spf-discuss

Re: Re: HELO versus MAILFROM results

2005-05-05 13:00:18

Radu Hociung wrote:
Stuart D. Gathman wrote:

On Wed, 4 May 2005, Radu Hociung wrote:


Ok, the entity "mail.com Inc." owns some 100 (maybe more) domain names
that it offers free forwarding accounts at. A brief sampling is below:



Gotcha.


So tell me, what SPF records go where and why, and what information can
the recipient assert based on the SPF records?



No useful SPF records are possible for gardener.com unless they
also offer SMTP AUTH service for sending mail.


I think what you intend is the following:

gardener.com = v=spf1 +all

... Because mail.com has no idea where the various clients send from.



Exactly.

Mail.com needs to provide SMTP AUTH service before SPF is useful for its
domains.



Check!

As a free service, the gardener.com domain does not provide relay
privileges through mail.com's servers.

The question still is ... what should the out45.us4.outblaze.com TXT
record read?

Keep in mind that that same outgoing server may also serve lawyer.com,
which is a paid service, and does provide SMTP AUTH service, and may
publish an SPF record.

So the case is simple: the same outgoing MTA is used both for a free
service (for which no SPF record is possible), and for a paid service
(which may publish an SPF record).

The question remains.... what should out45.us4.outblaze.com publish as a
TXT record, and how will this work when the user at comcast gets mail
from Rose and from the Lawyer?

That TXT record will be fetched when comcast checks the HELO with SPF.

What flavor is the sky?

The domain for the From: is irrelevant to checking HELO or MAIL FROM.
In fact, the domain for MAIL FROM is irrelevant to the SPF check
for HELO, since HELO is only checked for MAIL FROM <>.

The SPF record for out45.us4.outblaze.com should probably be "+a -all"
(or the tuned equivalent), since no other machine, even at outblaze.com,
should be claiming to be out45.us4.outblaze.com.

As simple as that.

--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com   http://www.vocalabs.com/        
(952)941-6580x203
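An added example, not part of the original message or of any SPF library: a minimal Python sketch of the check discussed in this thread, covering only the `a`, `ip4` and `all` mechanisms. The IP addresses, the in-memory DNS tables, the sender address and the function names are constructed for illustration; the identity rule (HELO checked only for MAIL FROM <>) and the two records are the ones stated in the thread.

```python
import ipaddress

# Constructed zone data: the addresses come from the RFC 5737 documentation
# ranges, not from the real hosts. The TXT values are the records from the thread.
A_RECORDS = {"out45.us4.outblaze.com": ["192.0.2.45"]}
TXT_RECORDS = {
    "out45.us4.outblaze.com": "v=spf1 +a -all",
    "gardener.com": "v=spf1 +all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Evaluate the a, ip4 and all mechanisms of domain's SPF record for ip."""
    record = TXT_RECORDS.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            hosts = A_RECORDS.get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "ip4" and arg:
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism or modifier outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def spf_identity(helo, mail_from):
    """Pick the checked domain: HELO only for the null sender (MAIL FROM <>)."""
    if mail_from in ("", "<>"):
        return "helo", helo.lower()
    return "mailfrom", mail_from.strip("<>").rpartition("@")[2].lower()


def evaluate(ip, helo, mail_from):
    """Return (identity checked, domain queried, SPF result) for one session."""
    scope, domain = spf_identity(helo, mail_from)
    return scope, domain, check_host(ip, domain)
```

With these tables, a null-sender message from 192.0.2.45 passes the HELO check and the same HELO from any other address fails, while every address passes for gardener.com, so that pass tells the recipient nothing about the sender.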