spf-discuss

Re: SPF HELO checking

2004-12-13 08:44:38
In <1d2(_dot_)2d8aaab5(_dot_)2eef0094(_at_)aol(_dot_)com> "Brian Barrios" 
<brianantispam(_at_)aol(_dot_)com> writes:

I wouldn't mind hearing from the SPF experts as to why extending SPF and
making the algorithm more complicated buys us anything over a simple A
record check?

No one is talking about extending SPF.  SPF was extended to
support HELO checking a long time ago.

I don't think anyone is claiming that the HELO checking supported by
SPF is optimal.  It does, however, allow for some things that simple A
RR checking can not.  Consider:

www.example.com.   IN A   1.2.3.4
www.example.com.   IN TXT "v=spf1 -all"

Checking the A record would allow www.example.com to be used in the
HELO command.  Checking the SPF record would deny it.



In <41BDB07F(_dot_)1090305(_at_)ols(_dot_)es> David <david(_at_)ols(_dot_)es> 
writes:

a couple of things about it:

a) rfc says what everybody must use in the helo, maybe it will be better
    to just enforce it.

RFC2821 also says that you can't enforce it.


b) why complicate spf with helo checking when all this checking could be
    avoided by viruses/spam just using the correct ip literal in the helo

Many mail admins reject on IP literals.


c) helo checks in spf do not exist,

Please stop claiming things that are obviously wrong.  SPF HELO checks
have existed in limited forms for +18 months and as an option for all
cases for 6+ months.  This can be verified by simply checking the SPF
specs and the many SPF implementations.



    So people
    are publishing spf records without thinking that the rest of the world
    will use them to check his helo's, so it's not good to use spf to
    check the helo when the spf record publishers have not published it
    for this purpose

This is not true if people either 1) read the SPF specs, or 2) use the
SPF wizard at spf.pobox.com.



-wayne
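
The contrast drawn above between an A record check and an SPF check of the HELO name, as an added example (not code from this thread or from any SPF implementation). It evaluates only the `all`, `a` and `ip4` mechanisms against a constructed in-memory zone; `mail.example.com` and its records are hypothetical additions next to the two records quoted in the message.

```python
import ipaddress

# Constructed zone data: the www.example.com records quoted in the message,
# plus a hypothetical mail.example.com that may use its own name in HELO.
ZONE = {
    ("www.example.com", "A"): ["1.2.3.4"],
    ("www.example.com", "TXT"): ["v=spf1 -all"],
    ("mail.example.com", "A"): ["1.2.3.5"],
    ("mail.example.com", "TXT"): ["v=spf1 a -all"],
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def a_record_check(helo, client_ip):
    """Accept the HELO name if one of its A records equals the client IP."""
    return client_ip in ZONE.get((helo, "A"), [])


def spf_helo_check(helo, client_ip):
    """Evaluate the HELO name's SPF record (all, a and ip4 only)."""
    records = [t for t in ZONE.get((helo, "TXT"), [])
               if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in ZONE.get((helo, "A"), [])
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            return "permerror"  # mechanism outside this sketch's subset
        if matched:
            return RESULTS[qualifier]  # first matching mechanism decides
    return "neutral"  # record present but no mechanism matched


if __name__ == "__main__":
    for name, ip in [("www.example.com", "1.2.3.4"),
                     ("mail.example.com", "1.2.3.5")]:
        print(name, ip, a_record_check(name, ip), spf_helo_check(name, ip))
```
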

