--Seth Goodman <sethg(_at_)GoodmanAssociates(_dot_)com> wrote:
> Sorry, I got the context completely wrong. If what is being proposed is
> to just check the HELO name against the SPF record for that name, if it
> exists, and fail only if there is a mismatch with the SPF record, I have
> no problem with that. It will catch some obvious forgeries, at least in
> the short term. As long as it doesn't fail for broken names like
> "localhost", then I guess there is no downside to it.

You are correct... that is the proposal on the table anyway. SPF already
does this in the case of MAIL FROM: <> but you would only risk losing
bounces in that case. The proposal was to allow HELO to FAIL if obviously
forged, and keep going with MAIL FROM if pass/unknown/softfail, and the
HELO checking would be optional anyway.
Unfortunately there is no way to protect against HELO localhost.localdomain
MAIL FROM: <> - that is out of the range of SPF. If people want to block
bounces (or all mail) from servers with clearly nonexistent HELO names,
that's their own business. (SPF also doesn't FAIL on nonexistent MAIL FROM
domains either, but it's assumed that your mailer does that anyway.)
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
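The policy discussed above (reject only on a HELO fail, otherwise fall through to the MAIL FROM check, with the null sender <> falling back to the HELO identity), as an added illustration that is not code from this thread or from any SPF implementation. The SPF records are constructed stand-ins for DNS lookups, and the evaluator understands only ip4 mechanisms and the all qualifier.

```python
import ipaddress

# Constructed records keyed by domain; a real implementation would query DNS TXT.
SPF_RECORDS = {
    "mx.example.com": "v=spf1 ip4:192.0.2.10 -all",
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example.net": "v=spf1 ip4:198.51.100.5 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Minimal SPF check (ip4 mechanisms and 'all' only).
    Returns none, pass, fail, softfail or neutral."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"  # 'localhost' or a nonexistent name: nothing to match, no fail
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def smtp_decision(helo, mail_from, client_ip, check_helo=True):
    """Returns (action, identity_checked, result) for one SMTP transaction.
    HELO checking is optional and only ever rejects on an outright fail;
    pass, none, neutral and softfail on HELO all continue to MAIL FROM."""
    if check_helo and evaluate_spf(helo, client_ip) == "fail":
        return ("reject", "helo", "fail")
    if mail_from in ("", "<>"):
        sender_domain = helo  # null sender: SPF already uses the HELO identity here
    else:
        sender_domain = mail_from.rsplit("@", 1)[-1]
    result = evaluate_spf(sender_domain, client_ip)
    return ("reject" if result == "fail" else "accept", "mailfrom", result)
```

With HELO checking off, a forged HELO on a bounce is still caught, but only because the null sender falls back to the HELO identity; a forged HELO with a non-null MAIL FROM is judged solely on the sender domain.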