spf-discuss

Re: [spf-discuss] SPF on HELO - take 2

2009-01-07 17:45:41
On Wed, 7 Jan 2009, Don Lee wrote:

The question here is not a technical one, but a marketing one.
... 
SPF can be used to vet HELO/EHLO between MTAs.  This is non-controversial,
and effective to prevent some kinds of spoofing.  Checking SPF on
HELO/EHLO enables reputation checking of MTAs.  This is all
goodness.  No downside.  No FUD.

I want to have this conversation - stand-alone.  I want to
convince certain admins and authors to implement SPF checking on HELO/EHLO.
Without crystal clear guidance from SPF "authorities",
that's proven difficult.

As an (expired) SPF council member, HELO SPF is a no brainer.  That is why it
doesn't get discussed much. :-)

Agreed.

On that topic, when SPF is not available, I consider a HELO name
with an A/AAAA record that matches the connecting IP as good as an
SPF pass for reputation purposes.  SPF just lets the MTA admin be
more flexible with IP assignment for their MTAs.

This is actually not true.  SPF is quite a bit better than a match between
IP and fwd/reverse DNS.  The biggest reason is that SPF says explicitly
that the admin of the IP and domain authorize mail to be sent from that
IP.  On the other side, there are both lots of DNS/IP combinations that
have "matching" entries that have no business sending mail.  (ex:
ppp123.321.22.34.dynamic.bogoisp.com.ru)  There are also various reasons
for _valid_ IP/DNS combinations to "not match". (insert long discussion
here about details and issues, plus a dash of FUD)

SPF is a much more accurate, simpler test.  In the absence of SPF, A/AAAA
and IP checking is better than nothing. ;->

Furthermore, no user education (to use SMTP AUTH for instance) is required
to get the full benefits of HELO SPF.  Only admin education.

As you say, all goodness, no gotchas.

Exactly.

[resisting urge to throw in another point about the much more interesting
topic of MAIL FROM SPF and "forwarding" ...]

;->

-dgl-
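
Added example, not part of the original message: a side-by-side of the two checks compared in this thread, SPF on the HELO name versus a plain A/AAAA match against the connecting IP. The zone data, host names and addresses are constructed, and the SPF evaluator handles only the ip4, ip6, a and all mechanisms (no include, mx, redirect or macros).

```python
import ipaddress

# Constructed DNS data (documentation names and addresses), not real zones.
ZONE = {
    ("mx1.example.org", "A"): ["192.0.2.10"],
    ("mx1.example.org", "TXT"): ["v=spf1 a -all"],
    ("out.example.net", "A"): ["198.51.100.5"],
    ("out.example.net", "TXT"): ["v=spf1 ip4:203.0.113.0/28 -all"],
    ("ppp-7.dynamic.isp.example", "A"): ["203.0.113.77"],  # no SPF published
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def a_match(helo, ip):
    """Heuristic: the HELO name has an A/AAAA record equal to the client IP."""
    addr = ipaddress.ip_address(ip)
    answers = lookup(helo, "A") + lookup(helo, "AAAA")
    return any(ipaddress.ip_address(a) == addr for a in answers)

def helo_spf(helo, ip):
    """SPF result for the HELO identity; subset: ip4, ip6, a, all."""
    addr = ipaddress.ip_address(ip)
    records = [t for t in lookup(helo, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            hit = True
        elif mech.startswith(("ip4:", "ip6:")):
            hit = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "a":
            hit = a_match(helo, ip)
        else:
            return "permerror"  # outside this example's subset
        if hit:
            return RESULTS[qual]
    return "neutral"  # no mechanism matched

if __name__ == "__main__":
    for helo, ip in [("mx1.example.org", "192.0.2.10"), ("out.example.net", "203.0.113.3"),
                     ("ppp-7.dynamic.isp.example", "203.0.113.77"), ("mx1.example.org", "203.0.113.77")]:
        print(f"{helo:28} {ip:15} spf={helo_spf(helo, ip):5} a_match={a_match(helo, ip)}")
```

The dynamic-pool host satisfies the A match but yields SPF "none", while out.example.net fails the A match yet gets an SPF pass because its admin listed the sending range explicitly.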

