spf-discuss

RE: [spf-discuss] Re: Better approach to the forwarder problem

2007-01-11 11:03:04
Frank Ellermann wrote on Wednesday, January 10, 2007 5:08 PM -0600:

For SPF the X could be the HELO identity with an SPF PASS - and how
the next hop (receiver) arranges his list of known-to-be-good
forwarders is his local business.  "Known to be good" should
obviously include "I've already checked SPF, don't bother to do it
again, besides it won't work because I refuse to do SRS for
[insert reason]".

Running checkhost() against HELO when MAILFROM does not result in SPF
pass is a reasonable fallback and will work for forwarders who set HELO
properly.  SPF fail on MAILFROM plus SPF pass on HELO implies a properly
RFC2821 forwarded message.  This is fine, as long as recipients
understand what it means.

SPF pass says the domain owner trusts the designated mail hosts to send
mail on behalf of their domain.  "On behalf of" means different things
depending on which identity you check.  For MAILFROM, it means any
message claiming that domain name in the return-path.  While the domain
asserts nothing more, their domain name in the return-path implies they
are the originator, which can indirectly confirm the FROM domain if it
also matches, even though the domain makes no assertion about this.  For
HELO, SPF pass means that the designated mail host is authorized to use
the domain name in a HELO string.  It suggests nothing about the message
originator and you have no idea if the return-path is valid.

If you apply reputation to the domain of each query that gives SPF pass,
it probably doesn't matter which identities you queried.  If the
distinction between originating spam and forwarding it proved useful
(doubtful), you could maintain two separate reputation lists.

--
Seth Goodman
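
The fallback discussed in this message, sketched as an added example (not part of the original post and not taken from any SPF implementation): MAILFROM is checked first, HELO is consulted only when MAILFROM does not pass, and reputation is keyed on whichever domain produced the pass. The `check_host` here is a simplified stand-in that handles only `ip4` and `all`; the domains, addresses and records are constructed, and the `evaluate` helper and its return fields are hypothetical names.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (documentation IP ranges).
RECORDS = {
    "origin.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "mx.forwarder.example": "v=spf1 ip4:198.51.100.7 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Simplified check_host(): only the ip4 and all mechanisms are evaluated."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def evaluate(ip, helo, mail_from):
    """Check MAILFROM first; fall back to HELO only when MAILFROM does not pass."""
    mf_domain = mail_from.rsplit("@", 1)[-1]
    mf_result = check_host(ip, mf_domain)
    if mf_result == "pass":
        # The host is authorized to use this domain in the return-path.
        return {"identity": "mailfrom", "reputation_key": mf_domain, "mailfrom": mf_result}
    if check_host(ip, helo) == "pass":
        # The host is authorized only for its HELO name: treat it as a forwarder hop.
        # Nothing is established about the return-path or the message originator.
        return {"identity": "helo", "reputation_key": helo, "mailfrom": mf_result}
    return {"identity": None, "reputation_key": None, "mailfrom": mf_result}


if __name__ == "__main__":
    print(evaluate("192.0.2.10", "mail.origin.example", "alice@origin.example"))
    print(evaluate("198.51.100.7", "mx.forwarder.example", "alice@origin.example"))
    print(evaluate("203.0.113.9", "mx.forwarder.example", "alice@origin.example"))
```

In the second call the pass is credited to `mx.forwarder.example`, not to `origin.example`, so any spam relayed through that hop counts against the forwarder's reputation rather than the return-path domain's.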
