On Thursday, February 4, 2021 7:50:22 AM EST Alessandro Vesely wrote: > On Wed 03/Feb/2021 19:12:26 +0100 John Levine wrote: > > In article <[email protected]> you write: > >>On Tue 02/Feb/2021 20:13:42 +0100 John R Levine wrote: > >>> It's existing practice and I see no reason to change it. > >> > >>Software changes all the time. If we change, ... > >> > > Urrgh. There are still MTAs that haven't been updated from RFC 821. If > > you want a real standard, the closer you can make it to what the > > running code does, the most likely it will work. > > How about this: > > NOTE: Historically, SPF was focused on the mfrom identifier. The helo > identifier was retrofitted later, in order to account for delivery > status notifications. Earlier DMARC specifications followed suit. > Subsequently, it turned out that SPF records for the helo identifier are > actually sharper than those for mfrom, thereby making successful helo > verifications very reliable. However, in the vast majority of cases the > mfrom identifier is aligned with the main DMARC identifier, while the helo > identifier often does not have a corresponding SPF record. Therefore, the > common practice of using just the SPF result of mfrom unless empty is still > a valid heuristic. > > ?
I really think we should just stop. Independently of if your note is a good idea (I really don't think it's needed), it's also inaccurate. As written it implies that HELO checking was added to SPF after DMARC was developed. HELO checking was added in 2004 or earlier. When was DMARC defined? Please just stop. Scott K _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
