At 18:00 13/01/2010 Wednesday, Stuart D. Gathman wrote:
> Here is a little nit that wasn't addressed in RFC4408. If HELO SPF says
> to reject, but SPF for MAIL FROM says Pass, which takes precedence? For
> spfv1, I think we are stuck with "receiver policy" (especially since
> checking HELO is optional). Should we specify a precedence for spfv3?
> Make HELO check a MUST? Or keep HELO optional, but give precedence to
> MFROM?
> Here is an example for the latter. Set SPF for HELO to "v=spfv3sdg -all".
> This has the effect of saying "this server only legitimately sends
> MFROM with SPF" (with MFROM taking precedence).
> We would probably need to specify the whole matrix of MFROM vs HELO
> SPF results.
I hate to say it, but on this we could take a leaf from M$,
i.e. in spf3
add a mandatory /scope:
v=spf3/helo rest of record...
or
v=spf3/mfrom rest of record...
or, for those wanting to send from and helo as the same domain,
v=spf3/helo/mfrom or spf3/mfrom/helo
but I would suggest not allowing that and forcing either
v=spf3/helo
or/and
v=spf3/mfrom
Also I'd suggest that when using the record to evaluate helo, any ?all ~all -all be
treated as equal, as helo is a simple pass/fail scenario.
Also, when evaluating helo currently it evaluates postmaster@helo; I would
suggest we could even drop the ?all ~all +all and [localpart related macros]
from the helo evaluation syntax.
Additionally, as I suggested previously, it would also allow us to subsume those
that use/check sender-id by allowing those that believe in that mess to add
v=spf3/pra to their mix
{but to treat records as only applicable to the scope as published}
i.e. so when I publish
v=spf3/mfrom ............ -all
v=spf3/helo -all
for my domain, it explicitly says I have no host heloing as "alandoherty.net",
test mfrom, and never attempt to validate pra.
Likewise I could publish a much smaller spf for bigsvr.alandoherty.net
v=spf3/mfrom -all
v=spf3/helo ........ -all
instead of the one atm that, through macros and wildcard DNS, validates only
postmaster@bigsvr.alandoherty.net so outgoing service users
cannot send from @bigsvr.alandoherty.net.
To handle users only publishing a partial scope, I'd recommend:
users publishing no v=spf3 records for a domain would be defaulted to spf1 or,
lacking that,
equivalent to
v=spf3/mfrom assumed pass
v=spf3/helo assumed pass
users only publishing a v=spf3/mfrom on a domain
must be assumed to have a v=spf3/helo of -all {NEW}
users only publishing a v=spf3/helo on a domain
must be assumed to have a v=spf3/mfrom which passes
and it would be hoped that all spfv3 checking functions would always check helo:
if fail, that's it!
If pass, or assumed pass due to no record, then continue on to check the mfrom
details.
I know it's how I code my checks currently, but as so few even bother to put up
any spf for helo-domains it would be great to see it a mandated check, but
still pass for those forced to use an ISP relay with no spf for its helo.
I do also think adding syntax to mfrom spf checks to explicitly say "if the
helo didn't pass/have an spf, dump" would be unnecessary for those with all
their own MTAs, as they won't allow attempted use of their mfrom from outside
those hosts they control.
So if it gets to the mfrom check, the sender already passed the helo check, or had
no helo SPF; if they had no helo SPF, what chance is there that their sending
IP is in the allowed range for the mfrom?
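The scope selection, defaulting and HELO-first precedence rules proposed in the message above, modelled as an added Python example (not code from the thread, from pyspf or from any SPF implementation): the v=spf3/<scope> syntax is the hypothetical one proposed here, the records and IP addresses are constructed, and only ip4/ip6 and all mechanisms are evaluated.

```python
import ipaddress
# Constructed sample records in the proposed (hypothetical) v=spf3/<scope> syntax.
ALANDOHERTY_NET = ["v=spf3/mfrom ip4:192.0.2.0/24 -all", "v=spf3/helo -all"]
BIGSVR_HOST = ["v=spf3/mfrom -all", "v=spf3/helo ip4:192.0.2.25 -all"]

def parse_scoped_records(txt_records):
    """Map each scope named in 'v=spf3/<scope>[/<scope>]' to that record's terms."""
    scoped = {}
    for rec in txt_records:
        version, _, rest = rec.partition(" ")
        if version.startswith("v=spf3/"):
            for scope in version[len("v=spf3/"):].split("/"):
                scoped[scope] = rest.split()
    return scoped

def apply_defaults(scoped):
    """Defaulting rules from the proposal: mfrom-only implies a helo of -all,
    helo-only implies an mfrom that passes, and no spf3 records at all implies
    both pass (the spf1 fallback the proposal mentions is not modelled)."""
    if not scoped:
        return {"helo": ["+all"], "mfrom": ["+all"]}
    scoped.setdefault("helo", ["-all"])
    scoped.setdefault("mfrom", ["+all"])
    return scoped

def evaluate(terms, ip, helo_scope=False):
    """Minimal matcher for ip4/ip6 mechanisms and 'all'. In the helo scope any
    non-pass qualifier on a match collapses to 'fail', as proposed."""
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all" or (name in ("ip4", "ip6")
                             and addr in ipaddress.ip_network(arg, strict=False)):
            if qualifier == "+":
                return "pass"
            return "fail" if helo_scope else {"-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # no mechanism matched

def check(ip, helo_txt, mfrom_txt):
    """HELO first: a fail ends the evaluation; pass or neutral (no record, so
    assumed pass) continues to the MAIL FROM scope of the sender's domain."""
    helo = apply_defaults(parse_scoped_records(helo_txt))["helo"]
    if evaluate(helo, ip, helo_scope=True) == "fail":
        return "fail", "helo"
    mfrom = apply_defaults(parse_scoped_records(mfrom_txt))["mfrom"]
    return evaluate(mfrom, ip), "mfrom"
```

A host that says HELO as alandoherty.net fails on the helo scope alone, while a domain publishing only v=spf3/mfrom is rejected as a HELO name because its helo scope defaults to -all.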
-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]