Mark Shewmaker wrote:
> If it's impractical to say:
>
>   o Check that the HELO string resolves to the incoming IP and reject
>     if this is not true,
>
> Would it be practical to say:
>
>   o Check that the HELO string resolves to the incoming IP. Reject
>     if this is not true *and* the HELO string has an SPF record.

Both would reject most mail from hotmail.com.
I suggest:
If the return-path is not empty, check the SPF record for the MAIL FROM
domain and do not check the HELO string.
Otherwise, if the HELO string is not a valid host name with at least one
dot, accept the mail.
Otherwise, if there is an SPF record, check the SPF record.
Otherwise, use the SPF record "v=spf1 a ~all" or "v=spf1 a -all".
Roger
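
The order of checks suggested in the message above, written out as an added example (not code from the original thread). The function names, the sample TXT data, the choice of "~all" for the fallback and the rule that a bare IPv4 address is not a host name are assumptions made for this illustration; a MAIL FROM domain with no SPF record is returned with record None, since the message does not say what to do then.

```python
import re

# Assumed fallback; the message offers "v=spf1 a ~all" or "v=spf1 a -all".
DEFAULT_HELO_POLICY = "v=spf1 a ~all"

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed TXT data standing in for DNS so the example runs offline.
SAMPLE_TXT = {
    "example.com": ["v=spf1 mx -all"],
    "mta.example.net": ["unrelated text record", "v=spf1 a -all"],
}


def sample_lookup(domain):
    """Hypothetical resolver: return the TXT strings for a domain."""
    return SAMPLE_TXT.get(domain, [])


def is_dotted_hostname(name):
    """True for a syntactically valid host name with at least one dot."""
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False
    if labels[-1].isdigit():  # assumption: bare IPv4 address, not a host name
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def find_spf(txt_records):
    """Pick the SPF record out of a domain's TXT records, if any."""
    for txt in txt_records:
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def select_spf_check(return_path, helo, txt_lookup):
    """Return (identity, domain, record) to evaluate, or ("accept", None, None)."""
    sender = return_path.strip().strip("<>")
    if sender:  # non-empty return-path: MAIL FROM only, HELO is ignored
        domain = sender.rpartition("@")[2].lower()
        return ("mailfrom", domain, find_spf(txt_lookup(domain)))
    if not is_dotted_hostname(helo):  # e.g. "localhost" or "[192.0.2.1]"
        return ("accept", None, None)
    domain = helo.rstrip(".").lower()
    return ("helo", domain, find_spf(txt_lookup(domain)) or DEFAULT_HELO_POLICY)
```
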