postfix-policyd-spf-perl

FQDN use in HELO SPF request

Asked by David JACQUENS

Hi,

I am slightly confused, my server received an email with a "MAIL FROM" empty.
Therefore the SPF check was done against the EHLO FQDN "mail.example.com"

Postfix got me the result:
 Out: 450 4.7.1 <email address hidden>: Recipient address rejected:
     SPF-Result=mail.example.com: 'SERVFAIL' error on DNS
     'TXT' lookup of 'mail.example.com'

I am getting slightly confused here, when EHLO is used, the SPF is done against the FQDN of the server and not against the domain name? (mail.example.com and not example.com)

Is that right?

Thanks,

David

Question information

Language:
English Edit question
Status:
Solved
For:
postfix-policyd-spf-perl Edit question
Assignee:
No assignee Edit question
Solved by:
David JACQUENS
Solved:
Last query:
Last reply:
Revision history for this message
Scott Kitterman (kitterman) said : 		#1

Have a look at the second paragraph of http://tools.ietf.org/html/rfc4408#section-2.2 - I believe that explains it reasonably well.

Revision history for this message
David JACQUENS (fluo75) said : 		#2

Thanks Scott!
Reading that, if I understand correctly, in my example, the missing "MAIL FROM" is replaced by "<email address hidden>" (since the EHLO is "mail.example.com")
And therefore, the SPF is checked against "mail.example.com" and not against the domain name "example.com"

Am I right or did I missed something?
If that's right, it means that every servers must have its own TXT (or SPF) records, I mean, this is compulsory, not just recommended ?

Thanks again!

David

Revision history for this message
Scott Kitterman (kitterman) said : 		#3

That's correct. To the extent anything in an RFC is compulsory, it is. It's not an optional part of the protocol. That said, it is not uncommon for people not to write an SPF record for the HELO name.

Revision history for this message
David JACQUENS (fluo75) said : 		#4

OK, great.
When reading this http://www.openspf.org/FAQ/Common_mistakes#helo , I thought that was maybe not compulsary but it's very clear now, thanks to you.

Thanks again Scott!!