spf-discuss

RE: SPF HELO checking

2004-12-13 07:26:26
On Sat, 2004-12-11 at 02:31, David wrote:
We don't *need* to use SPF to authenticate HELO.  Having HELO be a FQN that resolves to the IP of the MTA authenticates the MTA equally as well as an SPF record - as is recommended practice.

Nowadays most MTAs fail this condition.

Another random comment:
 o  Check that the HELO string resolves to the incoming IP.  Reject
    if this is not true *and* the HELO string has an SPF record.


I think this is an interesting path worth looking into.  Simply checking the
string's A RR seems to get me everything I would get by doing an SPF lookup on
the HELO/EHLO domain.  The A lookup is also faster and cheaper in terms of
DNS lookups.

The answers I've seen so far boil down to:
1.  "This would fail most situations now".
2.  "Senders like hotmail would have to change".

These reasons do not seem significant enough to pass up on a good idea (if
it is a good idea).  Many things would fail in many situations now, such as
SPF checking on the HELO/EHLO or SPF with forwarding.  No matter what is
settled on, some people are going to have to change.  Why not focus on what
is best or ideal and move toward a goal?  We, like many ISPs, are more than
willing to change to move toward the best solution.  It just seems easier
for your average sys. admin. to implement a simple A lookup verification
than an SPF lookup verification, and from where I'm standing (with my simple
understanding), it seems to be a better option than using SPF for the
HELO/EHLO check.

I wouldn't mind hearing from the SPF experts as to why extending SPF and
making the algorithm more complicated buys us anything over a simple A
record check?

Thanks,
-Brian.

Brian Barrios
703.265.7456 / IM: BrianAntiSpam
Antispam/Postmaster Group - America Online, Inc.

But how often do they fail (for the non-forgery cases), when the HELO
string has an SPF record?

Does anyone know?

If it's impractical to say:

 o  Check that the HELO string resolves to the incoming IP and reject
    if this is not true,

Would it be practical to say:

 o  Check that the HELO string resolves to the incoming IP.  Reject
    if this is not true *and* the HELO string has an SPF record.

That would be an ideal solution!

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
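The two receiver-side policies discussed in this thread (the strict "HELO must resolve to the connecting IP" check, and the softer variant that rejects only when the HELO name also publishes an SPF record), written out as an added example; this is not code from the list or from any poster. The DNS data is a constructed in-memory stand-in and the host names are made up; a real MTA plugin would query a resolver in place of `fake_lookup`.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for DNS so the example runs offline.
# Keys are (name, rrtype); values are the records that name would return.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("mx1.example.net", "A"): ["192.0.2.10"],
    ("mx1.example.net", "TXT"): ["v=spf1 a -all"],      # resolves AND has SPF
    ("relay.example.org", "A"): ["198.51.100.7"],       # resolves, no SPF record
    ("mail.example.com", "TXT"): ["v=spf1 mx -all"],    # SPF record but no A record
}

Lookup = Callable[[str, str], List[str]]

def fake_lookup(name: str, rrtype: str) -> List[str]:
    """Answer a query from the constructed table; empty list means NXDOMAIN/NODATA."""
    return FAKE_DNS.get((name.lower().rstrip("."), rrtype), [])

def helo_resolves_to_ip(helo: str, client_ip: str, lookup: Lookup) -> bool:
    """True when one of the HELO name's A records is the connecting address."""
    wanted = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == wanted for a in lookup(helo, "A"))

def helo_has_spf(helo: str, lookup: Lookup) -> bool:
    """True when the HELO name publishes an SPF record (a TXT starting 'v=spf1')."""
    return any(txt.lower().startswith("v=spf1") for txt in lookup(helo, "TXT"))

def helo_verdict(helo: str, client_ip: str, policy: str,
                 lookup: Lookup = fake_lookup) -> str:
    """Return 'accept' or 'reject' for this HELO check only (not the whole message).

    policy 'strict':    reject whenever HELO does not resolve to the client IP.
    policy 'spf-gated': reject only when it does not resolve AND the HELO name
                        has an SPF record, so hosts that never published one
                        are not penalised.
    """
    if helo_resolves_to_ip(helo, client_ip, lookup):
        return "accept"
    if policy == "strict":
        return "reject"
    if policy == "spf-gated":
        return "reject" if helo_has_spf(helo, lookup) else "accept"
    raise ValueError(f"unknown policy {policy!r}")

if __name__ == "__main__":
    for helo in ("mx1.example.net", "relay.example.org", "mail.example.com"):
        for policy in ("strict", "spf-gated"):
            print(helo, "from 203.0.113.5 under", policy, "->",
                  helo_verdict(helo, "203.0.113.5", policy))
```

Under "spf-gated", `relay.example.org` is accepted from a mismatched address because it has no SPF record, while `mail.example.com` is rejected because it published one; under "strict" both are rejected.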

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf