, I would highly recommend against converting softfail into fail.
Doing so will cause publishers of SPF records to be reluctant to use
softfail. If they could confidently state that the message was a
forgery, they would have used fail, not softfail.
--David <david(_at_)ols(_dot_)es> wrote:
that's clear when you test the envelope sender. Now let's suppose that
you want to spf-test a HELO argument and you get 'softfail', it's
almost sure that the domain owner has used softfail to avoid breaking
forwarding. On the other hand it makes no sense to allow any unknown host
to use your domain in the HELO, but as you are not able to specify a
softfail for envelope sender tests and a fail for helo's, maybe a
softfail could be safely 'converted' to a fail when testing helo's.
I understand the reasons why you might want to specify a tighter, more
restrictive policy on HELO than on MAIL FROM with regard to your domain.
Here's another example: what if your own mail servers HELO with
mail1.example.com and mail2.example.com, and NO servers should ever HELO
with just "example.com". It's overloading the "example.com" SPF record to
use it for both.
However, I had made the suggestion NOT to add more complexity to the SPF
record, to NOT make HELO handling different from MAIL FROM handling, for
two reasons. First, because HELO is an add-on option, it is not really the
true reason for SPF to be created, it's a fallback mode designed for MAIL
FROM: <> that MAY have some usefulness for other mail, but I don't think
it's worth confusing people more by adding stuff to the language.
Second, I think there are ways to get around the issue by using macros.
Here is an example. Let's say my SPF record is:
example.com. IN TXT "v=spf1 ptr a mx ~all"
That gives a softfail for everything not from my designated sources, so
nothing ever completely fails. I could alter this slightly to add an
exists lookup and an extra A record:
example.com. IN TXT "v=spf1 ptr a mx -exists:%{l}.restricted.example.com ~all"
postmaster.restricted.example.com. IN A 127.0.0.2
This is basically saying "Just about anybody *might* send mail from
anywhere, but not as postmaster. If postmaster@example.com is ever used
for outgoing mail, it should only be accepted based on 'ptr a mx'."
And this would block HELO usage as well (since HELO checking uses
"postmaster" as the local part).
Now, granted, this is not an elegant solution, but the times when you would
want to restrict HELO more tightly than MAIL FROM are probably rare enough,
that a macro-based solution is probably better than altering the SPF
language, or altering the way softfail works, at this point.
feedback appreciated :)
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
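
The left-to-right evaluation of the record proposed in the message above, as an added example that is not part of the original post. The DNS data, the IP addresses and the helper names are constructed for illustration, and "ptr a mx" is collapsed into one assumed set of designated hosts.

```python
import re

# Constructed sample data: a stand-in for DNS, not real records.
A_RECORDS = {"postmaster.restricted.example.com": ["127.0.0.2"]}
DESIGNATED = {"192.0.2.10"}  # assumed: hosts that match "ptr a mx" for example.com
RECORD = "v=spf1 ptr a mx -exists:%{l}.restricted.example.com ~all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand(spec, local, domain):
    """Expand only the %{l} and %{d} macros, which is all this record needs."""
    values = {"l": local, "d": domain}
    return re.sub(r"%\{([ld])\}", lambda m: values[m.group(1)], spec)


def check(ip, sender, record=RECORD):
    """Evaluate terms left to right; the first matching mechanism decides.

    `sender` is either a MAIL FROM address or a bare HELO name. A HELO
    identity has no local part, so "postmaster" is used for %{l}.
    """
    local, _, domain = sender.rpartition("@")
    local = local or "postmaster"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ptr", "a", "mx"):
            matched = ip in DESIGNATED  # simplification of three DNS checks
        elif name == "exists":
            matched = bool(A_RECORDS.get(expand(arg, local, domain).lower()))
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"mechanism not handled here: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

Because "ptr a mx" is tested before the exists term, a designated host still passes as postmaster or in HELO; only undesignated hosts reach the -exists term and fail.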