----- Message from Alan Hodgson <ahodg...@lists.simkin.ca> ---------
Date: Thu, 20 May 2021 13:48:48 -0700
From: Alan Hodgson <ahodg...@lists.simkin.ca>
Subject: Re: KAM_SENDGRID and SPF_HELO_NONE
To: users@spamassassin.apache.org
> And yes, SPF falls back to testing the HELO host if the envelope sender is
> empty (which should only occur in bounces or auto-responses).
Whilst the thread has passed on beyond this, this incorrect statement
needs to be corrected.
The SPF RFC states (rfc7208 2.3):
It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM"
identity but also separately check the "HELO" identity by applying
the check_host() function (Section 4) to the "HELO" identity as the
<sender>. Checking "HELO" promotes consistency of results and can
reduce DNS resource usage. If a conclusive determination about the
message can be made based on a check of "HELO", then the use of DNS
resources to process the typically more complex "MAIL FROM" can be
avoided. Additionally, since SPF records published for "HELO"
identities refer to a single host, when available, they are a very
reliable source of host authorization status. Checking "HELO" before
"MAIL FROM" is the RECOMMENDED sequence if both are checked.
...and at 2.4:
SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check
either has not been performed or has not reached a definitive policy
result by applying the check_host() function to the "MAIL FROM"
identity as the <sender>.
A HELO SPF check is most certainly not a "fall-back".
Whether the SPF checking tool used follows the RFC is another matter
entirely :-)
Simon.
--
Simon Wilson
M: 0400 12 11 16
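To illustrate the RFC 7208 section 2.3/2.4 ordering quoted above (HELO checked first, "MAIL FROM" only when the HELO check is not definitive, and an empty MAIL FROM checked as postmaster@HELO), here is an added example verifier that is not code from the thread or from SpamAssassin. It uses a constructed in-memory DNS table with hypothetical domains, supports only ip4 mechanisms and an all qualifier, and treats pass and fail as the definitive results (an assumption of this example).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; domains are hypothetical.
DNS_TXT = {
    "mx1.example.net": "v=spf1 ip4:192.0.2.10 -all",      # HELO identity record
    "example.com": "v=spf1 ip4:192.0.2.0/24 ~all",        # MAIL FROM domain record
    "nospf.example.org": None,                             # no SPF record published
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Results this example treats as a "definitive policy result" (RFC 7208 2.4).
DEFINITIVE = {"pass", "fail"}


def check_host(ip, domain):
    """Minimal check_host(): evaluates ip4 mechanisms and an 'all' term in order."""
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:"):
            network = ipaddress.ip_network(term[4:], strict=False)
            if client in network:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"                            # no mechanism matched, no 'all'


def verify(ip, helo, mail_from):
    """RFC 7208 2.3/2.4: HELO first; MAIL FROM only if HELO was not definitive."""
    helo_result = check_host(ip, helo)
    if helo_result in DEFINITIVE:
        return ("helo", helo_result)
    # Empty MAIL FROM (bounce / auto-response) is checked as postmaster@<HELO>.
    sender = mail_from or f"postmaster@{helo}"
    domain = sender.rsplit("@", 1)[1]
    return ("mailfrom", check_host(ip, domain))
```

With these records a HELO of mx1.example.net from the wrong IP fails definitively and the MAIL FROM record is never consulted, which is the point Simon makes: the HELO check is the first step, not a fallback.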