[spf-discuss] SPF adoption - HELO vs FROM

2008-01-05 11:42:18
I want to remind everyone on the list that we are all pushing for the
same thing - we want SPF to become a more widely used tool to
reduce abuse of the e-mail system.

There are two places in the SMTP "stream" where SPF can be useful.  One is
at MAIL FROM time when a server can check return addresses.  The other is
at HELO time when servers "greet" one another.  

The former is the subject of a lot of debate, and has lots of
complications because there are a lot of people who cling to a lot
of traditional (bad?) practices.  It is clear that changing behaviors
in these areas is a struggle.

The latter is a much clearer win.  Over time HELO data provided by an incoming
server is seeing more authentication scrutiny because it is a useful
predictor of bad behavior.  That scrutiny is forcing server
operators to provide RFC-compliant HELO data that can in turn be
checked with SPF.  An SPF check on HELO is completely without "false positive"
risk AFAIK because it is checking the HELO name vs. the connecting server IP,
not the desired (or forwarded) identity on the message.  SPF checks on HELO
are not sufficient, because the owner of the domain providing SPF data
could be a spammer, but the check allows reliable whitelisting of servers,
so at least you could say with some certainty "This message came from a
reliable server".

Let's push harder on the HELO checking.  Once done, and in common use,
we can take the next step of sorting out the obstacles to getting
SPF used in message identities and return paths.
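As an added illustration of the two checks discussed above (example code written for this page, not from the original post or from any SPF implementation), the following Python runs the same SPF evaluation twice: once on the HELO identity (greeting name vs. connecting IP) and once on the MAIL FROM identity (return-path domain vs. connecting IP). It uses a constructed in-memory stand-in for DNS with hypothetical domain names and RFC 5737 documentation addresses, and supports only a subset of RFC 7208 (ip4/ip6, a, include, all, the four qualifiers); modifiers such as redirect= and exp= are deliberately not handled.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT/A lookups. All names and
# addresses are hypothetical (RFC 5737 / RFC 3849 test ranges).
FAKE_DNS_TXT = {
    "mx1.example.org": "v=spf1 ip4:192.0.2.25 -all",              # an MX's HELO name
    "relay.example.org": "v=spf1 a -all",                           # 'a' mechanism
    "example.org": "v=spf1 ip4:192.0.2.0/28 include:_spf.bulkmailer.example -all",
    "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "sloppy.example": "v=spf1 ip4:203.0.113.5 ~all",               # a forwarding host
    "spamcannon.example": "v=spf1 ip4:203.0.113.200 -all",         # a spammer's own domain
}
FAKE_DNS_A = {"relay.example.org": ["192.0.2.30"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record published for `domain` against client `ip`.

    Subset of RFC 7208: mechanisms ip4, ip6, a, include, all; qualifiers
    + - ~ ?. Returns one of pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = FAKE_DNS_TXT.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:                 # redirect=/exp= modifiers: not implemented here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A v6 client never matches an ip4 network, and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            target = (arg or domain).lower()
            matched = ip in FAKE_DNS_A.get(target, [])
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match


def check_helo(client_ip, helo_name):
    """HELO identity: the name the connecting server greeted with vs. its IP.
    Forwarding does not change this, since each hop greets with its own name."""
    return check_spf(client_ip, helo_name)


def check_mail_from(client_ip, mail_from):
    """MAIL FROM identity: the return-path domain vs. the IP of whichever
    relay is delivering right now, which after forwarding is not the origin."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_spf(client_ip, domain)


def scenarios():
    """Constructed scenarios; the inputs are hypothetical, not observed traffic."""
    return {
        # An MX greets with its own name from its own address.
        "helo_ok": check_helo("192.0.2.25", "mx1.example.org"),
        # Some other host greets with that name.
        "helo_forged": check_helo("203.0.113.99", "mx1.example.org"),
        # A spammer publishing SPF for his own domain also passes on HELO.
        "helo_spammer": check_helo("203.0.113.200", "spamcannon.example"),
        # Direct delivery from example.org's own range.
        "mailfrom_direct": check_mail_from("192.0.2.3", "user@example.org"),
        # The same return path relayed by a forwarder: MAIL FROM now fails,
        # while the forwarder's own HELO still checks out.
        "mailfrom_forwarded": check_mail_from("203.0.113.5", "user@example.org"),
        "helo_forwarder": check_helo("203.0.113.5", "sloppy.example"),
        # A bulk mailer authorised through include:.
        "mailfrom_include": check_mail_from("198.51.100.7", "user@example.org"),
        # A name with no SPF record at all.
        "no_record": check_helo("192.0.2.25", "unknown.example"),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:20s} {result}")
```

The two helpers differ only in which string is fed to the evaluator, which is the point: the HELO check compares a server's greeting name against the address it connected from, so a "pass" says that the server is who it claims to be and nothing more, while the MAIL FROM check binds the return-path domain to whatever host is delivering, and a forwarding hop changes that host.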
