Re: [dmarc-ietf] Ticket #1 - SPF alignment

"Murray S. Kucherawy", Fri, 29 January 2021 20:31 UTC


On Fri, Jan 29, 2021 at 3:02 AM Alessandro Vesely wrote:

> I just ran a quick test on my current folder.  Out of 3879 messages I
> extracted 944 unique helo names.  721 of these matched the reverse lookup
> exactly.  Out of the 223 remaining, 127 had an SPF pass for the helo
> identity anyway.  So in 96 cases, roughly 10%, the helo name was indeed
> junk.  Isn't the remaining ~90% something worth considering?

I am admittedly quite heavily biased against using the HELO/EHLO value for
anything.  I have simply never found value in it, probably because at the
SMTP layer it's simply a value that gets logged or used in cute ways in the
human-readable portion of SMTP.  I seem to recall (but cannot seem to find
at the moment) RFC 5321 saying you can't reject HELO/EHLO based on a bogus
value, so it's even explicitly not useful to me.

Even if it's not junk, there's pretty much always something else on which
to hang a pass/fail decision about the apparent authenticity of a message
that at least feels safer if not actually being more sound.  Or put another
way, if you present to me a DKIM-signed message with a MAIL FROM value and
the only thing that passes is an SPF check against HELO, I'm mighty

Anyway, I'll let consensus fall where it may.