Carl,

In general the only case where SPF would be checked against the HELO identity is if the MAIL FROM is blank, as is typically the case for Out-of-Office messages and Non-Delivery-Reports.

However...the SPF specification (RFC 4408) section 2.1 says:

    It is RECOMMENDED that SPF clients not only check the "MAIL FROM" identity, but also separately check the "HELO" identity by applying the check_host() function (Section 4 <http://tools.ietf.org/html/rfc4408#section-4>) to the "HELO" identity as the <sender>.

And section 2.3 says:

    [RFC2821] allows the reverse-path to be null (see Section 4.5.5 in RFC 2821 <http://tools.ietf.org/html/rfc2821#section-4.5.5>). In this case, there is no explicit sender mailbox, and such a message can be assumed to be a notification message from the mail system itself. When the reverse-path is null, this document defines the "MAIL FROM" identity to be the mailbox composed of the localpart "postmaster" and the "HELO" identity (which may or may not have been checked separately before).

    SPF clients MUST check the "MAIL FROM" identity. SPF clients check the "MAIL FROM" identity by applying the check_host() function to the "MAIL FROM" identity as the <sender>.

Based on all of that, my recommendation is that you make sure you publish an SPF record for each HELO name used by your mail servers so that the empty MAIL FROM case is handled. Receivers may choose to check SPF against your HELO name in other cases as well, but since they MUST check the MAIL FROM identity you really only need to worry about the HELO name when the MAIL FROM is blank.

I hope this helps!

John Wilson

On Mon, Mar 25, 2013 at 6:17 PM, Carl S. Gutekunst <[email protected]> wrote:

>>> Question 3: the absence of a SPF resource record in DNS for a domain,
>>> would it mean SPF-mechanism-authentication fail in DMARC for all email sent
>>> from that domain?
>>
>> 3. Yes...if your envelope-from domain has no SPF record, that is
>> considered an SPF-fail for DMARC purposes.
>
> But if the HELO Identity has a valid SPF record...? Isn't that supposed to
> be checked before the MAIL FROM Identity?
>
> I'm trying to push for clarity on this one issue because it doesn't seem
> to be implemented consistently, and with DMARC it's starting to really
> matter.
>
> <csg>
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
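
An added example, not part of the thread and not code from any SPF implementation: a small audit of the identity rules in the RFC 4408 sections quoted above, showing which SMTP sessions end up with a checked identity that has no usable SPF record. The domains, TXT strings, sessions and function names are all constructed for illustration, and a dictionary stands in for DNS lookups.

```python
# Added example: constructed data, hypothetical names throughout.
SAMPLE_TXT = {  # constructed TXT answers standing in for DNS lookups
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "mx1.example.com": ["v=spf1 a -all"],
    "mx2.example.com": ["some-site-verification=abc123"],  # TXT, but no SPF
}

def spf_records(domain, txt=SAMPLE_TXT):
    """TXT strings whose version section is exactly 'v=spf1' (RFC 4408 4.5)."""
    return [r for r in txt.get(domain.lower().rstrip("."), [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def mail_from_identity(helo, reverse_path):
    """Section 2.3: a null reverse-path becomes postmaster@<HELO identity>."""
    path = reverse_path.strip().strip("<>")
    return path if path else "postmaster@" + helo

def identities(helo, reverse_path):
    """(label, domain) pairs: MAIL FROM is a MUST, HELO is RECOMMENDED (2.1)."""
    sender = mail_from_identity(helo, reverse_path)
    return [("MAIL FROM", sender.rsplit("@", 1)[-1]), ("HELO", helo)]

def audit(sessions, txt=SAMPLE_TXT):
    """Per session, list the identities that lack exactly one SPF record
    (zero records means no policy; more than one is an error in 4.5)."""
    report = []
    for helo, reverse_path in sessions:
        missing = [label for label, dom in identities(helo, reverse_path)
                   if len(spf_records(dom, txt)) != 1]
        report.append((helo, reverse_path, missing))
    return report

SESSIONS = [  # constructed (HELO name, MAIL FROM reverse-path) pairs
    ("mx1.example.com", "<alice@example.com>"),
    ("mx1.example.com", "<>"),   # bounce / out-of-office, HELO has SPF
    ("mx2.example.com", "<alice@example.com>"),
    ("mx2.example.com", "<>"),   # bounce from a host with no SPF record
]

if __name__ == "__main__":
    for helo, path, missing in audit(SESSIONS):
        print(f"{helo:18} {path:22} missing SPF for: {missing or 'none'}")
```

Only the last session leaves the mandatory MAIL FROM check without a record, which is the empty MAIL FROM case the reply recommends covering by publishing SPF for every HELO name.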
