[spf-discuss] RFC 4408 : HELO checking still just RECOMMENDED???

2006-04-06 10:53:03
From the soon to-be Experimental RFC:

  It is RECOMMENDED that SPF clients not only check the "MAIL FROM"
  identity, but also separately check the "HELO" identity ....
  ...
  SPF clients MUST check the "MAIL FROM" identity. 
  ...
  At the time of this writing, many otherwise legitimate E-Mails are
  delivered with invalid HELO domains.

As I and others have said before, the HELO check ought to be a MUST as
well.

What happened?  IIRC, it was made mandatory at some point.  Was the
change lost/in an offshoot draft and not incorporated/changed
back/wishful thinking?  Fixable?

It's also true that 
  At the time of this writing, many otherwise legitimate E-Mails are
  delivered with an invalid "MAIL FROM".

Among other things, a mandatory HELO check greatly reduces the issue of
the forwarding problem.  Consider an email that passes the HELO check
but fails the MAIL FROM check due to a non-SRS-compliant forwarder...

Sorry if I missed the last discussion of this; I found nothing recent;
all I can find is support for such a change:

http://www.imc.org/ietf-mxcomp/mail-archive/msg04838.html

In a message with the Subject: "Re: [spf-discuss] authorization vs
authentication, HELO checking, header-from scope, exp i28n, Oh my!", On
Mon, 13 Jun 2005 11:07:33 -0500, "wayne" <wayne(_at_)schlitt(_dot_)net> said:


While looking for something else, I stumbled across the following post
of mine from Oct 10, 2003:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200310/0127.html


In it, I complain about the use of authenticate instead of authorize,
I ask for the HELO domain to be verified all the time [,...]


Heh.

Some things never change.  ;-)


From: wayne <wayne(_at_)midwestcs(_dot_)com>
Subject: Re: [spf-discuss] new draft RFC under construction
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Date: Fri, 10 Oct 2003 22:49:27 -0500
Reply-To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

In <20031010220236(_dot_)GZ2345(_at_)dumbo(_dot_)pobox(_dot_)com> Meng Weng Wong
<mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> writes:
...
...
2. Designating SMTP Clients

   Participating domains publish SPF records to indicate that only
   certain hosts are permitted to send mail using that domain in the
   envelope sender.  In the case of a null envelope sender, the domain
   from the HELO/EHLO command is tested instead.

Couldn't/shouldn't the HELO/EHLO domain be verified all the time?


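The forwarding case raised in the message above, as an added example that is not part of the original post or of any SPF library: a receiver evaluates the HELO identity and the MAIL FROM identity separately and reports both results. The evaluator is a deliberately small subset of SPF (only the `ip4` and `all` mechanisms), and the domains, addresses and records are constructed sample data.

```python
import ipaddress

# Constructed sample SPF records (documentation domains and address ranges).
RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",           # original sender's domain
    "mx.forwarder.example": "v=spf1 ip4:198.51.100.7 -all",  # forwarder's HELO name
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Evaluate a tiny SPF subset (ip4 and all mechanisms) for one domain."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def check_session(ip, helo, mail_from):
    """Return separate SPF results for the HELO and MAIL FROM identities."""
    helo_result = check_host(ip, helo)
    if mail_from == "":
        # Null reverse-path: the MAIL FROM identity becomes postmaster@<HELO domain>.
        mail_from = "postmaster@" + helo
    mailfrom_result = check_host(ip, mail_from.rsplit("@", 1)[1])
    return {"helo": helo_result, "mailfrom": mailfrom_result}


if __name__ == "__main__":
    # Non-SRS forwarder relaying mail that keeps the original envelope sender.
    print(check_session("198.51.100.7", "mx.forwarder.example", "alice@example.org"))
    # Bounce (null sender) from the same forwarder.
    print(check_session("198.51.100.7", "mx.forwarder.example", ""))
    # Unrelated host borrowing the forwarder's HELO name.
    print(check_session("203.0.113.5", "mx.forwarder.example", "bob@unknown.example"))
```

With both results available, a receiver can tell the forwarded message (HELO pass, MAIL FROM fail) apart from a session where the HELO name itself is not authorized for the connecting address.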