David wrote:
ols.es. IN TXT "v=spf1 mx ~all" -> for mail from:
ols.es. IN TXT "v=hello -all" -> to prevent hello forgery
a.lon.olsns.net IN TXT "v=hello a -all" -> for my hello's
a.mad.olsns.net IN TXT "v=hello a -all" -> for my hello's
Makes sense, in the spirit of spf2.0/mfrom vs. spf2.0/hello.
But for v=spf1 we don't have it, and the council has already
decided to restore v=spf1 HELO as is in schlitt-01.
Your idea could be used to relaunch spf2.0 starting with a
new spf2.0/hello. We'd probably limit SPF for this purpose,
e.g. allow only PASS, anything else is a HELOFAIL.
The only way to force the same idea into v=spf1 would be an
op=helo option, not very pretty.
Generally v=spf1 could coexist with other HELO-schemes like
your v=hello, spf2.0/hello, or CSV:
If the other scheme says FAIL, you don't need v=spf1 in this
SMTP session, reject all mails. If the other scheme says
PASS, you don't need v=spf1 for a HELO check. You then only
use v=spf1 for normal MAIL FROM tests incl. the special case
postmaster@HELO for MAIL FROM:<>.
Therefore I don't worry about the future transition period from
pure v=spf1 to v=spf1 plus separate HELO-schemes. If a sender
offers only v=spf1, use it.
Bye, Frank
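
Added example, not part of the original message: a sketch of the receiver-side decision described above, showing which identities are still left for v=spf1 once a separate HELO scheme has returned its result. The names HeloResult and plan_spf1_checks are hypothetical, and treating "no separate HELO scheme published" as a fallback to the v=spf1 HELO check is an assumption drawn from "if a sender offers only v=spf1, use it".

```python
from enum import Enum


class HeloResult(Enum):
    """Outcome of a separate HELO scheme (v=hello, spf2.0/hello, CSV)."""
    NONE = "none"   # sender publishes no separate HELO scheme
    PASS = "pass"
    FAIL = "fail"


def plan_spf1_checks(helo_scheme, helo_name, mail_from):
    """Return (action, checks).

    action is "reject" or "continue"; checks lists the (identity, domain)
    pairs that still have to be evaluated against v=spf1 records.
    """
    helo_name = helo_name.lower().rstrip(".")

    # The other scheme says FAIL: v=spf1 is not needed in this session.
    if helo_scheme is HeloResult.FAIL:
        return "reject", []

    checks = []
    # Only fall back to the v=spf1 HELO check when no other scheme passed
    # (assumption: NONE means the sender offers only v=spf1).
    if helo_scheme is not HeloResult.PASS:
        checks.append(("helo", helo_name))

    # MAIL FROM is always tested with v=spf1; the null reverse-path <>
    # is replaced by postmaster@HELO before the test.
    sender = mail_from.strip().strip("<>")
    if sender == "":
        sender = "postmaster@" + helo_name
    domain = sender.rpartition("@")[2].lower()
    checks.append(("mfrom", domain))
    return "continue", checks


if __name__ == "__main__":
    # Constructed sessions using the host names from the quoted records.
    for result, sender in [(HeloResult.FAIL, "<user@ols.es>"),
                           (HeloResult.PASS, "<user@ols.es>"),
                           (HeloResult.PASS, "<>"),
                           (HeloResult.NONE, "<>")]:
        print(result.value, sender, plan_spf1_checks(result, "a.mad.olsns.net", sender))
```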