Mailing List Archive

Re: SPF on HELO - take 2 [ In reply to ]
On Mon, 12 Jan 2009, Alessandro Vesely wrote:

> > > We need a way to use *one record* for both the MAIL FROM and HELO checks.
> > > Very few domains publish SPF records for each and every HELO name. I
> > > don't
> > > believe "evangelism" will ever change that.
> >
> > That is trivial too. You can pick any name you wish for HELO, including
> > a domain the same as MAIL FROM.
>
> However, doing so discards the possibility to use the helo name as a "better
> and cheaper rDNS", that you mentioned earlier in this thread. In addition, the
> sender would fail those draconian HELO-to-DNS checks, if the MAIL FROM domain
> doesn't have the corresponding A record.

Yes, I don't recommend the practice. But it *is* the only way to
have one SPF record for both MAIL FROM and HELO domains (by making them
the same domain). If anything, that should underscore why you don't
really want the same MAIL FROM and HELO policy.

If you have lots of MTAs behind a NAT, then wildcards could do the trick:

*.example.com TXT "v=spf1 a -all"
*.example.com A 1.2.3.4

If they all have different IPs, then a script or smarter authoritative
DNS (PowerDNS) is in order.

The point is, there is no big problem that a competent admin can't easily
handle.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
Re: SPF on HELO - take 2 [ In reply to ]
Stuart D. Gathman wrote:
> Yes, I don't recommend the practice. But it *is* the only way to
> have one SPF record for both MAIL FROM and HELO domains (by making them
> the same domain). If anything, that should underscore why you don't
> really want the same MAIL FROM and HELO policy.
>
> If you have lots of MTAs behind a NAT, then wildcards could do the trick:
>
> *.example.com TXT "v=spf1 a -all"
> *.example.com A 1.2.3.4

However, those records are not recommended by rfc4408.

> If they all have different IPs, then a script or smarter authoritative
> DNS (PowerDNS) is in order.
>
> The point is, there is no big problem that a competent admin can't easily
> handle.

Based on my experience, I would agree. However, I see no record for,
say, *.google.com nor, e.g., mail-bw0-f19.google.com. Does that imply
that google's admins are not competent? More likely, they just didn't
find the time to do it.

Given the fact that most domains have no host record, we should
consider if SPF adoption is being hindered by too much complexity. Is
it worth slightly changing the specs to account for that?
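
Added example, not part of either post above: how the wildcard records from the thread behave under a HELO check, including the standard DNS rule that a wildcard is not synthesized for a name that owns any record of its own. The in-memory zone, the `mx1` host, and the `lookup` and `check_helo` helpers are assumptions made for illustration; only the `a` and `all` mechanisms are evaluated.

```python
import ipaddress

APEX = "example.com"
# Constructed zone: the two wildcard records from the thread, plus one
# hypothetical host (mx1) that owns a record of its own.
ZONE = {
    ("*.example.com", "TXT"): ["v=spf1 a -all"],
    ("*.example.com", "A"): ["1.2.3.4"],
    ("mx1.example.com", "MX"): ["10 mx1.example.com."],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Simplified authoritative lookup with DNS wildcard semantics."""
    name = name.lower().rstrip(".")
    owners = {owner for owner, _ in ZONE} | {APEX}
    if name in owners:  # name exists: the wildcard is never consulted
        return ZONE.get((name, rtype), [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in owners:  # closest existing ancestor
            return ZONE.get(("*." + parent, rtype), [])
    return []

def check_helo(helo, client_ip):
    """SPF check of the HELO identity; handles only 'a' and 'all'."""
    records = [t for t in lookup(helo, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(helo, "A"))
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"  # mechanism not used on this page
        if matched:
            return RESULT[qualifier]
    return "neutral"

if __name__ == "__main__":
    for helo, ip in [("mta7.example.com", "1.2.3.4"),
                     ("mta7.example.com", "192.0.2.9"),
                     ("mx1.example.com", "1.2.3.4")]:
        print(helo, ip, check_helo(helo, ip))
```

The third case returns `none` because `mx1.example.com` has its own MX record, so the wildcard TXT and A records never apply to it and the SPF record would have to be repeated at that name.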


Re: SPF on HELO - take 2 [ In reply to ]
Please stop sending me these emails. I don't know you or your group, what these emails are about, and why you are sending them to me.


