[spfbis] Result of record evaluation with non-implemented mechanism

Alessandro Vesely <vesely@tana.it> Tue, 12 January 2016 16:09 UTC

Return-Path: <vesely@tana.it>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A35751B2AEB for <spfbis@ietfa.amsl.com>; Tue, 12 Jan 2016 08:09:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.277
X-Spam-Level:
X-Spam-Status: No, score=0.277 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Y8irBNL3eKx for <spfbis@ietfa.amsl.com>; Tue, 12 Jan 2016 08:09:39 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85AA91B2ACE for <spfbis@ietf.org>; Tue, 12 Jan 2016 08:09:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1452614976; bh=w4vtGRVRrj72L92RKsSXqPJNCD8CEok4/+TiBQk5xXM=; l=1406; h=To:From:Date; b=GPgyyc5OXoXy7L3bJdmmicQGpheCGc02AIkuMFrL2w0w7iAgBf1dcy5u5RKHmw1Nb T4UpspeMOt7UTjIZ6VcjztMqaF/ERRba3iiNFwp6k/Bk/F1xeaHn0CmjUrgtNUCaim rTsUX8gFQ78Tqq+tSt69mOvDCKc4U+I4ysBZ2sNQ=
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.88] (pcale.tana [172.25.197.88]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Tue, 12 Jan 2016 17:09:35 +0100 id 00000000005DC05C.000000005695253F.00001B1C
To: spfbis <spfbis@ietf.org>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <5695253F.6060702@tana.it>
Date: Tue, 12 Jan 2016 17:09:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.5.0
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/spfbis/YXU_emU7yx8-NSPqpBeo7_FuxR8>
Subject: [spfbis] Result of record evaluation with non-implemented mechanism
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2016 16:09:40 -0000

Hi,
RFC 7208 doesn't seem to be very clear on the requirements for "exists"
mechanisms.  I don't know if that deserves an erratum.

The spec defines mechanisms, but Section 4.6.4 "DNS Lookup Limits" does not
mention "exists", while Section 5.7 "exists" does not mention return values.

OTOH, dmarcian reports that "exists" mechanisms are not fully supported by all
high-volume receivers.  In fact, google.com returns permfail for the record in
the first bullet of Appendix D.1, unless a match is found before "exists".

According to Section 2.6.7 "Permerror", Google signal an error condition that
definitely requires DNS operator intervention to be resolved. Tools which parse
DMARC aggregate feedback correctly report an issue, to no avail :-O

You see, SPF receivers are divided into two categories: those with a loaded
check_host() function and those who never reject on fail.  Google never reject
on fail.  Why do they return permerror, then?  Wouldn't "none" be fine?

4.6.2.  *Mechanisms*

The second paragraph there may be a good point to pin an erratum:

OLD
   When a mechanism is evaluated, one of three things can happen: it can
   match, not match, or return an exception.

NEW
   When a mechanism is evaluated, one of three things can happen: it can
   match, not match, or return an exception.  Non-implemented mechanisms
   MUST NOT return an exception.

Better ideas?

Ale
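The distinction the message turns on, a mechanism name the RFC 7208 ABNF admits but a given evaluator has not implemented versus a name the grammar does not know at all, is easy to see in code. The following is an added example, not code from the message or from any real SPF implementation: a toy check_host() with a pluggable set of implemented mechanisms and a switch for what to do when evaluation reaches a known-but-unimplemented one ("permerror", the behaviour the message reports for Google, or "nomatch", what the proposed errata text would require). The zone data, records, client IPs and the `_spf.%{d}` naming are constructed for the demo; only all/ip4/mx/exists and the %{i}, %{ir}, %{d} macros are supported, and redirect=/exp= are ignored.

```python
"""Toy SPF check_host() showing how a known-but-unimplemented mechanism
("exists" here) changes the result depending on where it sits in the record.

Assumptions (constructed for this example, not from the message): the DNS
data, records and IPs below; only all/ip4/mx/exists are implemented; only the
%{i}, %{ir} and %{d} macros are expanded.  Unknown mechanism *names* are
syntax errors and yield permerror before evaluation starts (RFC 7208
Section 4.6); a name the ABNF allows but the evaluator has not implemented is
the open point, so that behaviour is a switch."""
import ipaddress
import re

# Constructed zone data: (qtype, name) -> answers.  No live lookups.
FAKE_DNS = {
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["192.0.2.10"],
    # exists: target for client 192.0.2.1 with %{ir} (octets reversed)
    ("A", "1.2.0.192._spf.example.com"): ["127.0.0.2"],
}

def dns(qtype, name):
    return FAKE_DNS.get((qtype, name), [])

def expand(spec, ip, domain):
    """Expand the three macros this demo needs: %{i}, %{ir}, %{d}."""
    octets = str(ip).split(".")
    macros = {"i": str(ip), "ir": ".".join(reversed(octets)), "d": domain}
    return re.sub(r"%\{(\w+)\}", lambda m: macros[m.group(1)], spec)

def mech_all(arg, ip, domain):
    return True

def mech_ip4(arg, ip, domain):
    return ip in ipaddress.ip_network(arg, strict=False)

def mech_mx(arg, ip, domain):
    hosts = dns("MX", arg or domain)
    return any(str(ip) in dns("A", host) for host in hosts)

def mech_exists(arg, ip, domain):
    return bool(dns("A", expand(arg, ip, domain)))

FULL = {"all": mech_all, "ip4": mech_ip4, "mx": mech_mx, "exists": mech_exists}
NO_EXISTS = {name: fn for name, fn in FULL.items() if name != "exists"}

# Mechanism names the RFC 7208 ABNF admits; anything else is a syntax error.
ABNF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Split a record into (qualifier, name, arg) directives; modifiers are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    directives = []
    for term in terms[1:]:
        if "=" in term:                      # redirect=, exp=, unknown-modifier: ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()    # drop a dual-cidr suffix such as mx/30
        directives.append((qualifier, name, arg))
    return directives

def check_host(record, ip, domain, implemented, unimplemented="permerror"):
    """Return the SPF result.  ``unimplemented`` selects what happens when
    evaluation reaches a mechanism whose name is valid but has no implementation:
    "permerror" (what the message reports for Google) or "nomatch" (treat it as
    not matching and continue, as the proposed errata text would require)."""
    directives = parse(record)
    if directives is None:
        return "none"
    if any(name not in ABNF_MECHANISMS for _, name, _ in directives):
        return "permerror"                   # syntax check runs before any evaluation
    for qualifier, name, arg in directives:
        fn = implemented.get(name)
        if fn is None:
            if unimplemented == "permerror":
                return "permerror"
            continue                         # "nomatch": fall through to the next directive
        if fn(arg, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no redirect=

DOMAIN = "example.com"
EXISTS_FIRST = "v=spf1 exists:%{ir}._spf.%{d} mx -all"   # constructed record
MX_FIRST = "v=spf1 mx exists:%{ir}._spf.%{d} -all"       # constructed record
CLIENT = ipaddress.ip_address("192.0.2.1")              # listed only under the exists: tree
MX_HOST = ipaddress.ip_address("192.0.2.10")            # the domain's MX

def demo():
    return {
        "full, exists first, client":        check_host(EXISTS_FIRST, CLIENT, DOMAIN, FULL),
        "no exists, exists first, client":   check_host(EXISTS_FIRST, CLIENT, DOMAIN, NO_EXISTS),
        "no exists, mx first, mx host":      check_host(MX_FIRST, MX_HOST, DOMAIN, NO_EXISTS),
        "no exists, mx first, client":       check_host(MX_FIRST, CLIENT, DOMAIN, NO_EXISTS),
        "no exists, nomatch policy, client": check_host(EXISTS_FIRST, CLIENT, DOMAIN, NO_EXISTS, "nomatch"),
        "unknown mechanism name":            check_host("v=spf1 mx foo:bar -all", MX_HOST, DOMAIN, FULL),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:36} -> {result}")
```

Run as a script it prints the six cases. The same record yields pass when the client matches "mx" before "exists" is reached and permerror when it does not, which is the position-dependent behaviour the message describes; with the "nomatch" switch the unimplemented term is simply skipped and "-all" produces fail. The last case shows that a name outside the ABNF is a different thing entirely: it is rejected as a syntax error before any mechanism is evaluated, regardless of where it sits.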