spf-discuss

Re: Sending mail from dynamic IP-addresses with dynamic PTR hostnames, but constant EHLO/HELO hostnames

2005-05-26 01:03:30
Constantine A. Murenin wrote:

> On 25/05/05, Bill Taroli <bill(_dot_)taroli(_at_)billsden(_dot_)org> wrote:
>> How about putting a TXT record into your various "example" zone files,
>> each specifying a SPF policy of "v=spf1 mx a:home.example.name ?all".
>> Once you're satisfied things are working well, "?all" might go to "~all"
>> or "-all"
>
> [...] As of today, the page <URL:http://spf.pobox.com/mechanisms.html#a> reads:
>
> "All the A records for /domain/ are tested. If the client IP is found
> among them, this mechanism matches."

That's if you just use "a" on its own. If you qualify it with a name or IP address, it only applies to that. Likewise, by using "mx" without qualification, it means "any mx in this domain".

> Is there a way to utilise the EHLO/HELO hostname, which is provided by
> the MTA in the greetings part of smtp? I.e., I want to say that every
> MTA that claims to have a hostname of format *.example.name, provided
> that the domain resolves to the MTA's IP-address, is permitted to send
> my mail. That is much more simple and straightforward, isn't it? :-)
> And it does not reveal the structure of my network to strangers, does
> it?

You'll have to explain a bit more about exposing the structure of your network before it sinks in, I suspect. If I understand, I might not suggest calling your home MTA "home". :-) Why not call it "honeypot" instead? ;-)

The /format/ of the name isn't as important as the second part of your statement, which is the point. If you set up your policy such that a given host X matches your policy statement, then it will pass and signal to the receiver that you authorize that sender to do so on behalf of the domain in which the SPF policy appears.

If you know that the host(s) in question will all be MTAs (aka MX), then just use "mx". But I don't know how that insulates you from sharing the "structure" of your domain, since all I have to do to learn what your MTAs' names are is "dig <domain> mx". *shrug* So maybe I'm missing part of your point.... I'm slow sometimes. ;-)

Bill
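As an added illustration that is not part of the thread: a toy evaluator for the "a", "a:<domain>" and "mx" mechanisms Bill describes above, run against a constructed in-memory DNS table (all names and addresses below are made up; they stand in for the thread's example.name placeholders) so it needs no network. It shows that an unqualified "a" tests the SPF domain's own A records, that "a:home.example.name" tests only that name's A records (so a dynamic address keeps passing as long as the name is updated), and that "mx" tests the A records of every MX host, which is also why the MX list is as visible to a receiver as the policy itself. A host name that is not listed, such as the constructed laptop.example.name, falls through to "?all" even though it resolves, which is the gap between these mechanisms and the "any *.example.name host" wish in the quoted question.

```python
"""Toy SPF v1 evaluator for the 'a', 'a:<domain>', 'mx' and 'all' mechanisms.

Added example, not from the spf-discuss thread. The DNS data is a
constructed in-memory table standing in for real lookups.
"""
import ipaddress

# Constructed zone data (hypothetical hosts and documentation-range addresses).
DNS = {
    "example.name": {
        "A": ["192.0.2.10"],
        "MX": ["mail.example.name"],
        "TXT": ["v=spf1 mx a:home.example.name ?all"],  # policy from the thread
    },
    "mail.example.name": {"A": ["192.0.2.25"]},
    "home.example.name": {"A": ["203.0.113.7"]},      # dynamic-IP home MTA
    "laptop.example.name": {"A": ["198.51.100.4"]},   # resolves, but not listed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type `rtype` for `name` from the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def mx_hosts(domain):
    """What 'dig <domain> mx' would reveal: the MX host names of the domain."""
    return list(lookup(domain, "MX"))


def check_host(ip, domain):
    """SPF result for a connection from `ip` claiming MAIL FROM `domain`.

    Mechanisms are evaluated left to right; the first match decides the result
    via its qualifier. Mechanisms outside this toy (ip4, include, ...) raise.
    """
    client = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain               # bare 'a' / 'mx' use the SPF domain itself
        if mech == "all":
            matched = True
        elif mech == "a":
            # only the A records of `target` are tested, nothing else
            matched = any(ipaddress.ip_address(a) == client
                          for a in lookup(target, "A"))
        elif mech == "mx":
            # every MX host of `target`, then each of their A records
            matched = any(ipaddress.ip_address(a) == client
                          for host in lookup(target, "MX")
                          for a in lookup(host, "A"))
        else:
            raise ValueError(f"mechanism {mech!r} not implemented in this toy")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no match and no explicit 'all'


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.7", "198.51.100.4", "192.0.2.10"):
        print(ip, "->", check_host(ip, "example.name"))
    print("MX hosts visible to anyone:", mx_hosts("example.name"))
```

Note that 192.0.2.10, the domain's own A record, only gets "neutral": the policy uses "a:home.example.name", not a bare "a", so the domain apex is never tested, exactly as Bill's explanation of qualified mechanisms says.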