Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies
Mark Alley <mark.alley@tekmarc.com> Sun, 15 January 2023 17:31 UTC
Return-Path: <mark.alley@tekmarc.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7DD6C14CE29 for <spfbis@ietfa.amsl.com>; Sun, 15 Jan 2023 09:31:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tekmarc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d08qRD0WwVYY for <spfbis@ietfa.amsl.com>; Sun, 15 Jan 2023 09:31:28 -0800 (PST)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9E15C14F74B for <spfbis@ietf.org>; Sun, 15 Jan 2023 09:31:28 -0800 (PST)
Received: by mail-qt1-x82b.google.com with SMTP id g9so8396002qtu.2 for <spfbis@ietf.org>; Sun, 15 Jan 2023 09:31:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tekmarc.com; s=google; h=in-reply-to:autocrypt:references:to:from:content-language:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=eeMiB6JOWSZeitzVd+TrkKXryrvdHDNZzAieLpwYCzI=; b=dACVoCHtCl0p6WlV6ewjQUPAIw4VRZR/LVdvFnub7+InCGgS08caOLtMAAByyt/1bI TVY7hq3YYSB0BPvUcX0ksVqJ8R9Hymw6L9ZhiMjzOj40wyKskiIKsNPx45pjYzpAfFA5 JruVDPbpxNNXxMx2QTH3KVlMTHTNPvuAPW5AkmsU0loD6ACq6TVComTIi5je12hZuCgX qFosSr/A7YpNOwejfZ/XsFCa8I0JXcIpG8cVXinGRDJemMno5GR7CKrgQt6JqExF1u6i z4IrJUZa647nltTyYz8+Og6v9vMlcaeBGUqJNneNGxGkDWjkhONmpby1T0RQPgQnTPvy wA3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:autocrypt:references:to:from:content-language:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=eeMiB6JOWSZeitzVd+TrkKXryrvdHDNZzAieLpwYCzI=; b=JPAO04Rc5dtrrmTYTMh+78ywbU+8AC9ILiaIAm8LSuqMYYLCnIXMFf2e2IwXtVZmk4 gtIPzBpnkAffgH08pcQsBkiIDN+0CKUbJw/eAQOZZpnAnvyfrWoUZqA3QT2WXuD/tlkn ZK+v2AgYEvinXe0Y7tL/eduOwdoz6RjlVL1HK4tOBdwejGXrzxxLwal7zpY9mp0lccWB MnEg4dDZRm18+FDPeTCRRzGkmVjTwqcA/7L/uDpdfQYy2oVoTbanb/D1iMyd/5hONI3A RoX6HYNMupFYS7uKYQgAA59z12vSwxgOYG2l7rR8Q1nKx38yIIh49TCOmnE3mwMrgri3 piDQ==
X-Gm-Message-State: AFqh2ko0FMFAmm5o4tHdGRFhjSVphhE6tSBQCgPwJo0UTpZMTlN0kIrp GiQkROa+jlCZzobAcuAQ/1GLM87gL1URfCJaVOw=
X-Google-Smtp-Source: AMrXdXs2oPLcQDevr+9StPSa7qU41mbWHe92Ovewg445wRkLQlrK5ZCdbzyyzRZfCtJj/eCd9QIBNw==
X-Received: by 2002:ac8:4685:0:b0:3b6:2c10:a3e1 with SMTP id g5-20020ac84685000000b003b62c10a3e1mr5938865qto.57.1673803887100; Sun, 15 Jan 2023 09:31:27 -0800 (PST)
Received: from [192.168.2.20] (162-238-103-217.lightspeed.brhmal.sbcglobal.net. [162.238.103.217]) by smtp.gmail.com with ESMTPSA id y10-20020a05620a25ca00b006fa4cac54a5sm16615363qko.72.2023.01.15.09.31.26 for <spfbis@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 15 Jan 2023 09:31:26 -0800 (PST)
Message-ID: <557a8265-d9df-0aa7-a03f-7785cd2194d6@tekmarc.com>
Date: Sun, 15 Jan 2023 11:31:25 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
From: Mark Alley <mark.alley@tekmarc.com>
To: spfbis@ietf.org
References: <79ac443e-b0ee-6598-cec0-9cf32c3dc1d1@tekmarc.com> <886d02b9-d5e9-5f91-70a9-2603764e5d6c@tekmarc.com>
Autocrypt: addr=mark.alley@tekmarc.com; keydata= xsFNBGOqGVEBEAC4wlUuECSqCjZgjn2sFPxBDm1jN66t7kFm5KyjjHYBey1HTjrjJTmb3XQB /zbTSWZPN96HNA5j3EH/TGfN4SogIgFiLkznOHooMECdCdtr8ARE9EesWQmfB96Q5XGga3FW 4MuXzNOAcQHmN1evG/dMUrGGsa2bUUWfa70FM1eM8xNspkZGmvyPAvsEP39xnaMFoqYkvYBB At2IHadM1mgDd2vWCUF31K8CSwin8RIbMehfny99Jbee6toz4qdJGjKK6ZQG3iDrMqiAEAEb NxAvZ0LPLgBF5/NDw6DVkfVOyN3Cnu7QIo3o1g5NhfhabDHctuH3AlbUsoW0lewNEbbok6Rp 9uktfiTZImvLMoMFOf30GrrViCwCOa51A/LIP68QWSTR/fEBatMD+KbaKJekTW47+7TfLfat hVLCq3wA3s5mVyJBLk0Vsv9aFgDMQJvqU7auOC3mLubwYbO9CVtd24JibeayMl7PGeNf7g2k PUHAR+6vZosFJCDZc1gOeQiZr8N7ZFPopsBmY28tzI3ejGohxcmJw+8NNt2leTgNvLtMZw+J jV8yHETIUdJvQmj5ed3uvoVZo4jLhU/sp2xO7LajsxtWpUMLcfbLAYDsL0E/bMIZsfyiRew3 JVOLpuAoc9yjkFbdfVyCxSERcc/IPX6C2bgwio7fuevNWhPqNwARAQABzSNNYXJrIEFsbGV5 IDxtYXJrLmFsbGV5QHRla21hcmMuY29tPsLBhwQTAQgAMRYhBHSDfsuM4bG2uOcUm+N6I8TQ TwQJBQJjqhlYAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ43ojxNBPBAnW/g/+J9vwKOHRIOwS FW804/SwlgE308OJmKiJuTJV7MKWw5zRZ7Ct9dO6W2Rzl8eQOHtUk1tTfsWHdSvjvW2k5C2F IK6twVOgjPnkbVra+jktVE7tdBJPy9FXWHmlbU+UjNr3VGX+qktBbWu2WKRwjLg9NaZhXQBH LRLHGGkj/VXVvAsqWh6G+UJbXnz+RwMv77JKrpOlx1vD2AOlXPRLb7ZgBWc2hn+gtAxX3Jmb TTnJMV3tTvIR82M0m/c/4vEj6IV3egRuNmgRHEEeRJi3VYGOF6UTA4mZaeNKLzF35bM0shHS KzS9scGWKnbYKfmITeJViw5pCk0nkYMXRjRrX5i2XebltBO06yLBqeq0xxn7vjVD+WA6mfEv 4AxoUYNP9sDuTwulccujHjOwo+832cfN1d0HYkpWzOBRvvksiekaMQrxt25dpvTjJmwh8GHc Cs1tD1Oqj03TKv9uJ6ANFBOBKWk3tpNp498BTBRr8ZqCyz3zL/3nZRBtM3aKx3vSGTKXgvy2 c5lTPe/ksmRjC+gndDSwSNLFnL7lGOobdAX5MqfjlJiONlAq180zDDVBMzVzdZwnCFU4yWdU A1x1HFSW35wuLEFdYp3tsTTUGrUARe1b4gQsGWlP5I39XVuW61nNI/uyAauFcx+2LID1Yjkq 60FGqL0rlxURpOe6jyEOk+vOwU0EY6oZWQEQALk2rfhVplWFecVk7RgX2F7S/FRwK99hKRf/ CNCvkG0UXBUq9H6p6I0AJNb4bxrEy8iJuffSWlSAC07Ofg3UA8UWKgzxmqeERaN4UO1NJAoU 1DWxDoBaeqiEC7/7yJc0aLhxvm5OwNQykZwVdJ/xgFQ3VBkJn+P1KZ7UTXaAg7gvAWh4znPY CDzvWkvGGbJcJzY5+QZQYjVEP1ZDqsCZymLU4KKI5DfA+jYggPR+/hWwadZ3KMGVOd7CzvSZ KP3bhA6FyR+szzRh+xH/MJyVZl1KrASz62ZZ7TmcNfLWSnQqZq736fVm6bdVOHMwlFq2ndGi 1TABqX2Bzvbkq3EMw/fIWeyK/vSw2433XtUF3qo/WYPUPdBJAO3wWTTxCeLcguFSJRMX2Myc vAT/pXdIo0/AFOLzQzBAOJWNPkUG7NcYMZlMBCzJaxvCgw/hQym/YUA6oG3k45X55JeCSV8j uRL4RAedvvc5dxdOPOpmou41IjyYqX0rKUSFDnyWh1gvYvSxcEHS6V4zoHBhBjf6oh6unLx6 DLAMuT4yl/8Kc7zVvSJMsB0onXo5Ag1pjEJ6NDTZMf1UXLjVc4CG1nSmQnVwsjB6RU9zD9Di 1P12TRUpUUw7NkM5kbPUZpONLdRQN79MiPIatUyGawIYROMtbGAM3qlLMtGV5eNykiw+Xl/h ABEBAAHCwXYEGAEIACAWIQR0g37LjOGxtrjnFJvjeiPE0E8ECQUCY6oZXwIbDAAKCRDjeiPE 0E8ECWEgD/9BSRPBYtbeU7hQj/7LScdWVngzSvLpGXRPCfTNRTAEEjitVHnJ99XHnAib6y0p 1e/0Gtm9m2n3/zGNA4w/tEf9FRWdlL+3GMlY963XWW5RjKxABF0GuKUENNM9MZ0f+wvyhyEW DJ8ep+3eqgaW4/wssbad1Eww26gYIKnBThNnVNvDYZztzAYHk3ayoD3ewPzbDyaosCBTE0fh voMyrcYN74oHdHx6o2irX22TiZ0+D/PQ+33oS9/sirPuw6Li+ED5A/81h7/CuT6gLDHKkuW/ 6mRAoTdOOV6c8c6V95NoNSAioIFFPqKZYIfX03IqqRst+HuOKOavERFmeoXANTDNRNR7/1rt vW8J9tarMH5N9VMewM9ktju2iuAs8nzuDhpctmGNdf7s4CWsoAlHuTleECEMBWHkHyIt5VjI XhtOJUl0BRmzkxKb6vJS5J8w/co61Ovq6ya3RsqsBEqc/szR8kX2m6n2nOPJmqTsHUe+XXMq +M9CZVlOrXkDoVCCbs6P8QuhNDcWqOkGYXIsDGQavclPaHwwsvf8Z3Wu73kQcMWdzmr8W7A4 hlVr9qLSLxJCn9ZLz84Fon4nPlGrfBQpKtB5gvyTCw6Kq5ca7FMtVkeiIn2HI+6Um8ytK1K7 N008Qxh74D6PI7S7gJt1SzBmAcQOL8omJng61C5B1fUncg==
In-Reply-To: <886d02b9-d5e9-5f91-70a9-2603764e5d6c@tekmarc.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------rAkwSlWagATi2wXE3t27c95p"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/K_z1H8WBYYrcypQrXsYLYYmNzOQ>
Subject: Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2023 17:31:33 -0000
Apologies - clarifying missed typos, results should reflect the below. Permerror on >10 IP addresses total across all MX name records (sum) - No Permerror on >10 IP addresses per MX name A record result - No On 1/15/2023 11:23 AM, Mark Alley wrote: > > I did some experimenting with several receivers to determine major > consumer ESPs/filters interpretations of the MX lookup section I > brought up before. Below are the various potential interpretation > results (including incorrect ones). > > It appears that most receivers do not implement this particular > section at all for an unknown reason. So far, of the filters I've > tested/had access to, Proofpoint and SpamAssassin both interpret the > second section of the MX lookups as expected (Permerror on >10 MX name > A records), but *no* ESP I have tested with appears to include the MX > RRs to the SPF record DNS lookup count as one would expect per the > existing language. > > Perhaps is there a valid reason there seems to be this many > inconsistencies with this particular section's implementation? > > > *SpamAssassin:* > Permerror on 10 IP addresses total across all MX name records (sum) - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - *Yes* > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > *Proofpoint:* > Permerror on 10 IP addresses total across all MX name records (sum) - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - *Yes* > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > *Google:* > Permerror on 10 IP addresses total across all MX name records (sum) - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - No > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > *Exchange Online:* > Permerror on 10 IP addresses total across all MX name records (sum) - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - No > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > *Outlook:* > Permerror on 10 IP addresses total across all MX name records (sum) - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - No > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > *Yahoo:* > Permerror on 10 IP addresses total across all MX name records (sum) - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - No > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > *Zohomail: * > Permerror on 10 IP addresses total across all MX name records (sum) - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - No > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > *Fastmail:* > Permerror on 10 IP addresses total across all MX name name records > (sum) - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - No > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > *AOL:* > Permerror on 10 IP addresses sum total across all MX name records - No > Permerror on 10 IP addresses per MX name A record result - No > Permerror on >10 MX name A records - No > Permerror on 9 MX name records and 2 or more additional DNS term > lookups - No > > > - Mark Alley > > On 1/13/2023 2:09 PM, Mark Alley wrote: >> >> Hi all, I have two questions about section 4.6.4 regarding "mx" >> mechanism DNS lookup counts during SPF evaluation that I would like >> some guidance on. I haven't been able to find anything regarding this >> topic specifically in the ML archive aside from one niche topic >> relating to the MX AAAA ipv6 queries counting as void lookups. >> >> ------------------------------------ >> >> First, checking logic implementations of the "mx" mechanism DNS >> lookup count of various SPF validator tools compared to the logic >> described in section 4.6.4, I discovered implementation >> inconsistencies that have led me to question what the "correct" logic >> is for counting MX lookups in an SPF record. There are 12 SPF >> validators on the internet that seem to skip over this during lookup >> counting (many from well-established vendors), and only 3 that do not. >> >> So, given this, based on the below information, which is the correct >> counting interpretation? >> >> There is a domain - katrinafox.com - which has an SPF record that >> looks like this: >> >> /v=spf1 +a +mx +ip4:35.213.205.66 include:_spf.mailspamprotection.com >> ~all/ >> >> Breaking down DNS lookups manually, we get this: >> >> 1 - "a" mechanism >> >> 4 - "mx" mechanism (1 initial MX record lookup, +3 A/AAAA MX names >> returned) >> >> 4 - "include" mechanism (1 initial include lookup, +3 recursive includes) >> >> Per the first paragraph of section 4.6.4, it reads as such: "/When >> evaluating the "mx" mechanism, the number of "MX" resource//records >> queried is included in the overall limit of 10 mechanisms///modifiers >> that cause DNS lookups as described above."/ >> >> My interpretation is that the language is clear; the MX names (A/AAAA >> RRs) returned by the MX query are counted against the overall 10 >> lookup count of the evaluated SPF record. Leaving this domain's SPF >> record with a total of 9 lookups. However, the overwhelming majority >> of SPF validator tools (and I haven't even started researching >> receiver-side logic implementations of this yet) seem to implement >> this /skipping/ the MX query returned names as part of the lookup >> count, which leaves the lookup count for this domain at 6. >> >> ------------------------------------ >> >> Second, addressing the second sentence of the second paragraph in >> 4.6.4 (which continues the context of the last above question): "/In >> addition to that limit, the evaluation of each "MX" record MUST NOT >> result in querying more than 10 address records -- either "A" or >> "AAAA" resource records./" >> >> There seems to be the same inconsistencies among SPF validator tools >> for this logic as well. Three tools, one being MXtoolbox, say this >> domain has "too many IP addresses returned from the MX query" (of >> which there are well over 10 total), which results in their >> evaluation returning "permerror". >> >> It seems some implementors have interpreted the "10 address records" >> phrase to mean "/the number of IP address records //resulting //from >> an MX name A/AAAA RR query/", rather than "/the total sum of the MX >> names themselves/", as would seem described by the section's >> language. Of my interpretation from this section's language, it would >> seem this domain should exceed neither the SPF lookup count, nor the >> MX A/AAAA query count. >> >> Which is the most accurate interpretation of this section? >> >> Thanks, >> >> - Mark Alley >> >> >> >>
- [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup… Mark Alley
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Mark Alley
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Mark Alley
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Scott Kitterman
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Mark Alley
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Jan Schaumann
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Jan Schaumann
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Scott Kitterman
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Jan Schaumann
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Scott Kitterman
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Tim Wicinski
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… John Levine
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Tim Wicinski
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Jan Schaumann
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… william
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… John R Levine
- Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lo… Klaus Frank