spf-discuss

Re: SPF HELO checking

2004-12-10 14:55:24
On Fri, 10 Dec 2004, Commerco WebMaster wrote:

> I too like the idea of separating the HELO/EHLO processing from SPF, 
> perhaps because I am still not completely sure why helo checking is being 
> done.  Sorry to be clueless.

Do you mean "why should we authenticate the MTA"?  Or "why use SPF to 
authenticate the MTA"?  To answer the former, we want to authenticate
the MTA so we know who is responsible for a malicious or misconfigured
MTA.  This is *not* necessarily the same as the MAIL FROM domain.
For instance, example.com might outsource their email to mailisp.com.
Misconfigured MTAs are the direct responsibility of mailisp.com, and
only indirectly the responsibility of example.com.

To answer the second question.  We don't *need* to use SPF to
authenticate HELO.  Having HELO be a FQN that resolves to the IP of the MTA
authenticates the MTA equally as well as an SPF record - as is recommended
practice.  In fact, SPF records for HELO are invariably "v=spf1 a -all".
For instance, if an MTA at mailisp.com has a HELO name of mx123.mailisp.com
which resolves through DNS to its actual IP address - that tells you 
everything SPF could.  If MTAs at mailisp.com have a HELO name of
"mailisp.com", that is just dumb - but that is the practice people want to
accommodate by providing special SPF records for HELO.  Actually, publishing
A records for every MTA reporting 'mailisp.com' would still accomplish
the same thing (but make providing a web presence at that name problematic).

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
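
The equivalence described in the message above, as an added example that is not part of the original post: a plain forward-resolution check of the HELO name next to an SPF evaluation of the same name. The DNS tables, the IP addresses and the `ip4:` record for `mailisp.com` are constructed assumptions, and the SPF evaluator handles only the `a`, `ip4` and `all` mechanisms.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), not from the original post.
DNS_A = {
    "mx123.mailisp.com": ["192.0.2.23"],   # MTA with its own name
    "mailisp.com": ["198.51.100.80"],      # web presence, not an MTA
}
DNS_TXT = {
    "mx123.mailisp.com": ["v=spf1 a -all"],
    "mailisp.com": ["v=spf1 ip4:192.0.2.0/24 -all"],  # assumed "special" HELO record
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _name(helo):
    return helo.lower().rstrip(".")

def helo_forward_check(helo, client_ip, a_records=DNS_A):
    """Plain check: does the HELO FQDN resolve to the connecting IP?"""
    if helo.startswith("[") or "." not in _name(helo):
        return "none"  # address literal or bare name: nothing to verify
    ip = ipaddress.ip_address(client_ip)
    addrs = a_records.get(_name(helo), [])
    if not addrs:
        return "none"
    return "pass" if any(ip == ipaddress.ip_address(a) for a in addrs) else "fail"

def helo_spf_check(helo, client_ip, txt=DNS_TXT, a_records=DNS_A):
    """SPF on the HELO name, limited to the a, ip4 and all mechanisms."""
    records = [r for r in txt.get(_name(helo), []) if r.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "permerror" if records else "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(a)
                          for a in a_records.get(_name(helo), []))
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            return "permerror"  # mechanism not among a, ip4, all
        if matched:
            return QUAL[qual]
    return "neutral"

def compare(helo, client_ip):
    """Return (forward-resolution result, SPF result) for one connection."""
    return helo_forward_check(helo, client_ip), helo_spf_check(helo, client_ip)
```

For a per-host HELO name with `v=spf1 a -all` the two results always agree; they diverge only for the shared `mailisp.com` name, where the A record points at a web server and the SPF record carries the MTA addresses.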

