At 12:01 PM 1/9/2009 -0600, Don Lee wrote:

Are there any cases where the SPF records that were "intended" for MAIL FROM
would be misleading or otherwise harmful if used for HELO?  My conclusion
is that there are no problems here.  All SPF records published should be
usable to safely vet MTA connections as outlined in this thread.

I can not think of any cases where an SPF record intended to allow
a MAIL FROM domain of XXX would exclude XXX in HELO checking.

The problem is, if we reject at HELO, based on an SPF record for MAIL FROM, we
are re-interpreting the SPF record in a way that the domain owner may not have
intended.  Even if there is no intention that there be a discrepancy, it can
occur because HELO checking using SPF records is so rare.  A few years ago, I
wanted to use the SPF record from rr.com, with over 1 million authorized
addresses, to reject at HELO.  I got assurance from the postmaster at rr.com
that their SPF record listed *all* of their transmitters.  I noticed that his
message to me was from a transmitter not on his list.  "Oh that's just one of
our administrative servers."  He didn't feel it was necessary to make any
changes!!

I would like to REJECT anyway.  The postmaster at XXX will see the SMTP REJECT
immediately.  The fix is simple - just change either the HELO name or the SPF
record, so there is a match.

I won't do this without consensus in the SPF community.

-- Dave
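
A log-only audit of the kind a receiver could run before turning on HELO rejection, as an added example that is not part of the original message. It evaluates only `ip4`, `ip6` and `all` mechanisms; the record, the sessions (example.net, documentation address ranges) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed SPF record (documentation address ranges), not real DNS data.
RECORDS = {"example.net": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.16/28 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS):
    """Evaluate ip4/ip6/all only; a mechanism that needs DNS is reported, not guessed."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"  # a, mx, include, redirect=...: never reject on these here
        net = ipaddress.ip_network(arg, strict=False)
        if addr.version == net.version and addr in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def audit_helo(sessions, records=RECORDS):
    """List sessions a HELO reject would drop, with the MAIL FROM result beside each."""
    flagged = []
    for ip, helo, mail_from in sessions:
        helo_result = check_host(ip, helo, records)
        if helo_result == "fail":
            from_domain = mail_from.rpartition("@")[2]
            flagged.append((ip, helo, helo_result, check_host(ip, from_domain, records)))
    return flagged


# Constructed sessions: (client IP, HELO name, MAIL FROM)
SESSIONS = [
    ("192.0.2.25", "example.net", "user@example.net"),         # listed transmitter
    ("203.0.113.7", "example.net", "postmaster@example.net"),  # administrative server left off the record
    ("203.0.113.9", "mail.example.org", "a@example.org"),      # HELO name publishes no record
]

if __name__ == "__main__":
    for row in audit_helo(SESSIONS):
        print(row)
```

Counting the flagged rows over a period of real traffic shows how many unlisted transmitters a HELO reject would affect before any mail is actually refused.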