spf-discuss

Re: [spf-discuss] RFC 4408 : HELO checking still just RECOMMENDED???

2006-04-06 11:14:07
On 04/06/2006 13:51, Matthew Elvey wrote:
> From the soon-to-be Experimental RFC:
>
>   It is RECOMMENDED that SPF clients not only check the "MAIL FROM"
>   identity, but also separately check the "HELO" identity ....
>   ...
>   SPF clients MUST check the "MAIL FROM" identity.
>   ...
>   At the time of this writing, many otherwise legitimate E-Mails are
>   delivered with invalid HELO domains.
>
> As I and others have said before, the HELO check ought to be a MUST as
> well.
>
> What happened?  IIRC, it was made mandatory at some point.  Was the
> change lost/in an offshoot draft and not incorporated/changed
> back/wishful thinking?  Fixable?

IIRC, this was discussed on this list as the post-MARID drafts were being 
worked.  The primary goal of RFC 4408 was to document v=SPF1 as currently 
deployed.  A secondary goal was to leverage lessons learned from MARID and 
operational experience to improve the standard.

If HELO checking had been promoted to a MUST, then many/most existing 
implementations would have been non-compliant with the standard.  Breaking 
the historical linkage to null Mail From for HELO checking and recommending 
checking it as a standalone entity was the most that could be done without 
breaking backwards compatibility.

That aside, SHOULD means do so unless you have a good reason not to, and so SHOULD 
is plenty of argument for anyone who wants to do HELO checking.

Scott K
