Re: [spf-discuss] SPF basics commentary

2007-01-27 14:03:59
At 02:22 PM 1/27/2007 -0500, Stuart D. Gathman wrote:
> On Sat, 27 Jan 2007, David MacQuigg wrote:
>
> > SPF could expand its scope to include a robust check of the HELO name, but
> > until that happens, SPF authorized senders can simply publish "helo=spf" at
> > _auth.<domain>, and anyone using our Registry take that as permission to
> > REJECT any use of their name that doesn't pass the HELO check.
>
> There is already an op=helo draft standard.  Other standard options
> in the draft are:
>
> op=pra          "it is ok to use this SPF record for PRA checking"
> op=nohelo       "do not check HELO for this SPF record"
> op=helo         "reject this domain in HELO unless SPF gets PASS"
> op=auth         "We've taken steps to prevent cross customer forgery
>                 for SPF PASS"
>
> Combine the options with dot, e.g.
>
> v=spf1 op=helo.auth a -all

I cannot find this draft in a Google search of "op=helo". How often do you see an op=helo in an SPF record? Why isn't it part of the SPF draft? What are the objections to using op=helo?

If the use of op=helo becomes widespread, I will rely on it in constructing our Registry records. This could instantly elevate an ID status from "default" to "authoritative", and allow us to REJECT at HELO without an _auth record, a signup at our website, or some other signal from the sender that his SPF record is to be taken seriously in checking HELO. Until then, we must follow a conservative strategy and use entire IP assignments for senders with default records. These default records don't allow a REJECT at HELO, but they do allow us to accumulate stats for our reputation database.

I see an opportunity here for SPF to become much more useful, without any downside. For most SPF records, the HELO and Return Address authorizations should be one and the same. For those that need to maintain a difference, RFC 4408, section 5.2 already has a strong suggestion that "administratively-independent domains" (i.e. forwarders) be authorized with 'include' terms. That could be made mandatory with op=helo. Keeping a clear distinction between local transmitters and forwarders will allow a robust authentication of local transmitters even if the entire record must end in ?all.

I know there is a perception that this use of SPF records is somehow competing with or "hindering" SPF adoption to use Seth's word. I don't know if I answered Seth's criticism adequately, but if anyone shares this perception, let's discuss it more fully.

I'm still optimistic. There is no good reason for a sender to *not* limit his HELO addresses, just inertia.

-- Dave
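Added example (not from the thread, the draft, or any SPF implementation): a receiver-side sketch of how the draft op= modifier discussed above could drive a HELO decision. It parses the dot-separated option list out of an SPF record and returns a policy for the HELO name given the SPF result evaluated against that name, rejecting only when the domain has opted in with op=helo, skipping the check for op=nohelo, and otherwise never rejecting on HELO alone. The sample records and domain names are constructed for the demonstration; the op= syntax is the draft form quoted in Stuart's message, not part of RFC 4408.

```python
import re

# Constructed sample records for demonstration; no real domain publishes these.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 op=helo.auth a -all",  # opted in to HELO rejection
    "example.net": "v=spf1 a mx ?all",            # no op= modifier at all
    "example.org": "v=spf1 op=nohelo a -all",     # asks receivers not to check HELO
}

# Draft syntax: a single op= modifier whose options are joined with dots.
OP_MODIFIER = re.compile(r"(?:^|\s)op=([A-Za-z0-9.]+)(?=\s|$)")


def parse_op_options(record: str) -> set:
    """Return the options of the draft op= modifier, e.g. {'helo', 'auth'}.

    A record that is not an SPF v1 record, or has no op= modifier, yields an
    empty set, which the policy below treats as "no opt-in".
    """
    if not record.lower().startswith("v=spf1"):
        return set()
    match = OP_MODIFIER.search(record)
    if not match:
        return set()
    return {opt.lower() for opt in match.group(1).split(".") if opt}


def helo_policy(record: str, spf_result: str) -> str:
    """Decide what to do with an SMTP HELO/EHLO name.

    record:     the SPF TXT record of the HELO domain
    spf_result: the SPF result ("pass", "fail", "softfail", "neutral", ...)
                obtained by evaluating that record against the HELO name
                and the connecting IP

    Returns "reject", "accept" or "skip-helo-check".
    """
    opts = parse_op_options(record)
    if "nohelo" in opts:
        # The domain explicitly says this record is not meant for HELO checks.
        return "skip-helo-check"
    if "helo" in opts:
        # Opt-in: the domain asked to be rejected in HELO unless SPF passes.
        return "accept" if spf_result.lower() == "pass" else "reject"
    # No opt-in signal: a conservative receiver only records the result for
    # statistics and never rejects on the HELO check alone.
    return "accept"


def evaluate_samples() -> dict:
    """Run the policy over the constructed records with an assumed SPF 'fail'."""
    return {domain: helo_policy(rec, "fail") for domain, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for domain, decision in evaluate_samples().items():
        print(f"{domain:12s} HELO fail -> {decision}")
```

The only record that produces a rejection is the one carrying op=helo; a record with no modifier is still useful for accumulating reputation statistics, but it never triggers a REJECT by itself, which is the conservative default the message above argues for.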


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735