
SPF: do the “MAIL FROM” check after the “HELO” check

Open dilyanpalauzov opened this issue 6 years ago • 3 comments

OpenDMARC can perform the SPF checks and adds the result to an Authentication-Results: header. The specification gives an example of such a header:

   Authentication-Results: myhost.example.org; spf=pass
     smtp.mailfrom=example.net

but at the same time the specification recommends checking both the “MAIL FROM” and “HELO” identities, with “HELO” being first.

Looking at the code in opendmarc_spf.c:173, it looks like OpenDMARC prefers to perform only the “MAIL FROM” check, when it can.

  • Tweak OpenDMARC to perform the MAIL FROM check after the HELO check, if the HELO check was not sufficient.
  • When both checks are performed, record the output of both of them in the Authentication-Results header.

dilyanpalauzov, Jul 26 '19 10:07
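A small model of the ordering the issue asks for (HELO first, MAIL FROM only when HELO was not conclusive, both results recorded in one Authentication-Results header), as an added example that is not OpenDMARC's own code. It assumes "not sufficient" means the HELO result was neither pass nor fail, and uses a constructed in-memory TXT table in place of DNS, evaluating only the ip4/ip6/all mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real milter
# would query DNS; only ip4/ip6/all mechanisms are handled here).
TXT = {
    "mta.example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": "",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str) -> str:
    """Evaluate the constructed SPF record of `domain` for `client_ip`."""
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this identity
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qual]
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a matching mechanism


def spf_helo_then_mailfrom(helo: str, mailfrom_domain: str, client_ip: str):
    """Run the HELO check first; add the MAIL FROM check only if HELO was
    not conclusive (assumption: conclusive means pass or fail)."""
    results = [("smtp.helo", helo, check_spf(helo, client_ip))]
    if results[0][2] not in ("pass", "fail"):
        results.append(("smtp.mailfrom", mailfrom_domain,
                        check_spf(mailfrom_domain, client_ip)))
    return results


def authentication_results(authserv_id: str, results) -> str:
    """Render one Authentication-Results value with a resinfo per check."""
    parts = [f"spf={res} {prop}={val}" for prop, val, res in results]
    return f"{authserv_id}; " + "; ".join(parts)


if __name__ == "__main__":
    r = spf_helo_then_mailfrom("nospf.example", "example.net", "198.51.100.10")
    print(authentication_results("myhost.example.org", r))
```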

According to https://tools.ietf.org/html/rfc7489#section-3.1.2, in the context of DMARC only the mailfrom SPF check is used.

dilyanpalauzov, Sep 10 '19 04:09

@dilyanpalauzov This behavior was correct by the IETF pre-release, however this is an issue that will need to be addressed. I'll add it to the triage list, and look at seeing how the OpenDMARC milter should be modified to perform checks in the order specified.

martinbogo, May 22 '20 00:05

It seems to me that the decision on the HELO identity not being relevant (recorded in file CVE-2019-20790) makes this issue obsolete. There is no point in doing the HELO check if it will not be used in any case.

glts, Jul 30 '21 14:07