--David <david(_at_)ols(_dot_)es> wrote:
> I really prefer to split things into simple and useful parts
> rather than trying to overload SPF. If SPF checks the envelope sender,
> let it do its job and don't overload and complicate its
> syntax; it's better to have a totally separate record for
> HELO checking.

David-

Did you get my two or three previous posts on this thread? You have
replied to others but didn't reply to me so I wanted to make sure you saw
what I wrote.

The quick summary version is-

1. HELO checking is already a part of all SPF implementations we are aware
of. It has been part of the spec for over a year. The discussion is not
whether to add it, but how do we live with it. We can do them separately
in the next version (Unified SPF).

2. Most folks can get by with one record for both. Most folks don't use
the same name for each, but they get forged HELO transactions all the time.
If they publish using -all they are protected anyway.

3. For the case where you really need a different policy for both, there is
a workaround: specify a -all policy only when the username is "postmaster"
and a ~all for all other usernames.

Footnote: By the way, "soft fail" ~all is actually quite a bit newer than
HELO checking :) So your particular problem wasn't really "caused" by the
introduction of HELO checking, it was caused by this new kind of failure
called "soft fail". If everyone could just publish -all then HELO checking
would work as originally intended.

Thanks for taking the time to read.

gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
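
The workaround in point 3, sketched as an added example that is not part of the original message: a single record that hard-fails only when the local part is "postmaster" (the local part SPF uses for a HELO check) and soft-fails everything else. The record shape (`-exists` with `%{l}`), the domain example.com, the `_helo` label, the addresses and the in-memory DNS table are all assumptions made for illustration, and the evaluator models only the three mechanisms this record uses.

```python
import ipaddress

# Constructed record for the hypothetical domain example.com: authorised hosts
# pass, "-exists" hard-fails only when the local part is "postmaster",
# and every other sender falls through to the soft-fail "~all".
RECORD = "v=spf1 ip4:192.0.2.0/24 -exists:%{l}._helo.%{d} ~all"

# Constructed stand-in for DNS: the only name under _helo that resolves.
FAKE_DNS_A = {"postmaster._helo.example.com": "127.0.0.2"}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand(spec, local, domain):
    """Expand the two SPF macros this record uses: %{l} and %{d}."""
    return spec.replace("%{l}", local).replace("%{d}", domain)


def check(record, ip, sender):
    """Evaluate ip4, exists and all left to right; the first match wins."""
    local, _, domain = sender.rpartition("@")
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "exists":
            matched = expand(arg, local.lower(), domain.lower()) in FAKE_DNS_A
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"mechanism not modelled: {name}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def check_helo(record, ip, helo_name):
    """A HELO identity has no local part, so "postmaster" is used."""
    return check(record, ip, f"postmaster@{helo_name}")
```

A side effect of this approach is that genuine mail from postmaster@example.com sent through an unlisted host also gets the hard fail, since the record cannot tell it apart from a HELO check.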