spf-discuss

RE: [spf-discuss] Re: "pretend" MAIL FROM

2007-03-14 01:52:27
Stuart D. Gathman wrote on Tuesday, March 13, 2007 11:53 AM -0600:

> A -> user@forwarder.com -> final@receiver.com
>                          Checks for PASS on forwarder.com
>                          (HELO is something else like mx19.forwarder.com,
>                           with no easy way to list them all)

The reason you have to apply the list of your users' trusted forwarders
is because the zone cut method for finding the parent domain of a HELO
FQDN is deprecated.  Every outbound relay in a domain needs its own SPF
record to get a HELO pass, which is fine for domains that want this, but
a PITA when you have to supply your own local records for someone else's
domain.

This suggests another related guessing method:  apply the list of
synthetic local SPF records during the HELO test when the HELO name does
not pass, and treat a pass as a HELO pass.  Alternatively, treat a PASS
as its own entity in the reputation system:  guessed HELO.  Yet another
alternative is to implement a zone cut algorithm for the HELO name, but
restrict it to the local DNS resolver to avoid abusing DNS.  Since this
extension is clearly _not_ SPF (the sender did not publish this record),
the recipient is arguably not bound by the requirement to perform
checkhost() on MAIL FROM in the RFC in the case where the guessed HELO
pass result gives a strong enough reputation score to whitelist (or
blacklist).

--
Seth Goodman

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
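The "guessed HELO" idea from the post above, worked through as an added example (this is not code from the post, the list, or any SPF implementation). It assumes: a minimal SPF evaluator that understands only ip4/ip6 mechanisms and "all" (the a/mx/include mechanisms would need live DNS, so they are skipped); two in-memory tables that stand in for the local resolver cache and for the receiver's own synthetic records; and hypothetical domains, addresses and records. The HELO name's own published record is tried first; only when that does not PASS does the code walk up the parent labels, consulting the local synthetic records and then the parents' published records, and it reports that result as GUESSED_HELO_PASS rather than PASS so the reputation system can score it separately.

```python
"""Added example: a 'guessed HELO' check alongside the real SPF HELO check.

All domains, addresses and SPF records below are constructed for the
example; the tables stand in for a local caching resolver and for the
receiver's locally maintained synthetic SPF records.
"""
import ipaddress
from typing import Iterator, Optional, Tuple

# Constructed: what the local resolver would return for these names.
# forwarder.com publishes a record, but its relays (mx19.forwarder.com, ...)
# have none of their own, so a strict HELO check on them can never PASS.
PUBLISHED_SPF = {
    "forwarder.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 -all",
}

# Constructed: synthetic records the receiver supplies for someone else's
# domain (here, also covering a relay block forwarder.com did not publish).
LOCAL_SYNTHETIC_SPF = {
    "forwarder.com": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 -all",
}

QUALIFIER_RESULT = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def spf_match(record: str, ip: str) -> Optional[str]:
    """Minimal SPF evaluator: ip4/ip6 mechanisms and 'all' only.

    Returns PASS/FAIL/SOFTFAIL/NEUTRAL, PERMERROR on a malformed network,
    or None when the text is not an SPF record at all.
    """
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PERMERROR"
            matched = addr.version == net.version and addr in net
        else:
            continue  # a/mx/include/exists need DNS; not handled offline
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "NEUTRAL"  # no mechanism matched and no 'all' was present


def parent_candidates(fqdn: str) -> Iterator[str]:
    """Yield the name itself, then each parent, stopping short of the TLD."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def check_helo(ip: str, helo: str,
               published=PUBLISHED_SPF,
               synthetic=LOCAL_SYNTHETIC_SPF) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, domain that produced it, source of the record).

    verdict is PASS only for the HELO name's own published record;
    GUESSED_HELO_PASS marks a match on a record the sender did not publish
    for that name, so it must be scored as its own reputation entity.
    """
    helo = helo.rstrip(".").lower()
    # 1. The real SPF HELO check: only the HELO FQDN's own published record.
    rec = published.get(helo)
    if rec is not None and spf_match(rec, ip) == "PASS":
        return ("PASS", helo, "published")
    # 2. Guessing, first against local synthetic records (name and parents)...
    for cand in parent_candidates(helo):
        rec = synthetic.get(cand)
        if rec is not None and spf_match(rec, ip) == "PASS":
            return ("GUESSED_HELO_PASS", cand, "synthetic")
    # 3. ...then zone-cut style against the parents' published records.
    #    In production, serve this walk from the local resolver cache only.
    for cand in parent_candidates(helo):
        if cand == helo:
            continue
        rec = published.get(cand)
        if rec is not None and spf_match(rec, ip) == "PASS":
            return ("GUESSED_HELO_PASS", cand, "parent")
    return ("NONE", None, None)


def reputation_key(verdict: str, domain: Optional[str]) -> Optional[str]:
    """Key a reputation entry so guessed and real passes never share a score."""
    if verdict == "PASS":
        return f"helo-pass:{domain}"
    if verdict == "GUESSED_HELO_PASS":
        return f"guessed-helo:{domain}"
    return None


if __name__ == "__main__":
    for ip, helo in [("192.0.2.5", "mx19.forwarder.com"),
                     ("198.51.100.10", "relay.example.net"),
                     ("198.51.100.99", "relay.example.net")]:
        verdict, domain, source = check_helo(ip, helo)
        print(f"{ip:15} {helo:22} -> {verdict} via {source} ({domain})")
```

Note that a synthetic record is always a guess, even when it is keyed by the HELO name itself, because the sender never published it; that is why the verdict stays GUESSED_HELO_PASS and the reputation key is kept separate from a real HELO pass.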