Re: [spf-discuss] Using SPF op=helo for HELO Authorization
2007-01-29 11:07:01
At 02:22 PM 1/27/2007 -0500, Stuart D. Gathman wrote:

> There is already an op=helo draft standard. Other standard options
> in the draft are:
>
> op=pra "it is ok to use this SPF record for PRA checking"
> op=nohelo "do not check HELO for this SPF record"
> op=helo "reject this domain in HELO unless SPF gets PASS"
> op=auth "We've taken steps to prevent cross customer forgery for SPF PASS"

OK, I found the draft (draft-ellermann-spf-options-01). Doesn't look like
op=helo will do what we need, however. Section 3.2 of the draft refers to
"the FQDN given in a HELO command", and I assume this means the complete
hostname, not just the domain name which we are using as the transmitter's
ID. If I understand it correctly, this option offers basically the same
functionality as CSV, requiring an authentication record for each and every
host, which we can't expect domain owners to do.

We need a way to generate a complete list of authorized HELO addresses by
"compiling" an SPF record. We can't ignore ?all, ptr mechanisms,
%{macros}, and other stuff that prevent such a compilation unless there is
some signal from the domain owner stating that this is his intent.

So as things stand now, and if my understanding of op=helo is correct, we
will keep the "helo=spf" option in our _auth records, as a convenience for
domain owners who publish SPF records and want us to use the same set of
addresses in their Registry record. I'm working now on a webtool that will
allow domain owners to experiment with their SPF records and see if they
compile as expected. See http://open-mail.org/webtool.html. As always,
suggestions are welcome.

Again, Registry records are not intended to "compete" with SPF
records. Where there is overlap in the information provided, we will try
to follow the design principle that it is best to keep information in one
place only, both for convenience, and to avoid "synchronization" problems
when that information is updated in one place but not the
other. "helo=spf" is not an "ad-hoc" addition to our records, but part of
what I hope is a simple, well-planned syntax. Typical _auth records look like:

_auth.example.com. TXT "helo=mx,a"
_auth.example.com. TXT "service=S1,H2 method=CSV,SPF,SID,DK helo=SPF,216.183.71.48/30"

In the first record, we assume that the domain owner doesn't use SPF, or
perhaps prefers that we ignore his SPF record in the HELO check. In the
second record, we assume the /30 block is for some reason *not* listed in
the SPF record for the domain, so the domain owner added it here.
See http://open-mail.org/files/Records.html for more detail.

-- Dave
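
The "compiling" step described in the message above, as an added sketch that is not part of the original message and is not the Registry's or the webtool's code: it reduces an SPF record to a fixed set of networks and reports every term that prevents a complete list. The `DNS` table and all names in it are constructed placeholders, and treating `+all`, negatively qualified mechanisms and unhandled terms as blockers is an assumption of this sketch.

```python
import ipaddress

# Constructed zone data standing in for live DNS lookups (all names are placeholders).
DNS = {
    ("example.com", "TXT"): "v=spf1 a mx ip4:198.51.100.0/30 include:_spf.example.net -all",
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_spf.example.net", "TXT"): "v=spf1 ip4:203.0.113.0/24 -all",
    ("dyn.example.org", "TXT"): "v=spf1 ip4:192.0.2.1 ptr exists:%{ir}.bl.example.org ?all",
}

def compile_spf(domain, dns=DNS, depth=0):
    """Return (networks, blockers); a non-empty blockers list means the
    record cannot be reduced to a complete, fixed set of addresses."""
    nets, blockers = set(), []
    record = dns.get((domain, "TXT"))
    if record is None or depth > 10:
        return nets, [f"{domain}: no SPF record or include depth exceeded"]
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if "%{" in term or name == "ptr":
            blockers.append(f"{domain}: {term} depends on the connecting client")
        elif name == "all":
            if qual in "+?":  # the list is not closed by a fail/softfail default
                blockers.append(f"{domain}: {term} does not close the list")
            break  # terms after "all" are never evaluated
        elif qual != "+":
            blockers.append(f"{domain}: {term} is not a plain authorization")
        elif name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg, strict=False))
        elif name in ("a", "mx"):
            hosts = [arg or domain]
            if name == "mx":
                hosts = dns.get((arg or domain, "MX"), [])
            for host in hosts:
                nets.update(ipaddress.ip_network(ip) for ip in dns.get((host, "A"), []))
        elif name == "include":
            sub_nets, sub_blockers = compile_spf(arg, dns, depth + 1)
            nets |= sub_nets
            blockers += sub_blockers
        else:
            blockers.append(f"{domain}: {term} is not handled by this sketch")
    return nets, blockers
```

A verifier would use the compiled set only when `blockers` is empty; otherwise it needs the explicit signal from the domain owner that the message asks for.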