spf-discuss

Re: SPF HELO checking

2004-12-10 15:22:40

I agree that Greg's workaround will work, but at the expense of an extra DNS
request as a result of the redirect, and this expense applies equally both
to those doing SPF verification on HELO and MAIL FROM (and it also
relies on the undocumented technique of considering no local part to be
the same as postmaster).

Since we know that hostnames used in HELO names are usually unique and
not used for MAIL-FROM, it would be better to separate those, and so
we'd have "-all" for the MFROM scope and then a specific HELO SPF record,
and in the case when they are used together (same name for both mail-from
and in HELO) there would be a separate record which is available immediately
without an extra DNS lookup.

I believe we're still at the point where only very few have actually published
SPF records for HELO as opposed to SPF records for MAIL-FROM, so it would
not be too late to actually add scope-specific info and do it right from
the start.

On Fri, 10 Dec 2004, Greg Connor wrote:

On Fri, 10 Dec 2004, william(at)elan.net wrote:
one step further ... I want my domain (ols.es) to have an SPF record
like "mx ~all", but I don't want anybody to use ols.es in the HELO,
including me (as I always use full hostnames in my HELO). How can
I specify this policy?

Right now you cannot; I've made this point on this list before too.

Not exactly true, I posted a suggested workaround for this about a week ago.
(Sat Dec 04 9:17)  Basically the idea is that when you are checking HELO,
there is no "localpart" (i.e. username), so most implementations use the
string "postmaster" when asked for the localpart %{l}.

So the following recipe places a -all restriction on mail from
postmaster(_at_)example(_dot_)com and ?all for all other mail from
example.com, which has the practical effect of also limiting HELO use of that name.

nekodojo.org.                 IN  TXT  "v=spf1 mx ptr redirect=%{l}._spf.nekodojo.org"
postmaster._spf.nekodojo.org. IN  TXT  "v=spf1 -all"
*._spf.nekodojo.org.          IN  TXT  "v=spf1 ?all"

The part before the redirect= should be whatever your SPF record normally has
in it (a, mx, ptr, ip4, etc).  If nothing flags a result by the time it gets
to redirect=, it will refuse for postmaster (and HELO) and be unknown for
everyone else.  (You can also use this to give a specific policy for certain
senders.)

Thanks
gregc

--
Greg Connor
gconnor(_at_)nekodojo(_dot_)org

Everyone says that having power is a great responsibility.  This is a lot
of bunk.  Responsibility is when someone can blame you if something goes
wrong.  When you have power you are surrounded by people whose job it is
to take the blame for your mistakes.  If they're smart, that is. 
                -- Cerebus, "On Governing"



-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
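Greg's %{l} redirect recipe, as an added example that is not code from the thread: a toy spf1 evaluator over a constructed zone copying his three TXT records. It expands %{l} (absent local part becomes "postmaster", the implementation convention Greg relies on), falls back to the *._spf wildcard, and records every name queried so the extra lookup William objects to is visible. The mx/ptr mechanisms are abstracted into a sender_ip_matches flag since no real DNS is consulted.

```python
import re

# Constructed zone mirroring the records posted in the thread (no real DNS is used).
ZONE = {
    "nekodojo.org": "v=spf1 mx ptr redirect=%{l}._spf.nekodojo.org",
    "postmaster._spf.nekodojo.org": "v=spf1 -all",
    "*._spf.nekodojo.org": "v=spf1 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, lookups):
    """Return the TXT record for name (or its *.parent wildcard); append name to lookups."""
    lookups.append(name)
    if name in ZONE:
        return ZONE[name]
    parent = name.split(".", 1)[1]
    return ZONE.get("*." + parent)


def expand(macro_string, localpart, domain):
    """Expand %{l} and %{d}; a missing local part (HELO check) becomes 'postmaster'."""
    table = {"l": localpart or "postmaster", "d": domain}
    return re.sub(r"%\{([ld])\}", lambda m: table[m.group(1)], macro_string)


def check(domain, localpart=None, sender_ip_matches=False, lookups=None):
    """Evaluate the spf1 record for domain; returns (result, list of names queried).

    sender_ip_matches stands in for the a/mx/ptr DNS tests (hypothetical abstraction).
    """
    lookups = [] if lookups is None else lookups
    record = lookup_txt(domain, lookups)
    if record is None:
        return "none", lookups
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only used if no mechanism matched
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all" or (mech in ("a", "mx", "ptr") and sender_ip_matches):
            return QUALIFIERS[qualifier], lookups
    if redirect:
        return check(expand(redirect, localpart, domain), localpart, sender_ip_matches, lookups)
    return "neutral", lookups
```

A HELO check from a non-MX host fails after two queries, a MAIL FROM for any other local part is neutral after two queries, and a genuine MX host passes on the first record without ever reaching the redirect.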

