On Sat, 9 Jul 2005, David Woodhouse wrote:
superfluous. In every case, you'll actually be checking against some
domain name which was generated at the sending server, not checking
against the domain of the original sender. So you might as well just be
using the name which the sending server gives in HELO, instead of the
domain in the reverse-path.
Not quite. A MAIL FROM domain can have many HELO names. For example,
AOL has hundreds. By validating MAIL FROM instead of HELO,
there is only one domain representing hundreds of HELO names.
Even my small business customers generally have 2 to 4 MTAs, each with
a unique HELO name for outgoing mail. For example, they have branch offices
with a server at each branch office.
The other advantage of SPF is that it has a 'none' result. I would
*like* to reject mail from servers with an invalid HELO name, but
the majority of my customer's correspondents have servers with an invalid
HELO name (e.g. 'JUPITER' seems to be popular). I suppose I could
treat the malformed names like 'none', and only reject the well
formed names that don't resolve to the correct IP.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.