spf-discuss

Re: followup: Re: [spf-discuss] libspf2 sample programs

2007-01-04 12:18:26
On Thursday 04 January 2007 13:35, Don Lee wrote:
SPF HELO is a very low cost check, but does not match as often as Mail
From (not everyone has published SPF records for HELO, but they should). 
HELO checks are a VERY reliable way to reject messages.  It is unlikely
to produce false positives.

Additionally, what will you check if you get mail from <>?

It is not clear on the web site, or in "common parlance" that
SPF is designed for, or to be used for, HELO.  I am looking into
using it on HELO, and am getting pushback from admins that this
is an abuse of SPF, and not "supported".

Is there a definitive statement I can point to that declares that this
usage is OK?

If you look in the SPF RFC, RFC 4408, it is not only OK, it is recommended:

http://www.openspf.org/RFC_4408#helo-ident

HELO was not in the very early SPF proposals, but it was included as an 
optional check for quite some time before the final RFC.

Corollary: is there instruction in the SPF setup "wizards" that gives
guidance to admins to make sure that SPF records support HELO
checking?

It does now:

http://www.openspf.org/FAQ/Common_mistakes

Scott K

Great.

There is a lot of controversy with SPF and its interactions with relaying
when used on from:, so I don't want to go there.

HELO checking - it seems to me - is a straightforward, reliable, and
effective way to "tighten the noose" on the spammers.  If every domain
published SPF, and every HELO were checked vs. SPF, then the HELO names
could be considered reliable, and you could trust your e-mail headers, which
in turn would provide a minimal audit trail for e-mail.

That would be a big step forward, and I don't see a good reason not to
do it.

There is incentive for the domain owners to prevent forgery of their
HELO domains, and incentive for the e-mail admins, who are always
looking for cheap, easy ways to figure out if a connecting MTA is
"legit".

-dgl-
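
An added example, not part of the original thread and not libspf2 code: a sketch of how a receiver picks the SPF identities discussed above, including the `<>` case, where RFC 4408 section 2.2 defines the MAIL FROM identity as `postmaster@` plus the HELO name. The TXT records, host names and addresses are constructed, and the evaluator is a deliberate subset that handles only `ip4`, `ip6` and `all`.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation names and addresses).
SAMPLE_TXT = {
    "mta1.example.org": "v=spf1 ip4:192.0.2.10 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(domain, client_ip, txt=SAMPLE_TXT):
    """Evaluate a record against client_ip; only ip4, ip6 and all are handled."""
    terms = txt.get(domain.lower().rstrip("."), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy published for this name
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not evaluated in this subset
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism {name!r} not in this subset")
        net = ipaddress.ip_network(arg, strict=False)
        if net.version == int(name[2]) and ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def check_session(client_ip, helo, mail_from):
    """Return (helo_result, mail_from_identity, mail_from_result) for one session."""
    # The HELO identity can only be checked when it is a fully qualified name,
    # not an address literal such as [192.0.2.55] or a bare host label.
    helo_is_fqdn = "." in helo and not helo.startswith("[")
    helo_result = evaluate(helo, client_ip) if helo_is_fqdn else "none"
    if helo_result == "fail":
        return helo_result, None, None  # conclusive: MAIL FROM lookup is skipped
    sender = mail_from.strip("<> ")
    # Null reverse-path (bounces): fall back to postmaster@<HELO name>.
    identity = sender if sender else "postmaster@" + helo
    return helo_result, identity, evaluate(identity.rpartition("@")[2], client_ip)
```

A HELO result of `none` means only that the name published no policy, so the MAIL FROM result still decides for that session.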
