spf-discuss

RE: SPF HELO checking

2004-12-10 13:34:22

[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of David
The HELO domain should be checked if the return-path is empty.

In most cases the HELO domain is different to the return-path domain,
so a different SPF record is used.

In most cases real servers use a hostname in the HELO as
required by RFC, the problem is that many viruses try to use
a (forged) domain name in the HELO. All those viruses could
be stopped by just a single DNS lookup, but the problem is
that the SPF record for the domain holds the SPF policy for
the domain, not for the HELO.

OK the outgoing mail server is mail.example.com, the domain example.com

HELO mail.example.com 
201 OK
FROM me@example.com
201 OK

I do not need scope inside the SPF record, they are going to be different
anyway.

The only use for scope would be if it was somehow important to stop the
machine example.com sending out mail purporting to come from
me@mail.example.com.

I agree that there might be cases where that mattered but no way would I
ever take notice of the scope parameter. The chance of it being
misconfigured is greater than the chance that there was an intentional use
that was correct.

Engineers are results oriented, they are going to do what makes the system
work for them.

        Phill
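
The rule discussed in this message (check the HELO name when the return-path is empty, with mail.example.com and example.com each publishing their own record), as an added example that is not part of the original post. The records, IP addresses and function names are constructed, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (not real data).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/28 -all",     # MAIL FROM domain policy
    "mail.example.com": "v=spf1 ip4:192.0.2.10 -all",  # HELO hostname policy
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain, client_ip):
    """Evaluate an SPF subset (ip4, ip6, all) for one domain and client IP."""
    record = SPF_RECORDS.get(domain.lower().rstrip("."))
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"  # mechanism outside this example's subset
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def check_connection(client_ip, helo, mail_from):
    """Return (identity, domain, result) for the identity that gets checked."""
    if mail_from in ("", "<>"):
        # Empty return-path (e.g. a bounce): HELO is the only name to check.
        return ("helo", helo, evaluate_spf(helo, client_ip))
    domain = mail_from.strip("<>").rsplit("@", 1)[-1]
    return ("mailfrom", domain, evaluate_spf(domain, client_ip))

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "mail.example.com", "me@example.com"),  # normal mail
        ("192.0.2.10", "mail.example.com", "<>"),              # genuine bounce
        ("203.0.113.7", "mail.example.com", "<>"),             # forged HELO
        ("203.0.113.7", "example.com", "<>"),                  # forged bare domain
    ]
    for case in cases:
        print(case, "->", check_connection(*case))
```

Because the HELO hostname and the return-path domain resolve to different records, each identity is judged by its own policy without any scope marker inside the record.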

