Now I suspect that for many domains they do not want to have a global domain
policy like that and may want to specify it only for certain "from"
addresses, so it might be appropriate in some way to allow this modifier
to use a macro and redirect to some other record, but I have not come up
with good syntax for that yet (though I'm sure the people who are more
familiar with SPF macros can suggest something...).
Here is the syntax I could come up with in the last 30 minutes (it requires new
macros, specific to this type of header equivalency checking):
equivalent-headers = "eh" "=" eh_item
eh_item = eh_operand [headers-list] [additional_eh]
additional_eh = "," eh_item
eh_operand = "d" / "l" / "a" / "n" / eh_redirect
eh_redirect = "r" "?" macro-string
headers-list = "(" header-name [additional-header] ")"
additional-header = "," header-name [additional-header]
header-name = name
The operands mean:
d - match the domain portion of the header's email address to the domain part of mail-from
l - match the full email address of mail-from to the full address in the header
n - never matches (means the email can't have this header)
a - always matches; this is the default and basically means any header value
matches
With 3 new macros:
%{hn} - header name (i.e. "sender" or "from")
%{hl} - the header's full email address, with local part (i.e. like %{l})
%{hd} - the header's domain, without local part (i.e. like %{d})
When the header-list is not present, it is assumed to be (sender,from).
Note that if a match is found for the first header in the list, additional
headers are not matched, and if none matches that means the policy
is violated and the email may possibly be a forgery. The possibility also
exists that if we allow multiple "eh" modifiers then separate "eh"
modifiers could be used to specify required checking for some other header.
And some examples:
1. v=spf1 ip4:192.168.0.0/24 eh=d -all
Means that the domain portion of email addresses in "From:" or "Sender:"
should match what is in mail-from (i.e. the Return-Path header).
This would be the most common setting.
2. v=spf1 ip4:192.168.0.0/24 eh=l(sender),d(from)
Means if the "Sender:" header is present, attempt to match its full
email address to mail-from, and if it's not present attempt to
match the domain portion of "From:" to mail-from.
3. example.com. IN SPF "v=spf1 ip4:192.168.0.0/24 eh=r?%{hd}.%{hn}._spf -all"
example.com.sender._spf.example.com. IN SPF "v=spf1 eh=a ?all"
example.net.sender._spf.example.com. IN SPF "v=spf1 eh=a ?all"
example.org.sender._spf.example.com. IN SPF "v=spf1 eh=a ?all"
*.sender._spf IN SPF "v=spf1 eh=n ?all"
The above means that for mail-from having an email address at @example.com
the "Sender:" header address, if present, should have a domain portion of
either example.com, example.net or example.org.
---
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
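A toy evaluator for the "eh" modifier proposed in the message above, as an added example that is not part of the original message or of any SPF implementation. It parses the grammar given there (the d/l/a/n operands, the r?macro redirect, the optional header list with its (sender,from) default) and evaluates it against a mail-from address and the message headers with the first-match semantics the message describes. Everything beyond the grammar is my own assumption: records are served from an in-memory dict standing in for DNS (names without trailing dots, with DNS-style wildcard fallback), a redirect target name is taken relative to the mail-from domain so that example 3 resolves to the names shown, a redirected record is evaluated only against the header that triggered the redirect, a redirect whose target does not exist is treated as "no policy" rather than a failure, and redirect chains are capped the way SPF caps DNS lookups. The sample records and addresses are constructed from the examples in the message.

```python
"""Toy evaluator for the proposed 'eh' (equivalent-headers) SPF modifier.

Added example: not from the original message or any SPF implementation.
Assumptions (mine, not the proposal's): records come from an in-memory dict
instead of DNS, a redirect target name is relative to the mail-from domain,
a redirected record is evaluated against the header that triggered it, and
a missing redirect target means "no policy" for that header.
"""
import re

DEFAULT_HEADERS = ("sender", "from")
MAX_REDIRECTS = 10  # like SPF's lookup limit: stop runaway redirect chains

# One eh item: operand d/l/a/n or r?macro, with an optional "(hdr,hdr)" list.
ITEM_RE = re.compile(r"^(?P<op>[dlan]|r\?(?P<macro>[^(]*))(?:\((?P<hdrs>[^)]*)\))?$")

# Constructed records mirroring example 3 of the message (no trailing dots).
RECORDS = {
    "example.com": "v=spf1 ip4:192.168.0.0/24 eh=r?%{hd}.%{hn}._spf -all",
    "example.com.sender._spf.example.com": "v=spf1 eh=a ?all",
    "example.net.sender._spf.example.com": "v=spf1 eh=a ?all",
    "example.org.sender._spf.example.com": "v=spf1 eh=a ?all",
    "*.sender._spf.example.com": "v=spf1 eh=n ?all",
}


def split_items(value):
    """Split the eh= value on commas that are not inside a header list."""
    items, depth, cur = [], 0, ""
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return items


def parse_eh(record):
    """Return [(op, macro, header_names)] for the record's eh= modifier, None if absent."""
    m = re.search(r"(?:^|\s)eh=(\S+)", record)
    if not m:
        return None
    parsed = []
    for item in split_items(m.group(1)):
        im = ITEM_RE.match(item)
        if not im:
            raise ValueError("bad eh item: %r" % item)
        op = "r" if im.group("macro") is not None else im.group("op")
        hdrs = im.group("hdrs")
        names = tuple(h.strip().lower() for h in hdrs.split(",")) if hdrs else DEFAULT_HEADERS
        parsed.append((op, im.group("macro"), names))
    return parsed


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def expand(macro, name, addr):
    """Expand the three proposed macros: %{hn}, %{hl}, %{hd}."""
    return macro.replace("%{hn}", name).replace("%{hl}", addr.lower()).replace("%{hd}", domain_of(addr))


def lookup(records, qname):
    """Dict-backed stand-in for a DNS query, with wildcard fallback label by label."""
    if qname in records:
        return records[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        hit = records.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return None


def check_eh(mail_from, headers, record, records, only=None, hops=0):
    """Return 'pass', 'fail' or 'none'. headers maps lowercase header name -> address."""
    items = parse_eh(record)
    if items is None:
        return "none"
    examined = False
    for op, macro, hdrs in items:
        for name in (only or hdrs):
            addr = headers.get(name)
            if addr is None:
                continue  # header absent: fall through to the next item, as in example 2
            if op == "r":
                if hops >= MAX_REDIRECTS:
                    return "fail"
                qname = expand(macro, name, addr) + "." + domain_of(mail_from)  # assumed relative name
                target = lookup(records, qname)
                if target is None:
                    continue  # no policy published for this header (assumption)
                examined = True
                if check_eh(mail_from, headers, target, records, (name,), hops + 1) == "pass":
                    return "pass"
                continue
            examined = True
            if op == "a":
                return "pass"
            if op == "d" and domain_of(addr) == domain_of(mail_from):
                return "pass"
            if op == "l" and addr.lower() == mail_from.lower():
                return "pass"
            # "n" never matches; a d/l mismatch falls through to the next header or item
    return "fail" if examined else "none"


if __name__ == "__main__":
    print(check_eh("bob@example.com", {"sender": "news@example.net"}, RECORDS["example.com"], RECORDS))
    print(check_eh("bob@example.com", {"sender": "x@example.biz"}, RECORDS["example.com"], RECORDS))
```

Running it evaluates example 3 for a Sender: at example.net (the explicit record, eh=a) and at example.biz (caught by the wildcard record, eh=n), giving "pass" and "fail" respectively; the redirect cap matters because a record can redirect to a name that redirects back to it.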