IETF Logo Mail Archive

Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies

Mark Alley <mark.alley@tekmarc.com> Sun, 15 January 2023 17:31 UTC

Return-Path: <mark.alley@tekmarc.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7DD6C14CE29 for <spfbis@ietfa.amsl.com>; Sun, 15 Jan 2023 09:31:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tekmarc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d08qRD0WwVYY for <spfbis@ietfa.amsl.com>; Sun, 15 Jan 2023 09:31:28 -0800 (PST)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9E15C14F74B for <spfbis@ietf.org>; Sun, 15 Jan 2023 09:31:28 -0800 (PST)
Received: by mail-qt1-x82b.google.com with SMTP id g9so8396002qtu.2 for <spfbis@ietf.org>; Sun, 15 Jan 2023 09:31:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tekmarc.com; s=google; h=in-reply-to:autocrypt:references:to:from:content-language:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=eeMiB6JOWSZeitzVd+TrkKXryrvdHDNZzAieLpwYCzI=; b=dACVoCHtCl0p6WlV6ewjQUPAIw4VRZR/LVdvFnub7+InCGgS08caOLtMAAByyt/1bI TVY7hq3YYSB0BPvUcX0ksVqJ8R9Hymw6L9ZhiMjzOj40wyKskiIKsNPx45pjYzpAfFA5 JruVDPbpxNNXxMx2QTH3KVlMTHTNPvuAPW5AkmsU0loD6ACq6TVComTIi5je12hZuCgX qFosSr/A7YpNOwejfZ/XsFCa8I0JXcIpG8cVXinGRDJemMno5GR7CKrgQt6JqExF1u6i z4IrJUZa647nltTyYz8+Og6v9vMlcaeBGUqJNneNGxGkDWjkhONmpby1T0RQPgQnTPvy wA3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:autocrypt:references:to:from:content-language:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=eeMiB6JOWSZeitzVd+TrkKXryrvdHDNZzAieLpwYCzI=; b=JPAO04Rc5dtrrmTYTMh+78ywbU+8AC9ILiaIAm8LSuqMYYLCnIXMFf2e2IwXtVZmk4 gtIPzBpnkAffgH08pcQsBkiIDN+0CKUbJw/eAQOZZpnAnvyfrWoUZqA3QT2WXuD/tlkn ZK+v2AgYEvinXe0Y7tL/eduOwdoz6RjlVL1HK4tOBdwejGXrzxxLwal7zpY9mp0lccWB MnEg4dDZRm18+FDPeTCRRzGkmVjTwqcA/7L/uDpdfQYy2oVoTbanb/D1iMyd/5hONI3A RoX6HYNMupFYS7uKYQgAA59z12vSwxgOYG2l7rR8Q1nKx38yIIh49TCOmnE3mwMrgri3 piDQ==
X-Gm-Message-State: AFqh2ko0FMFAmm5o4tHdGRFhjSVphhE6tSBQCgPwJo0UTpZMTlN0kIrp GiQkROa+jlCZzobAcuAQ/1GLM87gL1URfCJaVOw=
X-Google-Smtp-Source: AMrXdXs2oPLcQDevr+9StPSa7qU41mbWHe92Ovewg445wRkLQlrK5ZCdbzyyzRZfCtJj/eCd9QIBNw==
X-Received: by 2002:ac8:4685:0:b0:3b6:2c10:a3e1 with SMTP id g5-20020ac84685000000b003b62c10a3e1mr5938865qto.57.1673803887100; Sun, 15 Jan 2023 09:31:27 -0800 (PST)
Received: from [192.168.2.20] (162-238-103-217.lightspeed.brhmal.sbcglobal.net. [162.238.103.217]) by smtp.gmail.com with ESMTPSA id y10-20020a05620a25ca00b006fa4cac54a5sm16615363qko.72.2023.01.15.09.31.26 for <spfbis@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 15 Jan 2023 09:31:26 -0800 (PST)
Message-ID: <557a8265-d9df-0aa7-a03f-7785cd2194d6@tekmarc.com>
Date: Sun, 15 Jan 2023 11:31:25 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
From: Mark Alley <mark.alley@tekmarc.com>
To: spfbis@ietf.org
References: <79ac443e-b0ee-6598-cec0-9cf32c3dc1d1@tekmarc.com> <886d02b9-d5e9-5f91-70a9-2603764e5d6c@tekmarc.com>
Autocrypt: addr=mark.alley@tekmarc.com; keydata= xsFNBGOqGVEBEAC4wlUuECSqCjZgjn2sFPxBDm1jN66t7kFm5KyjjHYBey1HTjrjJTmb3XQB /zbTSWZPN96HNA5j3EH/TGfN4SogIgFiLkznOHooMECdCdtr8ARE9EesWQmfB96Q5XGga3FW 4MuXzNOAcQHmN1evG/dMUrGGsa2bUUWfa70FM1eM8xNspkZGmvyPAvsEP39xnaMFoqYkvYBB At2IHadM1mgDd2vWCUF31K8CSwin8RIbMehfny99Jbee6toz4qdJGjKK6ZQG3iDrMqiAEAEb NxAvZ0LPLgBF5/NDw6DVkfVOyN3Cnu7QIo3o1g5NhfhabDHctuH3AlbUsoW0lewNEbbok6Rp 9uktfiTZImvLMoMFOf30GrrViCwCOa51A/LIP68QWSTR/fEBatMD+KbaKJekTW47+7TfLfat hVLCq3wA3s5mVyJBLk0Vsv9aFgDMQJvqU7auOC3mLubwYbO9CVtd24JibeayMl7PGeNf7g2k PUHAR+6vZosFJCDZc1gOeQiZr8N7ZFPopsBmY28tzI3ejGohxcmJw+8NNt2leTgNvLtMZw+J jV8yHETIUdJvQmj5ed3uvoVZo4jLhU/sp2xO7LajsxtWpUMLcfbLAYDsL0E/bMIZsfyiRew3 JVOLpuAoc9yjkFbdfVyCxSERcc/IPX6C2bgwio7fuevNWhPqNwARAQABzSNNYXJrIEFsbGV5 IDxtYXJrLmFsbGV5QHRla21hcmMuY29tPsLBhwQTAQgAMRYhBHSDfsuM4bG2uOcUm+N6I8TQ TwQJBQJjqhlYAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ43ojxNBPBAnW/g/+J9vwKOHRIOwS FW804/SwlgE308OJmKiJuTJV7MKWw5zRZ7Ct9dO6W2Rzl8eQOHtUk1tTfsWHdSvjvW2k5C2F IK6twVOgjPnkbVra+jktVE7tdBJPy9FXWHmlbU+UjNr3VGX+qktBbWu2WKRwjLg9NaZhXQBH LRLHGGkj/VXVvAsqWh6G+UJbXnz+RwMv77JKrpOlx1vD2AOlXPRLb7ZgBWc2hn+gtAxX3Jmb TTnJMV3tTvIR82M0m/c/4vEj6IV3egRuNmgRHEEeRJi3VYGOF6UTA4mZaeNKLzF35bM0shHS KzS9scGWKnbYKfmITeJViw5pCk0nkYMXRjRrX5i2XebltBO06yLBqeq0xxn7vjVD+WA6mfEv 4AxoUYNP9sDuTwulccujHjOwo+832cfN1d0HYkpWzOBRvvksiekaMQrxt25dpvTjJmwh8GHc Cs1tD1Oqj03TKv9uJ6ANFBOBKWk3tpNp498BTBRr8ZqCyz3zL/3nZRBtM3aKx3vSGTKXgvy2 c5lTPe/ksmRjC+gndDSwSNLFnL7lGOobdAX5MqfjlJiONlAq180zDDVBMzVzdZwnCFU4yWdU A1x1HFSW35wuLEFdYp3tsTTUGrUARe1b4gQsGWlP5I39XVuW61nNI/uyAauFcx+2LID1Yjkq 60FGqL0rlxURpOe6jyEOk+vOwU0EY6oZWQEQALk2rfhVplWFecVk7RgX2F7S/FRwK99hKRf/ CNCvkG0UXBUq9H6p6I0AJNb4bxrEy8iJuffSWlSAC07Ofg3UA8UWKgzxmqeERaN4UO1NJAoU 1DWxDoBaeqiEC7/7yJc0aLhxvm5OwNQykZwVdJ/xgFQ3VBkJn+P1KZ7UTXaAg7gvAWh4znPY CDzvWkvGGbJcJzY5+QZQYjVEP1ZDqsCZymLU4KKI5DfA+jYggPR+/hWwadZ3KMGVOd7CzvSZ KP3bhA6FyR+szzRh+xH/MJyVZl1KrASz62ZZ7TmcNfLWSnQqZq736fVm6bdVOHMwlFq2ndGi 1TABqX2Bzvbkq3EMw/fIWeyK/vSw2433XtUF3qo/WYPUPdBJAO3wWTTxCeLcguFSJRMX2Myc vAT/pXdIo0/AFOLzQzBAOJWNPkUG7NcYMZlMBCzJaxvCgw/hQym/YUA6oG3k45X55JeCSV8j uRL4RAedvvc5dxdOPOpmou41IjyYqX0rKUSFDnyWh1gvYvSxcEHS6V4zoHBhBjf6oh6unLx6 DLAMuT4yl/8Kc7zVvSJMsB0onXo5Ag1pjEJ6NDTZMf1UXLjVc4CG1nSmQnVwsjB6RU9zD9Di 1P12TRUpUUw7NkM5kbPUZpONLdRQN79MiPIatUyGawIYROMtbGAM3qlLMtGV5eNykiw+Xl/h ABEBAAHCwXYEGAEIACAWIQR0g37LjOGxtrjnFJvjeiPE0E8ECQUCY6oZXwIbDAAKCRDjeiPE 0E8ECWEgD/9BSRPBYtbeU7hQj/7LScdWVngzSvLpGXRPCfTNRTAEEjitVHnJ99XHnAib6y0p 1e/0Gtm9m2n3/zGNA4w/tEf9FRWdlL+3GMlY963XWW5RjKxABF0GuKUENNM9MZ0f+wvyhyEW DJ8ep+3eqgaW4/wssbad1Eww26gYIKnBThNnVNvDYZztzAYHk3ayoD3ewPzbDyaosCBTE0fh voMyrcYN74oHdHx6o2irX22TiZ0+D/PQ+33oS9/sirPuw6Li+ED5A/81h7/CuT6gLDHKkuW/ 6mRAoTdOOV6c8c6V95NoNSAioIFFPqKZYIfX03IqqRst+HuOKOavERFmeoXANTDNRNR7/1rt vW8J9tarMH5N9VMewM9ktju2iuAs8nzuDhpctmGNdf7s4CWsoAlHuTleECEMBWHkHyIt5VjI XhtOJUl0BRmzkxKb6vJS5J8w/co61Ovq6ya3RsqsBEqc/szR8kX2m6n2nOPJmqTsHUe+XXMq +M9CZVlOrXkDoVCCbs6P8QuhNDcWqOkGYXIsDGQavclPaHwwsvf8Z3Wu73kQcMWdzmr8W7A4 hlVr9qLSLxJCn9ZLz84Fon4nPlGrfBQpKtB5gvyTCw6Kq5ca7FMtVkeiIn2HI+6Um8ytK1K7 N008Qxh74D6PI7S7gJt1SzBmAcQOL8omJng61C5B1fUncg==
In-Reply-To: <886d02b9-d5e9-5f91-70a9-2603764e5d6c@tekmarc.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------rAkwSlWagATi2wXE3t27c95p"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/K_z1H8WBYYrcypQrXsYLYYmNzOQ>
Subject: Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2023 17:31:33 -0000

Apologies - clarifying missed typos, results should reflect the below.

Permerror on >10 IP addresses total across all MX name records (sum) - No
Permerror on >10 IP addresses per MX name A record result - No

On 1/15/2023 11:23 AM, Mark Alley wrote:
>
> I did some experimenting with several receivers to determine major 
> consumer ESPs/filters interpretations of the MX lookup section I 
> brought up before. Below are the various potential interpretation 
> results (including incorrect ones).
>
> It appears that most receivers do not implement this particular 
> section at all for an unknown reason. So far, of the filters I've 
> tested/had access to, Proofpoint and SpamAssassin both interpret the 
> second section of the MX lookups as expected (Permerror on >10 MX name 
> A records), but *no* ESP I have tested with appears to include the MX 
> RRs to the SPF record DNS lookup count as one would expect per the 
> existing language.
>
> Perhaps is there a valid reason there seems to be this many 
> inconsistencies with this particular section's implementation?
>
>
> *SpamAssassin:*
> Permerror on 10 IP addresses total across all MX name records (sum) - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - *Yes*
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
> *Proofpoint:*
> Permerror on 10 IP addresses total across all MX name records (sum) - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - *Yes*
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
> *Google:*
> Permerror on 10 IP addresses total across all MX name records (sum) - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - No
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
> *Exchange Online:*
> Permerror on 10 IP addresses total across all MX name records (sum) - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - No
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
> *Outlook:*
> Permerror on 10 IP addresses total across all MX name records (sum) - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - No
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
> *Yahoo:*
> Permerror on 10 IP addresses total across all MX name records (sum) - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - No
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
> *Zohomail: *
> Permerror on 10 IP addresses total across all MX name records (sum) - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - No
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
> *Fastmail:*
> Permerror on 10 IP addresses total across all MX name name records 
> (sum) - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - No
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
> *AOL:*
> Permerror on 10 IP addresses sum total across all MX name records - No
> Permerror on 10 IP addresses per MX name A record result - No
> Permerror on >10 MX name A records - No
> Permerror on 9 MX name records and 2 or more additional DNS term 
> lookups - No
>
>
> - Mark Alley
>
> On 1/13/2023 2:09 PM, Mark Alley wrote:
>>
>> Hi all, I have two questions about section 4.6.4 regarding "mx" 
>> mechanism DNS lookup counts during SPF evaluation that I would like 
>> some guidance on. I haven't been able to find anything regarding this 
>> topic specifically in the ML archive aside from one niche topic 
>> relating to the MX AAAA ipv6 queries counting as void lookups.
>>
>> ------------------------------------
>>
>> First, checking logic implementations of the "mx" mechanism DNS 
>> lookup count of various SPF validator tools compared to the logic 
>> described in section 4.6.4, I discovered implementation 
>> inconsistencies that have led me to question what the "correct" logic 
>> is for counting MX lookups in an SPF record. There are 12 SPF 
>> validators on the internet that seem to skip over this during lookup 
>> counting (many from well-established vendors), and only 3 that do not.
>>
>> So, given this, based on the below information, which is the correct 
>> counting interpretation?
>>
>> There is a domain - katrinafox.com - which has an SPF record that 
>> looks like this:
>>
>> /v=spf1 +a +mx +ip4:35.213.205.66 include:_spf.mailspamprotection.com 
>> ~all/
>>
>> Breaking down DNS lookups manually, we get this:
>>
>> 1 - "a" mechanism
>>
>> 4 - "mx" mechanism (1 initial MX record lookup, +3 A/AAAA MX names 
>> returned)
>>
>> 4 - "include" mechanism (1 initial include lookup, +3 recursive includes)
>>
>> Per the first paragraph of section 4.6.4, it reads as such: "/When 
>> evaluating the "mx" mechanism, the number of "MX" resource//records 
>> queried is included in the overall limit of 10 mechanisms///modifiers 
>> that cause DNS lookups as described above."/
>>
>> My interpretation is that the language is clear; the MX names (A/AAAA 
>> RRs) returned by the MX query are counted against the overall 10 
>> lookup count of the evaluated SPF record. Leaving this domain's SPF 
>> record with a total of 9 lookups. However, the overwhelming majority 
>> of SPF validator tools (and I haven't even started researching 
>> receiver-side logic implementations of this yet) seem to implement 
>> this /skipping/ the MX query returned names as part of the lookup 
>> count, which leaves the lookup count for this domain at 6.
>>
>> ------------------------------------
>>
>> Second, addressing the second sentence of the second paragraph in 
>> 4.6.4 (which continues the context of the last above question): "/In 
>> addition to that limit, the evaluation of each "MX" record MUST NOT 
>> result in querying more than 10 address records -- either "A" or 
>> "AAAA" resource records./"
>>
>> There seems to be the same inconsistencies among SPF validator tools 
>> for this logic as well. Three tools, one being MXtoolbox, say this 
>> domain has "too many IP addresses returned from the MX query" (of 
>> which there are well over 10 total), which results in their 
>> evaluation returning "permerror".
>>
>> It seems some implementors have interpreted the "10 address records" 
>> phrase to mean "/the number of IP address records //resulting //from 
>> an MX name A/AAAA RR query/", rather than "/the total sum of the MX 
>> names themselves/", as would seem described by the section's 
>> language. Of my interpretation from this section's language, it would 
>> seem this domain should exceed neither the SPF lookup count, nor the 
>> MX A/AAAA query count.
>>
>> Which is the most accurate interpretation of this section?
>>
>> Thanks,
>>
>> - Mark Alley
>>
>>
>>
>>

v2.23.0 | Report a Bug | By Email