spf-discuss

Re: SPF HELO checking

2004-12-10 17:07:02
On Fri, Dec 10, 2004 at 08:30:46PM +0100, David wrote:
one step further ... I want my domain (ols.es) to have an SPF record
like "mx ~all", but I don't want anybody to use ols.es in the hello,
including me (as I always use full hostnames in my hello). How can
I specify this policy?

On Sat, 11 Dec 2004, Alex van den Bogaerdt wrote:
These also happen to be your MX records, and your SPF policy
is "mx ~all".

Once the "~all" is turned into "-all", only the MX records
would be able to use ols.es as HELO string.  The person controlling
those boxes will make sure this doesn't happen so I wonder what
the problem is?  (no, that is not a rhetorical question!)


Alex, I think you are right.  Probably the issue is that David wants a soft 
fail for most SPF checks, but a true failure for unauthorized uses of his 
domain in HELO.

Note that most legit mail will not HELO as the same domain that most of the 
users use for email.  Usually the HELO check will be done against a hostname, 
and the SPF check will be done against the email domain (probably not the same 
as the MX server names).

BUT the problem is all the viruses and spam sending to xyz.com and using HELO 
xyz.com to mislead you.  If you own xyz.com you should certainly not let other 
servers claim HELO xyz.com and get away with it.  This is why people often ask 
for a stronger HELO policy than their current SPF policy for that domain.  The 
answer for those users is to use the postmaster trick, or just wait until they 
are able to publish -all and then the problem will resolve itself.

--
Greg Connor
gconnor(_at_)nekodojo(_dot_)org

Everyone says that having power is a great responsibility.  This is a lot
of bunk.  Responsibility is when someone can blame you if something goes
wrong.  When you have power you are surrounded by people whose job it is
to take the blame for your mistakes.  If they're smart, that is. 
                -- Cerebus, "On Governing"
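
As an added illustration (not part of the original message and not code from any SPF library), this evaluates the thread's `mx ~all` policy and its `-all` variant for both the HELO name and the MAIL FROM domain. The MX addresses, the client addresses and the hostname `mailhost.ols.es` are constructed; only the `mx` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data standing in for DNS; addresses are documentation ranges.
MX_ADDRS = {"ols.es": ["192.0.2.10", "192.0.2.11"]}
SOFT = {"ols.es": "v=spf1 mx ~all"}    # policy quoted in the thread
STRICT = {"ols.es": "v=spf1 mx -all"}  # same policy once ~all becomes -all

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records):
    """Evaluate the record for `domain` against `ip`; only `mx` and `all` are handled."""
    record = records.get(domain.lower())
    if record is None:
        return "none"  # no policy published for this exact name
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    client = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism == "mx":
            mx_ips = [ipaddress.ip_address(a) for a in MX_ADDRS.get(domain.lower(), [])]
            if client in mx_ips:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not handled in this example
    return "neutral"  # record ended without a match


def check_session(ip, helo, mail_from, records):
    """Return the SPF result for the HELO identity and for the MAIL FROM domain."""
    return {
        "helo": check_host(ip, helo, records),
        "mailfrom": check_host(ip, mail_from.rsplit("@", 1)[-1], records),
    }


if __name__ == "__main__":
    # Unrelated host claiming the bare domain in HELO, under each policy.
    print(check_session("203.0.113.5", "ols.es", "someone@ols.es", SOFT))
    print(check_session("203.0.113.5", "ols.es", "someone@ols.es", STRICT))
    # Listed MX host using a full hostname in HELO (hypothetical name).
    print(check_session("192.0.2.10", "mailhost.ols.es", "user@ols.es", SOFT))
```

The HELO identity inherits whatever qualifier the domain's single record ends with, which is why a softfail policy cannot produce a hard HELO failure on its own.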

