spf-discuss

Re: [spf-discuss] SPF on HELO - take 2

2009-01-08 12:49:30
Scott Kitterman wrote:
> On Thursday 08 January 2009 09:42, Alessandro Vesely wrote:
>> SPF on HELO can add or subtract a few points from a spam score, and I'm not sure whether that deserves being highlighted as a prominent feature for marketing purposes.

> I disagree. Rejecting mail with an SPF HELO result that is not Pass/None is quite safe and low cost.

Yes it is, but only newbie spammers so ingenuous as to use a prohibited domain name for their HELO identity will produce a fail.

> Many entities reject mail where forward/reverse DNS don't match (AOL for one).

According to http://postmaster.aol.com/guidelines/standards.html they merely check for a consistent PTR record. I found no mention about HELO identity requirements.

> Even more reject for lack of rDNS. So rejecting mail for faulty HELO/EHLO is quite well established even if the RFCs are behind (as usual).

Hm... Senders BCPs at MAAWG mention that the HELO name /should/ be the same as that delivered by rDNS. However, I suspect most MTAs just check that a consistent rDNS/DNS pair exists (what Wikipedia calls "FCrDNS" (http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS)).

> SPF HELO checks add to this and are an easy win that does not have any of the (from my view small, but still real) downsides of rejecting mail based on SPF Fail for Mail From.

CSV and David's _auth mechanisms do that check with much less effort and more reliability than SPF -- those mechanisms provide for denying an IP to send mail for a given domain. Besides possible misconfiguration, there should be no downside in blocking prohibited senders.

> If a server is acting as an MSA (submission agent) then for submission, I totally agree that rejecting based on HELO/EHLO issues is unsound, but you shouldn't check SPF at all in that case.

Correct.

> For MTA to MTA transactions, what is unsound about rejecting mail from a non-existent HELO name or one where the HELO name A record doesn't match?

Setting a matching HELO name may be cumbersome when using NAT, multihomed hosts, VPNs, and the like. IMHO, checking the domain name should suffice.
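To make the receiver-side checks argued over above concrete, here is an added example; it is not code from this thread, from the SPF project, or from any MTA named in it. It assumes a constructed in-memory zone in place of live DNS (RFC 5737 documentation addresses), an SPF evaluator limited to the `ip4`, `a` and `all` mechanisms, and treats "HELO name exists" as "has an A record". The two policies in `helo_verdict` are one reading of the two positions in the thread: the strict one rejects on any SPF HELO result other than pass/none and on a HELO name that does not resolve or does not match the connecting address; the lenient one rejects only for a non-existent HELO name or an SPF HELO fail, so a NAT'd relay whose A record points elsewhere is tolerated.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone data standing in for live DNS (assumption: a toy resolver,
# so the example runs offline; a real receiver would query DNS here).
ZONE: Dict[Tuple[str, str], List[str]] = {
    # A well-behaved relay: PTR and A agree, and its own name publishes SPF.
    ("25.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["192.0.2.25"],
    ("mail.example.org.", "TXT"): ["v=spf1 a -all"],
    # A relay behind NAT: it connects from 192.0.2.40, but its A record points
    # elsewhere; SPF still authorizes the whole /24 and there is no PTR.
    ("mx2.example.org.", "A"): ["192.0.2.26"],
    ("mx2.example.org.", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    # A consumer host with generic but forward-confirmed rDNS.
    ("77.100.51.198.in-addr.arpa.", "PTR"): ["dsl-198-51-100-77.isp.example.net."],
    ("dsl-198-51-100-77.isp.example.net.", "A"): ["198.51.100.77"],
    # A domain whose name could be borrowed as a HELO; it publishes "-all".
    ("bigbank.example.com.", "A"): ["203.0.113.10"],
    ("bigbank.example.com.", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fqdn(name: str) -> str:
    """Normalise a name to lower case with a trailing dot, as the zone keys are stored."""
    return name.lower().rstrip(".") + "."


def lookup(name: str, rrtype: str) -> List[str]:
    """Resolver stand-in: records of one type for a name (empty list if none)."""
    return ZONE.get((fqdn(name), rrtype), [])


def fcrdns(ip: str) -> List[str]:
    """Forward-confirmed reverse DNS: PTR names of ip whose A records contain ip."""
    ptr_names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return [name for name in ptr_names if ip in lookup(name, "A")]


def spf_helo(helo: str, ip: str) -> str:
    """Evaluate the SPF record published at the HELO name for ip.

    Assumption: only the ip4, a (without prefix length) and all mechanisms are
    supported, which is enough for the zone above; anything else is a permerror.
    """
    records = [t for t in lookup(helo, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            matched = ip in lookup(argument or helo, "A")
        else:
            return "permerror"
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no redirect


def helo_verdict(helo: str, ip: str) -> Dict[str, object]:
    """Run the checks discussed in the thread and apply both proposed policies."""
    a_records = lookup(helo, "A")
    spf = spf_helo(helo, ip)
    resolves = bool(a_records)        # approximation: "exists" means "has an A record"
    matches = ip in a_records
    return {
        "helo_resolves": resolves,
        "helo_matches_ip": matches,
        "fcrdns": fcrdns(ip),
        "spf_helo": spf,
        # strict: SPF HELO must be pass/none, HELO must resolve and match the client ip
        "reject_strict": spf not in ("pass", "none") or not resolves or not matches,
        # lenient: only a non-existent HELO name or an SPF HELO fail is rejected
        "reject_lenient": spf == "fail" or not resolves,
    }


if __name__ == "__main__":
    for helo, ip in [("mail.example.org", "192.0.2.25"),
                     ("mx2.example.org", "192.0.2.40"),
                     ("bigbank.example.com", "198.51.100.77"),
                     ("no-such-host.example", "198.51.100.77")]:
        print(helo, ip, helo_verdict(helo, ip))
```

The `mx2.example.org` case is the one the NAT/multihoming objection is about: SPF on HELO passes and the name exists, yet the A record does not contain the connecting address, so the strict policy rejects it while the lenient one accepts it. The borrowed `bigbank.example.com` HELO is rejected under both policies because the domain's own `-all` produces an SPF fail.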


