Re: [mailop] Why an SPF hard bounce on ~all ?

Fri, 28 Jun 2024 08:04:35 -0700 

Hello,
That is very intersting, and would explain what is happening. Thanks for the clarification. 

Thank you
Ted
easyDNS Technologies

On 2024-06-28 06:06, Alessandro Vesely via mailop wrote:

On Thu 27/Jun/2024 21:41:39 +0200 Adam D. Barratt via mailop wrote:

On Thu, 2024-06-27 at 14:50 -0400, Ted Smith via mailop wrote:

That conbined with the hard fail indicated could account for the
rejection of the message, except that I don't understand why the SPF
check would be done for the helo hostname of the forwarding server,
and why that result would take precidence over the SPF result for the
actual sender domain.

 Since SPF is supposed to verify that the senders, why would postfix-
policyd-spf-python be looking up the SPF record for the helo hostname
of the forwarding mailserver and determining what to do based on
that?  If my explanation is correct there is clearly something I'm
missing about SPF enforcement, or is there some other possible
explanation I'm unaware of?


The usual case where the HELO becomes involved in SPF checks would be
when the mail is a bounce, i.e. has a NULL envelope sender.




That is the restricted use of SPF promoted by DMARC.  The SPF spec 
recommends to preferably use HELO, if available.  Full wording:


   It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM"
   identity but also separately check the "HELO" identity by applying
   the check_host() function (Section 4) to the "HELO" identity as the
   <sender>.  Checking "HELO" promotes consistency of results and can
   reduce DNS resource usage.  If a conclusive determination about the
   message can be made based on a check of "HELO", then the use of DNS
   resources to process the typically more complex "MAIL FROM" can be
   avoided.  Additionally, since SPF records published for "HELO"
   identities refer to a single host, when available, they are a very
   reliable source of host authorization status.  Checking "HELO" before
   "MAIL FROM" is the RECOMMENDED sequence if both are checked.
https://datatracker.ietf.org/doc/html/rfc7208#section-2.3


Best
Ale

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop






















					Reply via email to