spf-discuss

Re: SPF HELO checking

2004-12-21 23:00:00
Lloyd Zusmann wrote:

I'm writing to you directly, because I don't believe that my question is
pertinent to the general mailing list.

For some reason your reply was still sent to 
<spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>.

If the return-path is not empty, check the SPF record for the MAIL FROM
domain and do not check the HELO string.

When you say "the return-path is not empty", I assume that you're
referring to the envelope sender, correct?

I meant the "MAIL FROM" address. Also called "envelope sender", "return
path", "reverse path", "bounce address", or "2821 FROM".

Note that the following applies only in the case of an empty "MAIL FROM"
address.

Otherwise, if the HELO string is not a valid host name with at least
one dot, accept the mail.

If I'm understanding this, it sounds like you are suggesting that the
HELO string is only checked here in the case of an empty return path,
correct?

No, the HELO string is checked if it is a valid host name with at least one
dot. (See below.)

By what you wrote, it seems that you suggest that the mail be _accepted_
here if there's an empty return path and HELO string is _not_ a valid
name.  Am I misunderstanding?

The HELO string is not checked if it is not a valid host name with at least one
dot, because there is nothing to check. You may reject such mail or not, but
that is the receiver's policy.

Otherwise, if there is an SPF record, check the SPF record.

... check the SPF record on the return path?  on the "mail from" string?
on the HELO string?  on more than one of these?

Check the SPF record of the HELO string. (The "MAIL FROM" address is empty.)

Otherwise, use the SPF record "v=spf1 a ~all" or "v=spf1 a -all".

I suggest "~all" and not "-all". ('Best guess' policies must not have
"-all").

BTW. If you are doing SES (signed envelope sender) for outgoing mail, then
if the "MAIL FROM" address is empty, you don't have to check the HELO
string. You only have to check if the "RCPT TO" address is a valid address
signed by you.

Roger
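
The decision order described in this message, as an added example that is not part of the original post: it only selects which identity and which SPF record a receiver would evaluate, and does not evaluate the record. The function names, the injected `lookup_spf` callable, the host-name rules and the sample records are assumptions made for illustration.

```python
import re

# Fallback record for a HELO name that publishes no SPF record ("~all", as suggested above).
BEST_GUESS = "v=spf1 a ~all"

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen (assumed rule).
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_checkable_helo(helo):
    """True if the HELO string is a valid host name with at least one dot."""
    name = helo.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    if labels[-1].isdigit():  # assumption: a bare IPv4 address is not a host name
        return False
    return all(_LABEL.fullmatch(label) for label in labels)

def select_spf_check(mail_from, helo, lookup_spf):
    """Return (identity, domain, record) for the SPF check to perform.

    lookup_spf is a hypothetical callable: domain -> SPF record text or None.
    """
    sender = mail_from.strip("<>")
    if sender:
        # Non-empty MAIL FROM: check its domain and do not check the HELO string.
        domain = sender.rsplit("@", 1)[-1].lower()
        return ("mailfrom", domain, lookup_spf(domain))
    if not is_checkable_helo(helo):
        # Nothing to check; rejecting such mail or not is the receiver's policy.
        return ("none", None, None)
    domain = helo.rstrip(".").lower()
    record = lookup_spf(domain)
    if record is None:
        return ("helo-best-guess", domain, BEST_GUESS)
    return ("helo", domain, record)

# Constructed sample data standing in for DNS TXT lookups.
SAMPLE_RECORDS = {"example.org": "v=spf1 mx -all",
                  "mail.example.net": "v=spf1 a -all"}

def sample_lookup(domain):
    return SAMPLE_RECORDS.get(domain)
```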

