Dave Crocker wrote:
> SPF does the HELO check only after doing the MailFrom check.
No, that would be stupid.  You've confused it with the special
case of MAIL FROM:<>.
 [2.2]
| SPF clients MUST check the "MAIL FROM" identity unless HELO
| testing produced a "fail".
 [2.4]
| For example, finding the sending host on a local white list
| may cause all other tests to be skipped and all mail from
| that host to be accepted.
The future draft -01, if it ever gets published, will replace
the MAY for HELO-checks by a SHOULD.
> The ambiguity that requires using two different domain names
> is inherent in conflating the semantics of mailfrom and helo
> into a single mechanism.
If you don't like the sender policy you've got for a HELO FQDN,
ignore it.  Nothing forces you to evaluate policies that are
overly complex or confusing.  One way to implement it could be:
- try CSV, exit with HELO-result if found
- try SPF, exit with HELO-result if policy is simple enough
- try CSV quasi-zone-cut steps 2..6 up to second level domain
Max. 8 DNS queries for my definition of "simple" (1+5 for CSV,
q=spf, q=txt for an overly complex = ignored SPF).  Bye, Frank
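The three-step HELO check sketched above, as an added illustration that is not code from the message, the SPF or the CSV drafts. It assumes a CSA record is an SRV at `_client._smtp.<name>`, defines "simple enough" as an SPF record with only a/mx/ip4/ip6 terms, and treats the "quasi-zone-cut steps 2..6" as walking up to five parent names down to the second-level domain; the resolver is an in-memory stub so the DNS budget can be counted offline.

```python
import re

# Constructed in-memory DNS view: name -> list of (rtype, rdata); no network access.
FAKE_ZONE = {
    "_client._smtp.mail.example.org": [("SRV", "1 2 25 mail.example.org.")],
    "smtp.example.net": [("TXT", "v=spf1 ip4:192.0.2.0/24 -all")],
    "a.b.c.d.e.f.example.com": [("TXT", "v=spf1 include:_spf.example.com -all")],
}

class CountingResolver:
    """Answers from the stub zone and counts every lookup for the DNS budget."""
    def __init__(self, zone):
        self.zone, self.queries = zone, 0
    def query(self, name, rtype):
        self.queries += 1
        return [data for t, data in self.zone.get(name, []) if t == rtype]

def csv_lookup(r, name):
    # Assumption: CSA lives as SRV at _client._smtp.<name>; any answer counts as "found".
    recs = r.query("_client._smtp." + name, "SRV")
    return recs[0] if recs else None

# Assumed definition of "simple enough": only a/mx/ip4/ip6 terms and a final "all".
SIMPLE_SPF = re.compile(r"^v=spf1( [+-]?(a|mx|ip4:\S+|ip6:\S+))* [-~?]?all$")

def spf_simple(r, name):
    # q=spf then q=txt; an overly complex policy is ignored (None), as in the message.
    for rtype in ("SPF", "TXT"):
        for rec in r.query(name, rtype):
            if rec.startswith("v=spf1"):
                return rec if SIMPLE_SPF.match(rec) else None
    return None

def helo_check(r, helo):
    """Return (source, name, record) following the order in the message."""
    csa = csv_lookup(r, helo)                      # step 1: CSV on the HELO name
    if csa:
        return ("csv", helo, csa)
    spf = spf_simple(r, helo)                      # step 2: SPF, only if simple
    if spf:
        return ("spf", helo, spf)
    # Step 3 (assumed reading of "steps 2..6"): at most 5 parents, down to 2nd level.
    labels = helo.split(".")
    for i in range(1, min(len(labels) - 2, 5) + 1):
        parent = ".".join(labels[i:])
        csa = csv_lookup(r, parent)
        if csa:
            return ("csv", parent, csa)
    return ("none", helo, None)

def check_with_budget(helo, zone=FAKE_ZONE):
    r = CountingResolver(zone)
    return helo_check(r, helo), r.queries        # worst case is 1 + 2 + 5 = 8 queries
```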