spf-discuss

Re: SPF HELO checking

2004-12-22 10:09:34
"Roger Moser" <Roger(_dot_)Moser(_at_)rama(_dot_)pamho(_dot_)net> writes:

Lloyd Zusman wrote:

I'm writing to you directly, because I don't believe that my question is
pertinent to the general mailing list.

For some reason your reply was still sent to 
<spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>.

Yeah ... for some reason I forgot to change the address before sending
this reply. :)

But I can see now that this might be of general interest, so I'll keep
my response in this list.


When you say "the return-path is not empty", I assume that you're
referring to the envelope sender, correct?

I meant the "MAIL FROM" address. Also called "envelope sender", "return
path", "reverse path", "bounce address", or "2821 FROM".

Note that the following applies only in the case of an empty "MAIL FROM"
address.

[ ... ]

If I'm understanding this, it sounds like you are suggesting that the
HELO string is only checked here in the case of an empty return path,
correct?

No, the HELO string is checked if it is a valid host name with at least one
dot. (See below.)

But based on what you wrote above, I only perform this check of the HELO
string in the case of an _empty_ "MAIL FROM" address, which is what I
was asking about here.  So OK, I am following this so far.



By what you wrote, it seems that you suggest that the mail be _accepted_
here if there's an empty return path and HELO string is _not_ a valid
name.  Am I misunderstanding?

The HELO string is not checked if it is not a valid host name with at
least one dot, because there is nothing to check. You may reject such
mail or not, but that is the receiver's policy.

Ah ... I get it now.  When you write "checked", you mean checked via
SPF.

Out of curiosity, what is the general consensus as to the value of
rejecting mail with non-valid hostnames in the HELO string?


Otherwise, if there is an SPF record, check the SPF record.

... check the SPF record on the return path?  on the "mail from" string?
on the HELO string?  on more than one of these?

Check the SPF record of the HELO string. (The "MAIL FROM" address is empty.)

Got it.


Otherwise, use the SPF record "v=spf1 a ~all" or "v=spf1 a -all".

I suggest "~all" and not "-all". ('Best guess' policies must not have
"-all").

BTW. If you are doing SES (signed envelope sender) for outgoing mail, then
if the "MAIL FROM" address is empty, you don't have to check the HELO
string. You only have to check if the "RCPT TO" address is a valid address
signed by you.

Roger

Thanks for all of this.  It's now much clearer to me.


-- 
 Lloyd Zusman
 ljz(_at_)asfast(_dot_)com
 God bless you.
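
The empty-"MAIL FROM" procedure discussed in this message, sketched as an added Python example (not code from either poster or from any SPF implementation). The function names, the action labels and the `lookup_spf` callback are assumptions made for illustration, and the sample record is constructed.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
BEST_GUESS = "v=spf1 a ~all"  # the thread advises ~all, not -all, for guessed policies


def helo_is_checkable(helo):
    """True if HELO is a syntactically valid host name with at least one dot."""
    name = helo.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False  # "localhost", "" and similar: nothing to look up
    if labels[-1].isdigit():
        return False  # bare IPv4 address, not a host name
    return all(_LABEL.fullmatch(label) for label in labels)


def choose_helo_policy(mail_from, helo, lookup_spf):
    """Return (action, domain, record) for one SMTP transaction.

    lookup_spf(domain) is a caller-supplied function returning the published
    SPF record string or None; it stands in for a real DNS TXT query.
    """
    if mail_from not in ("", "<>"):
        # Non-empty envelope sender: the HELO rules from the thread do not apply.
        return ("check-mail-from", mail_from.rsplit("@", 1)[-1].strip("<>"), None)
    if not helo_is_checkable(helo):
        # Address literal, single label or junk: SPF has nothing to check,
        # so accepting or rejecting is the receiver's own policy.
        return ("local-policy", None, None)
    domain = helo.rstrip(".").lower()
    record = lookup_spf(domain)
    if record is not None:
        return ("check-helo", domain, record)
    return ("check-helo-best-guess", domain, BEST_GUESS)


# Constructed sample data (not real DNS content).
SAMPLE_SPF = {"mail.example.org": "v=spf1 ip4:192.0.2.10 -all"}

if __name__ == "__main__":
    for mf, helo in [("<>", "mail.example.org"), ("<>", "mx.example.net"),
                     ("<>", "[192.0.2.7]"), ("<>", "localhost"),
                     ("<user@example.com>", "mail.example.org")]:
        print(mf, helo, "->", choose_helo_policy(mf, helo, SAMPLE_SPF.get))
```

The returned record still has to be evaluated against the connecting IP by a real SPF library; this block only selects which identity and which record apply.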

