On Wednesday, November 14 at 09:35 PM, quoth Nikolay Shopik:
And HELO in SMTP is entirely unreliable, unverifiable, and on many servers completely skippable.
RFC says you SHOULD use FQDN for HELO nothing more. But still you can add SPF record for your HELO so nobody can foged your server HELO, thats it.
To quote RFC 821:
The HELO receiver MAY verify that the HELO parameter really
corresponds to the IP address of the sender. However, the receiver
MUST NOT refuse to accept a message, even if the sender's HELO
command fails verification.
If you prefer RFC 2821:
An SMTP server MAY verify that the domain name parameter in the
EHLO command actually corresponds to the IP address of the client.
However, the server MUST NOT refuse to accept a message for this
reason if the verification fails: the information about
verification failure is for logging and tracing only.
In practice, what that means is that HELO is useless for doing much of anything. Spammers or other criminals can forge your server's HELO to their hearts content and you are expressly forbidden from actually doing anything about it.
SPF does not override the existing standards.
And in any case, SPF HELO checks are a pointless exercise, since HELO is permitted to be anything at all without affecting the envelope of the message. A spammer can create his own domain, publish his own SPF settings that explicitly allow email from any source, and use that domain as his HELO string.
~Kyle
I believe that every human has a finite number of heart-beats. I don't intend to waste any of mine running around doing exercises. -- Neil Armstrong