http://www.openspf.org/RFC_4408#op-checking
"A mail receiver can perform a set of SPF checks for each mail message it
receives. An SPF check tests the authorization of a client host to emit mail
with a given identity. Typically, such checks are done by a receiving MTA,
but can be performed elsewhere in the mail processing chain so long as the
required information is available and reliable. At least the "MAIL FROM"
identity MUST be checked, but it is RECOMMENDED that the "HELO" identity also
be checked beforehand."
One point that I think got missed when we switched from HELO checking only if
Mail From = <> to full time HELO checking is the 'requirement' to always
check MAIL FROM.
There is no benefit to checking MAIL FROM after a HELO fail if the receiver
policy is to reject on HELO FAIL. I think that last sentence would have been
much better if it said:
"It is RECOMMENDED that the "HELO" identity be checked before the "MAIL FROM"
identity. If the "HELO" check does not produce a definitive policy result
(e.g. a decision to reject a message due to a "HELO" FAIL result), then
the "MAIL FROM" identity MUST be checked."
Comments?
Scott K
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
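The check ordering proposed in the message above, sketched as receiver-side logic. This is an added example, not part of the original post or of any SPF implementation: `evaluate`, `Decision`, the `reject_on_helo_fail` flag and the stubbed `check_host` callable are hypothetical names, and the sample addresses and results are constructed.

```python
from typing import Callable, NamedTuple, Optional

class Decision(NamedTuple):
    action: str                     # "reject" or "continue"
    helo_result: str
    mailfrom_result: Optional[str]  # None means the MAIL FROM check was skipped

def evaluate(ip: str, helo: str, mail_from: str,
             check_host: Callable[[str, str, str], str],
             reject_on_helo_fail: bool = True) -> Decision:
    """HELO first; MAIL FROM only if HELO gave no definitive policy result."""
    helo_result = check_host(ip, helo, "postmaster@" + helo)
    if helo_result == "fail" and reject_on_helo_fail:
        # Definitive result under this receiver policy: no MAIL FROM lookup.
        return Decision("reject", helo_result, None)
    if not mail_from:
        # Null reverse-path: RFC 4408 defines the MAIL FROM identity as
        # postmaster@<HELO>, so the HELO result is reused.
        mailfrom_result = helo_result
    else:
        domain = mail_from.rpartition("@")[2]
        mailfrom_result = check_host(ip, domain, mail_from)
    # Assumption: this receiver rejects on MAIL FROM "fail" and accepts otherwise.
    action = "reject" if mailfrom_result == "fail" else "continue"
    return Decision(action, helo_result, mailfrom_result)

def make_stub(table):
    """Constructed stand-in for check_host(); records which domains were queried."""
    calls = []
    def check_host(ip, domain, sender):
        calls.append(domain)
        return table.get((ip, domain), "none")
    return check_host, calls

# Constructed sample data (documentation address and example domains).
SAMPLE = {("192.0.2.1", "mail.example.net"): "fail",
          ("192.0.2.1", "example.org"): "pass"}

if __name__ == "__main__":
    stub, calls = make_stub(SAMPLE)
    print(evaluate("192.0.2.1", "mail.example.net", "user@example.org", stub), calls)
```
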