> 7208 actually recommends that the HELO string be evaluated every time.
> http://trac.tools.ietf.org/html/rfc7208#section-2.3

They do say to check it both times but I don't agree with the rationale provided. Expanding on the excerpt that Laura provided:

2.3. The "HELO" Identity

It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM" identity but also separately check the "HELO" identity by applying the check_host() function (Section 4) to the "HELO" identity as the <sender>. Checking "HELO" promotes consistency of results and can reduce DNS resource usage.

[tzink] How does this reduce DNS resource usage? Aren't we now checking two domains instead of one?

If a conclusive determination about the message can be made based on a check of "HELO", then the use of DNS resources to process the typically more complex "MAIL FROM" can be avoided.

[tzink] Disagree here, especially in the case of a shared hosting environment like Office 365. Customers relay spam through us and sometimes that spam will fail SPF checks. Yet, if you checked the SPF record on the HELO string (e.g., na01-bn1-obe.outbound.protection.outlook.com), that would pass an SPF check every time, whereas the @paypal.com in the MAIL FROM would fail SPF. Seems like you can only be sure you can trust the HELO when you are sure the sender locks down the outbound mail infrastructure, and that is not the case everywhere.

Additionally, since SPF records published for "HELO" identities refer to a single host, when available, they are a very reliable source of host authorization status. Checking "HELO" before "MAIL FROM" is the RECOMMENDED sequence if both are checked.

[tzink] They are for a single host but not necessarily for a single organization or even a series of organizations with the same set of policies. It seems like this RFC does not have a multi-tenant hosted environment in mind, and that is becoming more common.

-- Terry

> 7208 actually recommends that the HELO string be evaluated every time.
> http://trac.tools.ietf.org/html/rfc7208#section-2.3
>
> "2.3. The "HELO" Identity
>
> It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM"
> identity but also separately check the "HELO" identity by applying
> the check_host() function (Section 4) to the "HELO" identity as the
> <sender>. Checking "HELO" promotes consistency of results and can
> reduce DNS resource usage."
>
> laura
>
> --
> Laura Atkins
> Word to the Wise "The Deliverability Experts!"
> Direct: 650 678-3454 Fax: 650 249-1909
> @wise_laura
> Delivery blog: <http://blog.wordtothewise.com/>

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
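The shared-relay case Terry describes, as an added example that is not part of the thread: a minimal check_host() run over both identities shows the HELO host passing while the customer's MAIL FROM domain fails, so a verifier that stops after a HELO pass would authorise mail the MAIL FROM policy rejects. The hostnames come from the message; the SPF records, IP addresses and mailbox are constructed, not real DNS data.

```python
import ipaddress

# Constructed SPF records for the example (not real DNS data).
# The relay host publishes a HELO record covering its own IPs; the
# customer domain's record authorises only its own infrastructure.
DNS_TXT = {
    "na01-bn1-obe.outbound.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "paypal.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

def check_host(ip, domain, dns=DNS_TXT, depth=0):
    """Minimal RFC 7208 check_host(): supports ip4, include and all.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                       # RFC 7208 limit on DNS-fetching terms
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_host(ip, term[8:], dns, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"           # mechanism not modelled in this example
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                     # no mechanism matched (RFC 7208 section 4.7)

def evaluate(ip, helo, mail_from):
    """Check HELO first, then MAIL FROM, as RFC 7208 section 2.3 recommends,
    but report both results instead of treating a HELO pass as conclusive."""
    helo_result = check_host(ip, helo)
    mfrom_result = check_host(ip, mail_from.split("@", 1)[1])
    return {"helo": helo_result, "mailfrom": mfrom_result}

# Constructed message relayed by a shared outbound host: the HELO identity
# authorises the relay IP, the customer's MAIL FROM domain does not.
RESULT = evaluate("192.0.2.10",
                  "na01-bn1-obe.outbound.protection.outlook.com",
                  "someone@paypal.com")
```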