spf-discuss

Re: What to include...

2004-10-05 22:49:44
Hector Santos wrote:

Reject if .santronics.com  in .%CDN% and %CIP% != 208.247.131.9
Reject if .winserver.com   in .%CDN% and %CIP% != 208.247.131.9
Reject if .isdg.net        in .%CDN% and %CIP% != 208.247.131.9
Reject if .catinthebox.net in .%CDN% and %CIP% != 208.247.131.9

Yes, that makes sense.  In essence "whatever you say who you
are in your HELO, I'm certain that you are not me, because I'm
not talking to myself (like any MTA since the bronze age)".

It's the best you can extract from RfC mumble-82-mumble, in a
very strict interpretation.  If you want more (not covered by
these RfCs) you end up with hardcoding TLDs to catch weird
names like OEMcomputer without hitting the real tv, some rules
for HELO localhost and HELO [127.0.0.1], and so on.

So that's fine, but not part of SPF, you certainly don't need
a sender policy to implement RfC 82x.  As Meng said somewhere
in this thread, you _can_ also check the HELO against a v=spf1
sender policy, and it's even required for an empty MAIL FROM.

But otherwise (MAIL FROM not empty) it was only optional, and I
have no idea what all MUAs of the world do while talking to
their MSAs resp. their smart hosts.  My MUA says "HELO xyzzy",
which is plain nonsense, but no harm done.

But let's assume that it says "HELO xyzzy.claranet.de" while
talking to relay.claranet.de, then one thing is certain, the IP
of xyzzy.claranet.de is not my actual IP, and therefore the SPF
sender policy for xyzzy.claranet.de does not allow me to say
"HELO xyzzy.claranet.de".

Therefore it's okay that this check is "only" optional, you
don't want it on MSAs or smart hosts.  You only want it on an
MX while talking to strangers.
                               Bye, Frank
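
The four quoted rules, written out as an added Python example that is not part of the original post or of either poster's software. The function names and the `role` parameter are assumptions of this example, as is reading the `in .%CDN%` test as a suffix match on a label boundary. Skipping the check on a submission listener is also an assumption, mirroring the post's point that a client naming itself inside the provider's domain would otherwise be rejected there.

```python
import ipaddress

# Domains and address taken from the rules quoted in the post.
OWN_DOMAINS = ("santronics.com", "winserver.com", "isdg.net", "catinthebox.net")
OWN_IPS = {ipaddress.ip_address("208.247.131.9")}


def claims_own_name(helo: str) -> bool:
    """True if the HELO argument is one of our domains or a host below one.

    The leading dot mirrors the ".%CDN%" trick in the quoted rules: it makes
    "santronics.com" and "mail.santronics.com" match, but not
    "notsantronics.com". Matching only at the end of the name is this
    example's interpretation of the rule's "in".
    """
    name = "." + helo.strip().rstrip(".").lower()
    return any(name.endswith("." + domain) for domain in OWN_DOMAINS)


def check_helo(helo: str, client_ip: str, role: str = "mx") -> str:
    """Return "reject" or "accept" for one HELO/EHLO argument.

    role is "mx" for a listener that talks to strangers, anything else for a
    submission listener or smart host (hypothetical labels for this example).
    """
    if role != "mx":
        return "accept"  # own users may announce arbitrary names
    if claims_own_name(helo) and ipaddress.ip_address(client_ip) not in OWN_IPS:
        return "reject"  # the peer claims to be us, but we are not talking to ourselves
    return "accept"


if __name__ == "__main__":
    # Constructed sample sessions; client addresses are documentation ranges.
    samples = [
        ("mail.santronics.com", "192.0.2.10", "mx"),
        ("mail.santronics.com", "208.247.131.9", "mx"),
        ("notsantronics.com", "192.0.2.10", "mx"),
        ("xyzzy", "198.51.100.7", "mx"),
        ("mail.winserver.com", "192.0.2.10", "msa"),
    ]
    for helo, ip, role in samples:
        print(f"{role:3} HELO {helo:22} from {ip:15} -> {check_helo(helo, ip, role)}")
```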


