IETF Logo Mail Archive

Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies

Mark Alley <mark.alley@tekmarc.com> Sun, 15 January 2023 17:23 UTC

Return-Path: <mark.alley@tekmarc.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6C3DC14CE29 for <spfbis@ietfa.amsl.com>; Sun, 15 Jan 2023 09:23:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tekmarc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBGRiybiKEBt for <spfbis@ietfa.amsl.com>; Sun, 15 Jan 2023 09:23:50 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79281C14F74B for <spfbis@ietf.org>; Sun, 15 Jan 2023 09:23:50 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id e8so2108937qts.1 for <spfbis@ietf.org>; Sun, 15 Jan 2023 09:23:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tekmarc.com; s=google; h=in-reply-to:subject:to:autocrypt:references:from:content-language :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=kFrRn6zpzsrNtx2sgajPkOxXBDuRJXJChNR3EtocL+Y=; b=dQJFP1y+tFP3Xudgced7JB+RicRE722uk6mwSYA1FQAvb7EqF50z7rw+4xEa1Ic8va 8MR6dYessvNZl2kWzNVcHbfOjt/GdLCbXbllyu8TQH1vccM3k3neMYzku3JJK4Y8OoZK 8WhKE7jJp1WJVAtBuPvHx/DHBux/GFS7WFgcl6d1vGF1mcLDJxL+tfahA4b+lAZQdjnj l3jMxtjVVxMpupaErr/ObyobXuqIjqemlZlILtGbqflNWHj04PgTIOEif0/OExbwvGDU nQYktunW9zo0BsYK11yExZfuMzus8A34ogzKGy4q60Jl1G63hAHLJYCm6RWidcvAZc2s 22JA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:subject:to:autocrypt:references:from:content-language :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=kFrRn6zpzsrNtx2sgajPkOxXBDuRJXJChNR3EtocL+Y=; b=sf+i0wBWxvUjKeVNmub2evBtpWX3hl0EmwA0gbj4MpG1ItKe/mPBRUq/rkW0IlW0nl 3EMqk2WDFO+dhoIRSFeUl4OUEwLXFg4eAY3MtVNCqplrgaGXrczl9tZxY7ywkV/s7KR9 N2w842yIsyIYpPpyKH+xk5LswFdE+nnyNbviDFqWP5EEjV+Hn/VU5WvNhRcY/fBKoQ8Z 9CHDu5WYl38sWInj/REjSPA6pRb2mEJ4oH0oWwSkACaRQ0bVfsLzPYM040WYVkykO/Ao OjZ12fevgApK1dcyESfyk3D+XvUiHUUDAyLvNdIfpPa2k3O48E429ggBF6G0rpbxXSIP Ll4A==
X-Gm-Message-State: AFqh2kpTVyh7mPPnBB0mHsJ9JIqS2Am6LQUG/ZbE0xRv/mBOrinLkdqZ uDtd2b4uBxWMEGvadonGIUwIHKfy2/fTL+M4sfg=
X-Google-Smtp-Source: AMrXdXtcAxcizsB2hRBJZqksxEwXOsAURoGw1J4PBNhKFGDumP4vvZ5TuLvHXc5Dak/7nBKHjQ8gMA==
X-Received: by 2002:ac8:5e06:0:b0:3ab:5bb4:ae6d with SMTP id h6-20020ac85e06000000b003ab5bb4ae6dmr156285711qtx.43.1673803428730; Sun, 15 Jan 2023 09:23:48 -0800 (PST)
Received: from [192.168.2.20] (162-238-103-217.lightspeed.brhmal.sbcglobal.net. [162.238.103.217]) by smtp.gmail.com with ESMTPSA id i4-20020a05620a404400b00704a2a40cf2sm16749369qko.38.2023.01.15.09.23.47 for <spfbis@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 15 Jan 2023 09:23:47 -0800 (PST)
Message-ID: <886d02b9-d5e9-5f91-70a9-2603764e5d6c@tekmarc.com>
Date: Sun, 15 Jan 2023 11:23:47 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
From: Mark Alley <mark.alley@tekmarc.com>
References: <79ac443e-b0ee-6598-cec0-9cf32c3dc1d1@tekmarc.com>
Autocrypt: addr=mark.alley@tekmarc.com; keydata= xsFNBGOqGVEBEAC4wlUuECSqCjZgjn2sFPxBDm1jN66t7kFm5KyjjHYBey1HTjrjJTmb3XQB /zbTSWZPN96HNA5j3EH/TGfN4SogIgFiLkznOHooMECdCdtr8ARE9EesWQmfB96Q5XGga3FW 4MuXzNOAcQHmN1evG/dMUrGGsa2bUUWfa70FM1eM8xNspkZGmvyPAvsEP39xnaMFoqYkvYBB At2IHadM1mgDd2vWCUF31K8CSwin8RIbMehfny99Jbee6toz4qdJGjKK6ZQG3iDrMqiAEAEb NxAvZ0LPLgBF5/NDw6DVkfVOyN3Cnu7QIo3o1g5NhfhabDHctuH3AlbUsoW0lewNEbbok6Rp 9uktfiTZImvLMoMFOf30GrrViCwCOa51A/LIP68QWSTR/fEBatMD+KbaKJekTW47+7TfLfat hVLCq3wA3s5mVyJBLk0Vsv9aFgDMQJvqU7auOC3mLubwYbO9CVtd24JibeayMl7PGeNf7g2k PUHAR+6vZosFJCDZc1gOeQiZr8N7ZFPopsBmY28tzI3ejGohxcmJw+8NNt2leTgNvLtMZw+J jV8yHETIUdJvQmj5ed3uvoVZo4jLhU/sp2xO7LajsxtWpUMLcfbLAYDsL0E/bMIZsfyiRew3 JVOLpuAoc9yjkFbdfVyCxSERcc/IPX6C2bgwio7fuevNWhPqNwARAQABzSNNYXJrIEFsbGV5 IDxtYXJrLmFsbGV5QHRla21hcmMuY29tPsLBhwQTAQgAMRYhBHSDfsuM4bG2uOcUm+N6I8TQ TwQJBQJjqhlYAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ43ojxNBPBAnW/g/+J9vwKOHRIOwS FW804/SwlgE308OJmKiJuTJV7MKWw5zRZ7Ct9dO6W2Rzl8eQOHtUk1tTfsWHdSvjvW2k5C2F IK6twVOgjPnkbVra+jktVE7tdBJPy9FXWHmlbU+UjNr3VGX+qktBbWu2WKRwjLg9NaZhXQBH LRLHGGkj/VXVvAsqWh6G+UJbXnz+RwMv77JKrpOlx1vD2AOlXPRLb7ZgBWc2hn+gtAxX3Jmb TTnJMV3tTvIR82M0m/c/4vEj6IV3egRuNmgRHEEeRJi3VYGOF6UTA4mZaeNKLzF35bM0shHS KzS9scGWKnbYKfmITeJViw5pCk0nkYMXRjRrX5i2XebltBO06yLBqeq0xxn7vjVD+WA6mfEv 4AxoUYNP9sDuTwulccujHjOwo+832cfN1d0HYkpWzOBRvvksiekaMQrxt25dpvTjJmwh8GHc Cs1tD1Oqj03TKv9uJ6ANFBOBKWk3tpNp498BTBRr8ZqCyz3zL/3nZRBtM3aKx3vSGTKXgvy2 c5lTPe/ksmRjC+gndDSwSNLFnL7lGOobdAX5MqfjlJiONlAq180zDDVBMzVzdZwnCFU4yWdU A1x1HFSW35wuLEFdYp3tsTTUGrUARe1b4gQsGWlP5I39XVuW61nNI/uyAauFcx+2LID1Yjkq 60FGqL0rlxURpOe6jyEOk+vOwU0EY6oZWQEQALk2rfhVplWFecVk7RgX2F7S/FRwK99hKRf/ CNCvkG0UXBUq9H6p6I0AJNb4bxrEy8iJuffSWlSAC07Ofg3UA8UWKgzxmqeERaN4UO1NJAoU 1DWxDoBaeqiEC7/7yJc0aLhxvm5OwNQykZwVdJ/xgFQ3VBkJn+P1KZ7UTXaAg7gvAWh4znPY CDzvWkvGGbJcJzY5+QZQYjVEP1ZDqsCZymLU4KKI5DfA+jYggPR+/hWwadZ3KMGVOd7CzvSZ KP3bhA6FyR+szzRh+xH/MJyVZl1KrASz62ZZ7TmcNfLWSnQqZq736fVm6bdVOHMwlFq2ndGi 1TABqX2Bzvbkq3EMw/fIWeyK/vSw2433XtUF3qo/WYPUPdBJAO3wWTTxCeLcguFSJRMX2Myc vAT/pXdIo0/AFOLzQzBAOJWNPkUG7NcYMZlMBCzJaxvCgw/hQym/YUA6oG3k45X55JeCSV8j uRL4RAedvvc5dxdOPOpmou41IjyYqX0rKUSFDnyWh1gvYvSxcEHS6V4zoHBhBjf6oh6unLx6 DLAMuT4yl/8Kc7zVvSJMsB0onXo5Ag1pjEJ6NDTZMf1UXLjVc4CG1nSmQnVwsjB6RU9zD9Di 1P12TRUpUUw7NkM5kbPUZpONLdRQN79MiPIatUyGawIYROMtbGAM3qlLMtGV5eNykiw+Xl/h ABEBAAHCwXYEGAEIACAWIQR0g37LjOGxtrjnFJvjeiPE0E8ECQUCY6oZXwIbDAAKCRDjeiPE 0E8ECWEgD/9BSRPBYtbeU7hQj/7LScdWVngzSvLpGXRPCfTNRTAEEjitVHnJ99XHnAib6y0p 1e/0Gtm9m2n3/zGNA4w/tEf9FRWdlL+3GMlY963XWW5RjKxABF0GuKUENNM9MZ0f+wvyhyEW DJ8ep+3eqgaW4/wssbad1Eww26gYIKnBThNnVNvDYZztzAYHk3ayoD3ewPzbDyaosCBTE0fh voMyrcYN74oHdHx6o2irX22TiZ0+D/PQ+33oS9/sirPuw6Li+ED5A/81h7/CuT6gLDHKkuW/ 6mRAoTdOOV6c8c6V95NoNSAioIFFPqKZYIfX03IqqRst+HuOKOavERFmeoXANTDNRNR7/1rt vW8J9tarMH5N9VMewM9ktju2iuAs8nzuDhpctmGNdf7s4CWsoAlHuTleECEMBWHkHyIt5VjI XhtOJUl0BRmzkxKb6vJS5J8w/co61Ovq6ya3RsqsBEqc/szR8kX2m6n2nOPJmqTsHUe+XXMq +M9CZVlOrXkDoVCCbs6P8QuhNDcWqOkGYXIsDGQavclPaHwwsvf8Z3Wu73kQcMWdzmr8W7A4 hlVr9qLSLxJCn9ZLz84Fon4nPlGrfBQpKtB5gvyTCw6Kq5ca7FMtVkeiIn2HI+6Um8ytK1K7 N008Qxh74D6PI7S7gJt1SzBmAcQOL8omJng61C5B1fUncg==
To: spfbis@ietf.org
In-Reply-To: <79ac443e-b0ee-6598-cec0-9cf32c3dc1d1@tekmarc.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------si3Eut7hp3PdhCLTTV0KtRRW"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/PDlwWnsfpmAeK1KJgo6M01rNVwg>
Subject: Re: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2023 17:23:54 -0000

I did some experimenting with several receivers to determine major 
consumer ESPs/filters interpretations of the MX lookup section I brought 
up before. Below are the various potential interpretation results 
(including incorrect ones).

It appears that most receivers do not implement this particular section 
at all for an unknown reason. So far, of the filters I've tested/had 
access to, Proofpoint and SpamAssassin both interpret the second section 
of the MX lookups as expected (Permerror on >10 MX name A records), but 
*no* ESP I have tested with appears to include the MX RRs to the SPF 
record DNS lookup count as one would expect per the existing language.

Perhaps is there a valid reason there seems to be this many 
inconsistencies with this particular section's implementation?


*SpamAssassin:*
Permerror on 10 IP addresses total across all MX name records (sum) - No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - *Yes*
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No

*Proofpoint:*
Permerror on 10 IP addresses total across all MX name records (sum) - No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - *Yes*
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No

*Google:*
Permerror on 10 IP addresses total across all MX name records (sum) - No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - No
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No

*Exchange Online:*
Permerror on 10 IP addresses total across all MX name records (sum) - No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - No
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No

*Outlook:*
Permerror on 10 IP addresses total across all MX name records (sum) - No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - No
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No

*Yahoo:*
Permerror on 10 IP addresses total across all MX name records (sum) - No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - No
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No

*Zohomail: *
Permerror on 10 IP addresses total across all MX name records (sum) - No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - No
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No

*Fastmail:*
Permerror on 10 IP addresses total across all MX name name records (sum) 
- No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - No
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No

*AOL:*
Permerror on 10 IP addresses sum total across all MX name records - No
Permerror on 10 IP addresses per MX name A record result - No
Permerror on >10 MX name A records - No
Permerror on 9 MX name records and 2 or more additional DNS term lookups 
- No


- Mark Alley

On 1/13/2023 2:09 PM, Mark Alley wrote:
>
> Hi all, I have two questions about section 4.6.4 regarding "mx" 
> mechanism DNS lookup counts during SPF evaluation that I would like 
> some guidance on. I haven't been able to find anything regarding this 
> topic specifically in the ML archive aside from one niche topic 
> relating to the MX AAAA ipv6 queries counting as void lookups.
>
> ------------------------------------
>
> First, checking logic implementations of the "mx" mechanism DNS lookup 
> count of various SPF validator tools compared to the logic described 
> in section 4.6.4, I discovered implementation inconsistencies that 
> have led me to question what the "correct" logic is for counting MX 
> lookups in an SPF record. There are 12 SPF validators on the internet 
> that seem to skip over this during lookup counting (many from 
> well-established vendors), and only 3 that do not.
>
> So, given this, based on the below information, which is the correct 
> counting interpretation?
>
> There is a domain - katrinafox.com - which has an SPF record that 
> looks like this:
>
> /v=spf1 +a +mx +ip4:35.213.205.66 include:_spf.mailspamprotection.com 
> ~all/
>
> Breaking down DNS lookups manually, we get this:
>
> 1 - "a" mechanism
>
> 4 - "mx" mechanism (1 initial MX record lookup, +3 A/AAAA MX names 
> returned)
>
> 4 - "include" mechanism (1 initial include lookup, +3 recursive includes)
>
> Per the first paragraph of section 4.6.4, it reads as such: "/When 
> evaluating the "mx" mechanism, the number of "MX" resource//records 
> queried is included in the overall limit of 10 mechanisms///modifiers 
> that cause DNS lookups as described above."/
>
> My interpretation is that the language is clear; the MX names (A/AAAA 
> RRs) returned by the MX query are counted against the overall 10 
> lookup count of the evaluated SPF record. Leaving this domain's SPF 
> record with a total of 9 lookups. However, the overwhelming majority 
> of SPF validator tools (and I haven't even started researching 
> receiver-side logic implementations of this yet) seem to implement 
> this /skipping/ the MX query returned names as part of the lookup 
> count, which leaves the lookup count for this domain at 6.
>
> ------------------------------------
>
> Second, addressing the second sentence of the second paragraph in 
> 4.6.4 (which continues the context of the last above question): "/In 
> addition to that limit, the evaluation of each "MX" record MUST NOT 
> result in querying more than 10 address records -- either "A" or 
> "AAAA" resource records./"
>
> There seems to be the same inconsistencies among SPF validator tools 
> for this logic as well. Three tools, one being MXtoolbox, say this 
> domain has "too many IP addresses returned from the MX query" (of 
> which there are well over 10 total), which results in their evaluation 
> returning "permerror".
>
> It seems some implementors have interpreted the "10 address records" 
> phrase to mean "/the number of IP address records //resulting //from 
> an MX name A/AAAA RR query/", rather than "/the total sum of the MX 
> names themselves/", as would seem described by the section's language. 
> Of my interpretation from this section's language, it would seem this 
> domain should exceed neither the SPF lookup count, nor the MX A/AAAA 
> query count.
>
> Which is the most accurate interpretation of this section?
>
> Thanks,
>
> - Mark Alley
>
>
>
>

v2.23.0 | Report a Bug | By Email