spf-discuss

RE: SPF HELO checking

2004-12-10 13:25:27
The SPF docs should add a section to do HELO verification purely for reasons
of practical politics. The IETF is about to charter a group to work on CSV
which is basically a different syntax for the SPF record to support a
completely different form of checking.

As one prominent Washington technology lobbyist put it to me, 'I read the
report from the FTC meeting, I was really disappointed that the technical
community could not get it together and present a united front'. From a
strictly tactical point of view we need to add HELO checking as one of the
interpretations of SPF records. That way CSV is a subset of SPF
functionality without any deployed base, it is for all intents and purposes
dead as a viable technical standard.


On the issue of what people should be 'allowed' to do with headers, forget
it. The only way that anyone can gain any leverage in that respect is to
file a patent.

Think through for a moment what you as an email SENDER are trying to achieve
with your record. You are A) attempting to increase the probability that your
mail gets through and B) attempting to decrease the probability that someone
can impersonate your email address.

The HELO approach does nothing of use on B, there is no point impersonating
an address that is never seen but with accreditation it does provide a means
to address A.

Exactly why would you care about the method someone used to decide to accept
your email if it worked?


When it comes to failure modes of HELO consider the motive for someone to
spoof, what would be the reward? We have our three possible responses, PASS,
FAIL, INDETERMINATE.

HELO example.com

PASS - If it works then that's ok.
FAIL - Why would anyone fake this? Most likely a misconfiguration
INDETERMINATE - No SPF record for example.com


Recipients should probably treat FAIL and INDETERMINATE the same way, the
email just goes through the spam filter as normal. The only special
treatment should be on PASS depending on the accreditation linked, possibly
getting a complete bypass of the filter but otherwise getting a bonus to add
to the filter score.

The only special processing for FAIL would probably be some informative 'hey
you have a misconfig' report.
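
The recipient-side handling described in the message above, as an added example that is not part of the original post: a HELO identity is checked against an SPF record and only PASS changes how the spam filter treats the mail. The record table, the accreditation list, the scores and the function names are constructed assumptions, only `ip4` and `-all` terms are evaluated, and giving an unaccredited PASS no bonus is also an assumption.

```python
import ipaddress

# Constructed sample data (assumptions, not from the post): SPF records keyed
# by HELO domain, and an accreditation list giving a bypass or a score bonus.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 -all",
}
ACCREDITED = {"example.com": "bypass", "mail.example.net": 2.5}

def check_helo(helo_domain, client_ip):
    """Return PASS, FAIL or INDETERMINATE for the HELO identity.
    Simplified evaluation: only ip4 mechanisms and '-all' are understood."""
    record = SPF_RECORDS.get(helo_domain.lower().rstrip("."))
    if record is None or not record.startswith("v=spf1"):
        return "INDETERMINATE"  # no SPF record for the HELO domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "PASS"
        if term == "-all":
            return "FAIL"
    return "INDETERMINATE"

def apply_policy(helo_domain, client_ip, spam_score, threshold=5.0):
    """Return (result, verdict, notes). Only PASS gets special treatment;
    FAIL and INDETERMINATE both go through the spam filter as normal."""
    domain = helo_domain.lower().rstrip(".")
    result = check_helo(domain, client_ip)
    notes = []
    if result == "PASS":
        accreditation = ACCREDITED.get(domain)
        if accreditation == "bypass":
            return result, "accept", notes  # complete bypass of the filter
        if accreditation is not None:
            spam_score -= accreditation     # bonus applied to the filter score
    elif result == "FAIL":
        # Informative report only; the verdict is still left to the filter.
        notes.append(f"possible misconfig: {client_ip} not authorised for HELO {domain}")
    verdict = "accept" if spam_score < threshold else "reject"
    return result, verdict, notes

if __name__ == "__main__":
    for args in [("example.com", "192.0.2.10", 9.0),
                 ("example.com", "203.0.113.5", 6.0),
                 ("unknown.example.org", "203.0.113.5", 6.0)]:
        print(args, "->", apply_policy(*args))
```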

