If you publish SPF records for HELO identities only, then there will be
1 A or IP4 mechanism in the SPF record - one query per authentication,
just like the CSV standard. The extra cost and complexity comes when
validating MAIL FROM.

SPF does the HELO check only after doing the MailFrom check.
That's at least two queries, assuming none of the power of the SPF descriptive
record is used.

The ambiguity that requires using two different domain names is inherent in
conflating the semantics of mailfrom and helo into a single mechanism.

d/
---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net