On 04/06/2006 13:51, Matthew Elvey wrote:
> From the soon-to-be Experimental RFC:
>
>    It is RECOMMENDED that SPF clients not only check the "MAIL FROM"
>    identity, but also separately check the "HELO" identity ....
>    ...
>    SPF clients MUST check the "MAIL FROM" identity.
>    ...
>    At the time of this writing, many otherwise legitimate E-Mails are
>    delivered with invalid HELO domains.
>
> As I and others have said before, the HELO check ought to be a MUST as
> well.
>
> What happened? IIRC, it was made mandatory at some point. Was the
> change lost/in an offshoot draft and not incorporated/changed
> back/wishful thinking? Fixable?

IIRC, this was discussed on this list as the post-MARID drafts were being
worked. The primary goal of RFC 4408 was to document v=SPF1 as currently
deployed. A secondary goal was to leverage lessons learned from MARID and
operational experience to improve the standard.
If HELO checking had been promoted to a MUST, then many/most existing
implementations would have been non-compliant with the standard. Breaking
the historical linkage to null Mail From for HELO checking and recommending
checking it as a standalone entity was the most that could be done without
breaking backwards compatibility.
That aside, SHOULD means do so unless you have a good reason not to, and so
SHOULD is plenty of argument for anyone who wants to do HELO checking.
Scott K