spf-discuss

RE: SPF HELO checking

2004-12-13 08:45:47
d) also if you want to protect your helo using spf you will have to
    do more than one workaround, in some cases you will not be able
    to do it without restrictions, and in most cases you will have to
    publish more complicated spf records that will require more than
    one dns lookup.

Yes, this is another concern (that of HELO protection) that was raised over
here that I didn't mention in my original post, but is a good point.  It
seems if you want to use the SPF solution to check the HELO, you have to
create overly complicated DNS records to ensure the receiver's query results
in a FAIL on forged HELO string such as a.a.a.a.forged.example.com.  Without
these records in place, the receiver simply receives a "record doesn't
exist".  Whereas with an A lookup, at least for the transition period to
full acceptance, the receiver would get a FAIL.

In the meantime and as helo checks are now (but only now) useful, why
not separate it from spf, make a simple and fast spf like variation
for them and use it until everybody has a strictly rfc compliant helo?

I guess that's the crux of my original question.  With either HELO checking
solution, we're going to have to push the internet community in one
direction that they are not currently going.  Either A) SPF checking the
HELO or B) Correct A records setup for their HELO strings.

So why go with the SPF option when the A record option seems easier and
gains us just as much protection with a faster implementation cycle?

-Brian.


Brian Barrios
703.265.7456 / IM: BrianAntiSpam
Antispam/Postmaster Group - America Online, Inc.
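
The two HELO checks compared in this message, run side by side over the same forged HELO string, as an added example that is not part of the original post. The zone contents, addresses and function names are constructed assumptions, and the SPF evaluator is reduced to ip4 and "all" terms only.

```python
import ipaddress

# Constructed zone data (assumption): example.com publishes SPF and an A
# record for its real mail host; nothing exists below forged.example.com.
ZONE = {
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("mail.example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 -all"],
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

def lookup(name, rtype):
    """Stand-in resolver over ZONE; returns [] when no record exists."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def helo_a_check(helo, client_ip):
    """Option B: the HELO name must have an A record equal to the client IP."""
    return "pass" if client_ip in lookup(helo, "A") else "fail"

def helo_spf_check(helo, client_ip):
    """Option A, simplified: evaluate ip4 and all terms of the HELO's SPF record."""
    records = [t for t in lookup(helo, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"  # the receiver only learns "record doesn't exist"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term in ("-all", "~all", "?all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}[term[0]]
    return "neutral"

def compare(helo, client_ip):
    """Return (SPF result, A-record result) for one HELO string and client IP."""
    return helo_spf_check(helo, client_ip), helo_a_check(helo, client_ip)

if __name__ == "__main__":
    for helo, ip in [
        ("mail.example.com", "192.0.2.10"),             # genuine host
        ("mail.example.com", "203.0.113.5"),            # forged, name has SPF
        ("a.a.a.a.forged.example.com", "203.0.113.5"),  # forged, no records
    ]:
        print(helo, ip, compare(helo, ip))
```

The third case is the one the message describes: the SPF lookup yields no result for the unpublished name, while the A lookup fails it outright.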

 



