spf-discuss

Re: [spf-discuss] SPF on HELO - take 2

2009-01-10 12:25:32
At 05:54 PM 1/9/2009 -0600, Don Lee wrote:

At 3:16 PM -0500 1/9/09, Scott Kitterman wrote:
On Friday 09 January 2009 15:03, Stuart D. Gathman wrote:
On Fri, 9 Jan 2009, Scott Kitterman wrote:
AFAIK, no.  There are people that will argue layer violations, but I'm
completely unaware of any real situations where it would be problematic.

RFC4408 explicitly says to apply SPF to HELO for empty MAIL FROM.
I guess the leap here is to apply it to HELO for all MAIL FROMs.

It's not much of a leap.  It's recommended:

http://www.openspf.org/RFC_4408#helo-ident

"It is RECOMMENDED that SPF clients not only check the "MAIL FROM" identity, 
but also separately check the "HELO" identity by applying the check_host() 
function (Section 4) to the "HELO" identity as the <sender>."

We're coming up on the third anniversary of RFC 4408.  I think it's reasonable 
to assume that using an SPF record for HELO should not be a surprise.  I'm 
unaware of it ever causing an actual problem.

Scott K

I detect emphatic agreement on this thread.  I will work on the text/patches
in question and present it to this list this weekend.

Think big.  This may be an opportunity to make SPF records serve both purposes, 
not just an afterthought on the HELO check.  As for layer violations, a "helo" 
option could show the publisher's intent to offer a simple, robust HELO check 
(layer 1), even if the record ends in ?all because of worry about mishandling 
the MAIL FROM check (layer 2).

Here is my suggestion for an "all purpose" SPF record, covering both the HELO 
and Mail From Identities:

1) Use IP4, MX, and A terms to list your own HELO addresses.
2) Use INCLUDE terms to list the domains of other Agents who handle your 
outgoing mail.
3) Minimize your use of other terms.

-- Dave 
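
An added illustration of the three-point suggestion above (not code from the message or from any SPF implementation): it sorts a record's terms into the three groups and evaluates the ip4 and all terms offline, showing that a record ending in ?all still yields a pass for a listed HELO address. The record, the domain names and the function names are constructed for the example.

```python
import ipaddress
import re

# Term groups from the three-point suggestion in the message above.
HELO_TERMS = {"ip4", "mx", "a"}      # 1) your own HELO addresses
AGENT_TERMS = {"include"}            # 2) other agents that send your mail
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return the terms of an SPF record as (qualifier, name, argument)."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for word in words[1:]:
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(.*)", word)
        if m is None:
            raise ValueError("malformed term: " + word)
        qualifier, name, rest = m.groups()
        terms.append((qualifier or "+", name.lower(), rest.lstrip(":=")))
    return terms

def classify(record):
    """Sort term names into the suggestion's groups; 'all' is the default."""
    groups = {"helo": [], "agents": [], "other": []}
    for _, name, _ in parse_spf(record):
        if name in HELO_TERMS:
            groups["helo"].append(name)
        elif name in AGENT_TERMS:
            groups["agents"].append(name)
        elif name != "all":
            groups["other"].append(name)  # 3) terms to keep to a minimum
    return groups

def helo_check_offline(record, client_ip):
    """Evaluate left to right with ip4 and all only; stop where DNS is needed."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif name != "ip6":
            return "needs-dns"  # a, mx, include, ptr, exists: not resolved here
    return "neutral"  # no term matched and the record has no 'all'

# Constructed record; 192.0.2.10 stands in for the host's own HELO address.
SAMPLE = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 include:_spf.esp.example ?all"
```

Listing the HELO addresses as ip4 terms ahead of any include lets a receiver reach a pass without further lookups, whatever the closing ?all says about everything else.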




