> Personally, I am getting more confused as this discussion progresses.
>
>
> The machine name for our Sendmail server is Server1.yellowhead.com, and
> after discovering that it was not using this fully qualified name on the
> outbound HELO, it was corrected. However, this is not the name of any of
> the domains that it acts as mail server for. It is not possible to use the
> correct name for each domain on the HELO, because all but one of these
> domains are pseudo names. The only record you will find for
> Server1.yellowhead.com is an "A" record. There are no "MX" records or "TXT"
> records.
>
> What is the point of checking anything on the fully qualified domain name?
> The Host name (Server1) has no meaning: only the domain name
> (yellowhead.com) portion will produce any meaningful results as far as SPF
> is concerned.
the problem is that you can't tell where in the FQDN a domain actually stops
and becomes their ISP's or a TLD, which is why, to SPF, the "hostname" does
matter.
HELO au01.mta.mycompany.myisp.au.com
where in this fqdn do i stop checking for SPF records?
obvious stuff:
1. every mail domain requires an SPF record for its domain
2. every MTA that sends mail requires an SPF record for the HELO value it
uses
3. with an RFC2821.FROM value an MTA will look up the SPF record for the
RFC2821.FROM's domain and check if the connecting IP address is allowed to
send for that domain.
4. in the event of a "null" RFC2821.FROM (an NDR or spam) an MTA *may*
look up the SPF record for the RFC2821.HELO and check if the connecting IP
address is allowed to send for that domain.
5. some implementations *will* check HELO before or after checking FROM
(regardless of FROM's value)
in most cases points 1 and 2 are identical but there are some cases where
they are not. yours is one of them.
MTA is SERVER1.YELLOWHEAD.COM
ip address is 111.222.333.444, it has no MX records, it has an A record
so, to allow mail (Point 1) for YELLOWHEAD.COM to be sent via
SERVER1.YELLOWHEAD.COM we have:
(YELLOWHEAD.COM) v=spf1 a:SERVER1.YELLOWHEAD.COM/0 ?all
in other words any mail purporting to come from the domain YELLOWHEAD.COM
must come from the single ip address that was resolved from the dns A record
for SERVER1.YELLOWHEAD.COM. (the /CIDR needs to restrict it to a single
address and i was never any good at working those out so /0 could be the
wrong value for that purpose). If mail comes from any other ip address it
will get a NEUTRAL result (unless you really want to use -all here to FAIL
them instead - depends on how sure you are that mail will never come from
anywhere else).
and that takes care of your "normal" mail messages and implementations where
they don't check HELO.
but, if they do check HELO or you need to send an NDR (a bounce message with
a null FROM) then you need to show via SPF that SERVER1.YELLOWHEAD.COM is
allowed to send mail on behalf of the HELO it uses (Point 2) so we have:
(SERVER1.YELLOWHEAD.COM) v=spf1 a:SERVER1.YELLOWHEAD.COM/0 -all
in other words any mail purporting to come from the domain
SERVER1.YELLOWHEAD.COM must come from the single ip address that was
resolved from the dns A record for SERVER1.YELLOWHEAD.COM. (again check the
/CIDR). If mail comes from any other ip address then it gets a FAIL result
because we know that it will only ever come from this server.
in your case the *only* time a message will come from the domain
SERVER1.YELLOWHEAD.COM will be the NDR's from any of the hosted mail
domains.
and that takes care of your "other" mail messages and SPF implementations
where they do check HELO.
why is it good? HELO can be forged, FROM can be forged, if you don't check
the IP address against the HELO then null FROMs with forged HELOs can be
abused to get around SPF implementations where null FROMs are "ignored".
why is it bad? more dns lookups (but hopefully those get cached by an
internal dns server and the spf records have long timeouts).
What most people keep forgetting is that SPF (v1) is NOT a spam
filter/classifier, all it does is verify that an IP address is allowed to
send mail on behalf of the domain given in FROM and/or HELO.
you can still get spam from these people, just that now you can prove it's
really them that spammed you. not checking HELO means you still can't be
sure which domain really sent the message.
ps. sorry about the length of the post.
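The two-record setup described in the reply above (points 1 to 5: check the RFC2821.FROM domain, fall back to the HELO name for a null sender, and check the HELO name in its own right), worked through as an added example. This is not code from the original post or from any SPF library; it is a small evaluator with constructed zone data standing in for DNS. It assumes the address 203.0.113.25 (an RFC 5737 documentation address) for SERVER1.YELLOWHEAD.COM, and writes the "a:" mechanism with /32 since the post left the /CIDR open. It also shows what /0 would do: a /0 prefix on the resolved address matches every IPv4 address, which is the opposite of restricting the record to a single host. Only the a, ip4 and all mechanisms are implemented.

```python
"""Minimal SPF (v=spf1) evaluator for the HELO / MAIL FROM discussion.

Added example, not from the original post. DNS is replaced by the
constructed zone table below; only a, ip4 and all mechanisms are handled.
"""
import ipaddress

# Constructed zone data (assumption): A record for the MTA plus the two SPF
# TXT records from the post, with the CIDR written as /32 (single host).
DNS = {
    "A": {"server1.yellowhead.com": ["203.0.113.25"]},
    "TXT": {
        "yellowhead.com": ["v=spf1 a:server1.yellowhead.com/32 ?all"],
        "server1.yellowhead.com": ["v=spf1 a:server1.yellowhead.com/32 -all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Stand-in for a DNS query against the constructed zone data."""
    return DNS.get(rtype, {}).get(name.lower().rstrip("."), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None if absent or ambiguous."""
    recs = [t for t in lookup("TXT", domain) if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, record=None):
    """Evaluate the SPF record for `domain` against connecting address `ip`.

    `record` overrides DNS so that alternative records (e.g. the /0 variant
    from the post) can be tried. Returns none, pass, fail, softfail or neutral.
    """
    record = record or spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        body, _, cidr = term.partition("/")   # "a:host/32" -> "a:host", "32"
        mech, _, arg = body.partition(":")    # "a:host"    -> "a", "host"
        prefix = int(cidr) if cidr else 32    # no CIDR means the exact address
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            if addr in ipaddress.ip_network(f"{arg}/{prefix}", strict=False):
                return QUALIFIERS[qual]
        elif mech == "a":
            # Resolve the target (default: the domain itself) and compare the
            # connecting address against each A record, widened by the CIDR.
            for a_rec in lookup("A", arg or domain):
                if addr in ipaddress.ip_network(f"{a_rec}/{prefix}", strict=False):
                    return QUALIFIERS[qual]
        # other mechanisms are not implemented here and are skipped
    return "neutral"  # no mechanism matched and no "all" term


def check_message(ip, helo, mail_from):
    """Points 3 to 5 of the post: check the RFC2821.FROM domain, use the HELO
    name instead when the reverse-path is null (a bounce), and always report
    the HELO identity's own result as well."""
    identity = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    return {
        "identity": identity,
        "mailfrom": check_host(ip, identity),
        "helo": check_host(ip, helo),
    }


if __name__ == "__main__":
    # legitimate message from the MTA itself
    print(check_message("203.0.113.25", "server1.yellowhead.com", "u@yellowhead.com"))
    # same sender domain and HELO, but from some other address
    print(check_message("198.51.100.7", "server1.yellowhead.com", "u@yellowhead.com"))
    # bounce (null FROM) with a forged HELO: the HELO record catches it
    print(check_message("198.51.100.7", "server1.yellowhead.com", ""))
    # the /0 variant from the post: it passes every address
    print(check_host("198.51.100.7", "server1.yellowhead.com",
                     "v=spf1 a:server1.yellowhead.com/0 -all"))
```

Running it shows the split the post describes: a message from 203.0.113.25 passes on both identities; one from another address gets NEUTRAL for yellowhead.com (the ?all record) but FAIL for the HELO name (the -all record); and a null-sender bounce from a forged host fails because the HELO identity is what gets checked. The last call shows why the /CIDR matters: with /0 the forged host passes too, so for a single-address host either omit the CIDR or write /32.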