spf-discuss

Re: Outstanding draft issues that I've missed (was: HELO versus MAILFROM results)

2005-05-05 21:02:40
On Thu, 5 May 2005, Michael Elliott wrote:

> Would it not be appropriate to add:
>    "If the SPF record contains the %{l} macro and the MAIL FROM identity 
>    is not "<>", the HELO identity MUST NOT be checked due to its 
>    indeterminate nature."

This is only a problem if the HELO name is the same as the MAIL FROM domain.

Sane server management would assign a unique name to each MTA.  E.g.
smtp01.example.com
smtp02.example.com
etc
Each of those MTA FQDNs will have its own SPF record, and no need for %{l}.

Making the HELO name the same as the MAIL FROM domain causes other problems
unrelated to SPF.  For instance, if you have 100 mail servers with the same
name, there need to be 100 A records for that name.

If you do want to use the same name for all your outgoing MTAs, then
at least make it distinct from the MAIL FROM domain:

mailout.example.com

so that it can have its own SPF record for HELO checking.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
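
An added illustration of the case discussed in this message, not code from the original post or from any SPF implementation: it shows which record a HELO check and a MAIL FROM check evaluate, and what `%{l}` expands to in each. It assumes the rule later standardized in RFC 7208 section 4.3 that a sender with no local-part gets the local-part "postmaster"; the zone contents, the `_users` label and the function names are constructed for the example.

```python
import re

# Constructed sample zone: name -> SPF TXT record (not from the original post).
ZONE = {
    "example.com": "v=spf1 exists:%{l}._users.%{d} -all",
    "mailout.example.com": "v=spf1 a -all",
}

def split_sender(sender):
    """Return (local-part, domain); a bare domain gets local-part 'postmaster'."""
    local, at, domain = sender.rpartition("@")
    return (local, domain) if at and local else ("postmaster", domain)

def expand(term, sender, domain, helo):
    """Expand %{l}, %{o}, %{s}, %{d}, %{h} (no transformers) in one SPF term."""
    local, sender_domain = split_sender(sender)
    values = {"l": local, "o": sender_domain, "s": f"{local}@{sender_domain}",
              "d": domain, "h": helo}
    return re.sub(r"%\{([losdh])\}", lambda m: values[m.group(1)], term)

def evaluated_terms(identity, helo, mail_from):
    """Return (record name, expanded terms) for a 'helo' or 'mailfrom' check."""
    # For a HELO check the sender is the HELO name itself (no local-part).
    sender = helo if identity == "helo" else mail_from
    _, domain = split_sender(sender)
    record = ZONE.get(domain.lower())
    if record is None:
        return domain, None  # no SPF record published for this name
    terms = record.split()[1:]  # drop the "v=spf1" version tag
    return domain, [expand(t, sender, domain, helo) for t in terms]

if __name__ == "__main__":
    # HELO equal to the MAIL FROM domain vs. a distinct HELO name.
    for helo in ("example.com", "mailout.example.com"):
        for identity in ("mailfrom", "helo"):
            print(helo, identity,
                  evaluated_terms(identity, helo, "alice@example.com"))
```

With HELO set to `example.com`, both checks hit the same record and the HELO check queries the `postmaster` name rather than the real user's; with `mailout.example.com`, the HELO check reads a separate record that needs no `%{l}`.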