no other SPF checks are considered trusted if HELO/EHLO doesn't pass
RFC 4408 doesn't state that "no other SPF checks are considered
trusted if HELO/EHLO doesn't pass." Your assertion is instantly
falsified by testing w/the baked-to-order pySPF toolset on the
website.
When using the postmaster(_at_)HELO as a synthetic MAIL FROM, there is no
other SPF check to run to be RFC compliant, so there can be no "chain
of trust." Checking both HELO-as-HELO and postmaster(_at_)HELO-as-MAIL-FROM
(which will in most cases be redundant) is an option, but also hardly
a "chain of trust."
An edge case in which a PASS on HELO (as opposed to NONE or any other
result on HELO) might be a constant prerequisite when sending to a
given server is if that server has the custom policy "if *any*
checkable part of a given envelope has a published SPF record, then
*all* checkable parts must have published SPF and PASS." Or, of
course, a policy that requires PASS on HELO for every connection,
period. Such policies may be interesting, but beyond RFC.
--Sandy
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com