Re: [spfbis] SPF-checking tool

Stuart D Gathman <stuart@gathman.org> Thu, 27 February 2020 19:52 UTC

Date: Thu, 27 Feb 2020 14:52:38 -0500 (EST)
From: Stuart D Gathman <stuart@gathman.org>
To: Frank Bulk <frnkblk@iname.com>
cc: spfbis@ietf.org, "'Scott Kitterman'" <sklist@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/_b3Pg4veLxtsRIpU2UWxJ186asQ>


On Thu, 27 Feb 2020, Frank Bulk wrote:

> Perhaps I'm using an old version of that Python script, but here are some
> examples.  My best guess is that the python script stops as soon as it
> passes the check, but doesn't evaluate the whole record.
>
>
> deerequipment.com: Dmarcian notes "The target name for
> "include:spf.protection.outlook.com" equals an already evaluated "include"
> mechanism / "redirect" modifier."

That is not an error.  That is more of a "lint" feature.

> visionnetusa.com: Dmarcian notes "Multiple SPF records found for
> "visionnetusa.com". There should only be one."

$ python spf.py visionnetusa.com
PermError:  Two or more type TXT spf records found.

> ghekkonetworks.com: Dmarcian notes "Multiple SPF records found for
> "ghekkonetworks.com". There should only be one."

$ python spf.py ghekkonetworks.com
PermError:  Two or more type TXT spf records found.

>
> billtrust.com: Dmarcian notes " A DMARC record was detected under
> "billtrust.com". DMARC records must be located at "_dmarc.billtrust.com",
> and not directly at "billtrust.com". If DMARC was set up as a wildcard
> record, that should be removed and placed only at the domain level."

SPF doesn't do DMARC.

> zayo.com: Dmarcian notes "12 DNS lookups required to evaluate the SPF
> record. The maximum is 10."

$ python spf.py 1.2.3.4 root@zayo.com zayo.com
result: ('permerror', 550, 'SPF Permanent Error: Too many DNS lookups')
None

Granted, the description should include the count.  Fixing now...

> tivo.com: Dmarcian notes:
> 	Error! 30 DNS lookups required to evaluate the SPF record. The
> maximum is 10.
> 	Error! SPF record is present, but invalid.
> root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1
> include:_spf.tivo.com mx include:authsmtp.com include:stspg-customer.com
> include:spf.protection.outlook.com include:aspmx.pardot.com
> include:_spf.centercode.com ~all" 204.176.49.0 postmaster@tivo.com
> mail.tivo.com
> result: ('pass', 250, 'sender SPF authorized') include:_spf.tivo.com
> root@nagios:/usr/local/bin/spfcheck#

Here's one Dmarc missed in the horribly perverted tivo.com policy (the 
sheer size of the trace should make tivo immediately erase their policy
and start over).

$ python spf.py -v 1.2.3.4 root@tivo.com tivo.com
result= ('tivo.com', 'TXT')
['RqJZ70Pn6J6AZTMjXGsp7DlGJ33V/G8i8mDWYfTLXWqRkvOqwFsSqQsX3QuDUNvjFaB9Tttla3hcOixOuVcdQw==']
addcache= ('tivo.com', 'TXT')
['RqJZ70Pn6J6AZTMjXGsp7DlGJ33V/G8i8mDWYfTLXWqRkvOqwFsSqQsX3QuDUNvjFaB9Tttla3hcOixOuVcdQw==']
result= ('tivo.com', 'TXT')
['status-page-domain-verification=fq5jzb9dvx37']
addcache= ('tivo.com', 'TXT')
['status-page-domain-verification=fq5jzb9dvx37']
result= ('tivo.com', 'TXT') ['v=spf1 include:_spf.tivo.com mx
include:authsmtp.com include:stspg-customer.com
include:spf.protection.outlook.com include:aspmx.pardot.com
include:_spf.centercode.com ~all']
addcache= ('tivo.com', 'TXT') ['v=spf1 include:_spf.tivo.com mx
include:authsmtp.com include:stspg-customer.com
include:spf.protection.outlook.com include:aspmx.pardot.com
include:_spf.centercode.com ~all']
result= ('tivo.com', 'TXT') ['MS=ms87319732']
addcache= ('tivo.com', 'TXT') ['MS=ms87319732']
result= ('tivo.com', 'TXT')
['pardot_43592_*=49af2b9098b2d30a71235cbf8a9855eb4846e62fcc95c9e47a8cdf9d5e5842b7']
addcache= ('tivo.com', 'TXT')
['pardot_43592_*=49af2b9098b2d30a71235cbf8a9855eb4846e62fcc95c9e47a8cdf9d5e5842b7']
result= ('tivo.com', 'TXT')
['onetrust-domain-verification=b96d88a367b2449c9b0f6062e3815b22']
addcache= ('tivo.com', 'TXT')
['onetrust-domain-verification=b96d88a367b2449c9b0f6062e3815b22']
result= ('tivo.com', 'TXT')
['0ed1fe018ac20dca8c20624109ac0610e88f36a065']
addcache= ('tivo.com', 'TXT')
['0ed1fe018ac20dca8c20624109ac0610e88f36a065']
result= ('tivo.com', 'TXT')
['e2cPMIx634wXtI6x2tFVmwNehpMoYRQ/Zt2xcek117k3drOPYN6uuCUDSC23Y9I4INWmUN4OF8priX2RHbztUA==']
addcache= ('tivo.com', 'TXT')
['e2cPMIx634wXtI6x2tFVmwNehpMoYRQ/Zt2xcek117k3drOPYN6uuCUDSC23Y9I4INWmUN4OF8priX2RHbztUA==']
result= ('tivo.com', 'TXT')
['pardot_43592_*=dfc113dde72c0a055d749915158b6234505740355598dd31d53be2f129aac8a1']
addcache= ('tivo.com', 'TXT')
['pardot_43592_*=dfc113dde72c0a055d749915158b6234505740355598dd31d53be2f129aac8a1']
top: tivo.com "v=spf1 include:_spf.tivo.com mx include:authsmtp.com
include:stspg-customer.com include:spf.protection.outlook.com
include:aspmx.pardot.com include:_spf.centercode.com ~all"
result= ('_spf.tivo.com', 'TXT') ['v=spf1
include:_spf_netblocks1.tivo.com include:_spf_netblocks2.tivo.com
include:_spf_netblocks3.tivo.com include:_spf.jobvite.com
include:_spf.salesforce.com include:us._netblocks.mimecast.com
include:us.confirmit.com a:secmail.ultipro.com ~all']
addcache= ('_spf.tivo.com', 'TXT') ['v=spf1
include:_spf_netblocks1.tivo.com include:_spf_netblocks2.tivo.com
include:_spf_netblocks3.tivo.com include:_spf.jobvite.com
include:_spf.salesforce.com include:us._netblocks.mimecast.com
include:us.confirmit.com a:secmail.ultipro.com ~all']
include: _spf.tivo.com "v=spf1 include:_spf_netblocks1.tivo.com
include:_spf_netblocks2.tivo.com include:_spf_netblocks3.tivo.com
include:_spf.jobvite.com include:_spf.salesforce.com
include:us._netblocks.mimecast.com include:us.confirmit.com
a:secmail.ultipro.com ~all"
result= ('_spf_netblocks1.tivo.com', 'TXT') ['v=spf1 ip4:204.176.49.0/24
ip4:209.34.86.213/31 ip4:208.73.180.0/22 ip4:69.25.59.161
ip4:198.61.141.237 ip4:216.23.184.197 ip4:207.38.45.154
ip4:204.14.232.64/28 ip4:202.129.242.64/31 ip4:156.45.254.11 ~all']
addcache= ('_spf_netblocks1.tivo.com', 'TXT') ['v=spf1
ip4:204.176.49.0/24 ip4:209.34.86.213/31 ip4:208.73.180.0/22
ip4:69.25.59.161 ip4:198.61.141.237 ip4:216.23.184.197 ip4:207.38.45.154
ip4:204.14.232.64/28 ip4:202.129.242.64/31 ip4:156.45.254.11 ~all']
include: _spf_netblocks1.tivo.com "v=spf1 ip4:204.176.49.0/24
ip4:209.34.86.213/31 ip4:208.73.180.0/22 ip4:69.25.59.161
ip4:198.61.141.237 ip4:216.23.184.197 ip4:207.38.45.154
ip4:204.14.232.64/28 ip4:202.129.242.64/31 ip4:156.45.254.11 ~all"
result= ('_spf_netblocks2.tivo.com', 'TXT') ['v=spf1
ip4:65.213.152.14/31 ip4:216.136.162.124/31 ip4:156.45.254.31
ip4:156.45.254.32/29 ip4:50.57.43.233 ip4:64.78.17.176 ip4:65.17.254.100
ip4:65.17.254.108/31 ip4:63.131.159.146 ~all']
addcache= ('_spf_netblocks2.tivo.com', 'TXT') ['v=spf1
ip4:65.213.152.14/31 ip4:216.136.162.124/31 ip4:156.45.254.31
ip4:156.45.254.32/29 ip4:50.57.43.233 ip4:64.78.17.176 ip4:65.17.254.100
ip4:65.17.254.108/31 ip4:63.131.159.146 ~all']
include: _spf_netblocks2.tivo.com "v=spf1 ip4:65.213.152.14/31
ip4:216.136.162.124/31 ip4:156.45.254.31 ip4:156.45.254.32/29
ip4:50.57.43.233 ip4:64.78.17.176 ip4:65.17.254.100 ip4:65.17.254.108/31
ip4:63.131.159.146 ~all"
result= ('_spf_netblocks3.tivo.com', 'TXT') ['v=spf1 ip4:63.131.159.151
ip4:216.157.16.107 ip4:216.136.162.123 ip4:207.106.123.26
ip4:192.237.163.108 ip4:66.150.161.30 ip4:108.166.45.120
ip4:50.31.43.169 ip4:50.57.175.27 ip4:166.78.203.73
include:_spf_o365.tivo.com ~all']
addcache= ('_spf_netblocks3.tivo.com', 'TXT') ['v=spf1
ip4:63.131.159.151 ip4:216.157.16.107 ip4:216.136.162.123
ip4:207.106.123.26 ip4:192.237.163.108 ip4:66.150.161.30
ip4:108.166.45.120 ip4:50.31.43.169 ip4:50.57.175.27 ip4:166.78.203.73
include:_spf_o365.tivo.com ~all']
include: _spf_netblocks3.tivo.com "v=spf1 ip4:63.131.159.151
ip4:216.157.16.107 ip4:216.136.162.123 ip4:207.106.123.26
ip4:192.237.163.108 ip4:66.150.161.30 ip4:108.166.45.120
ip4:50.31.43.169 ip4:50.57.175.27 ip4:166.78.203.73
include:_spf_o365.tivo.com ~all"
result= ('_spf_o365.tivo.com', 'TXT') ['v=spf1
include:_spf_netblockso.tivo.com include:_spf_netblockso2.tivo.com
include:_spf_netblockso3.tivo.com ~all']
addcache= ('_spf_o365.tivo.com', 'TXT') ['v=spf1
include:_spf_netblockso.tivo.com include:_spf_netblockso2.tivo.com
include:_spf_netblockso3.tivo.com ~all']
include: _spf_o365.tivo.com "v=spf1 include:_spf_netblockso.tivo.com
include:_spf_netblockso2.tivo.com include:_spf_netblockso3.tivo.com
~all"
result= ('_spf_netblockso.tivo.com', 'TXT') ['v=spf1 ip4:13.111.0.0/22
ip4:13.111.53.0/24 ip4:13.111.54.0/24 ip4:23.253.182.103
ip4:23.253.183.145 ip4:23.253.183.146/31 ip4:23.253.183.148
ip4:23.253.183.150 ip4:50.31.43.169 ip4:50.57.43.233 ip4:50.57.175.27
~all']
addcache= ('_spf_netblockso.tivo.com', 'TXT') ['v=spf1 ip4:13.111.0.0/22
ip4:13.111.53.0/24 ip4:13.111.54.0/24 ip4:23.253.182.103
ip4:23.253.183.145 ip4:23.253.183.146/31 ip4:23.253.183.148
ip4:23.253.183.150 ip4:50.31.43.169 ip4:50.57.43.233 ip4:50.57.175.27
~all']
include: _spf_netblockso.tivo.com "v=spf1 ip4:13.111.0.0/22
ip4:13.111.53.0/24 ip4:13.111.54.0/24 ip4:23.253.182.103
ip4:23.253.183.145 ip4:23.253.183.146/31 ip4:23.253.183.148
ip4:23.253.183.150 ip4:50.31.43.169 ip4:50.57.43.233 ip4:50.57.175.27
~all"
result= ('_spf_netblockso2.tivo.com', 'TXT') ['v=spf1 ip4:54.240.0.0/18
ip4:62.13.128.0/24 ip4:62.13.129.128/25 ip4:62.13.136.0/21
ip4:62.13.144.0/21 ip4:62.13.152.0/23 ip4:63.128.21.0/24
ip4:63.131.159.146 ip4:63.131.159.151 ip4:64.78.17.176 ip4:65.17.254.100
~all']
addcache= ('_spf_netblockso2.tivo.com', 'TXT') ['v=spf1
ip4:54.240.0.0/18 ip4:62.13.128.0/24 ip4:62.13.129.128/25
ip4:62.13.136.0/21 ip4:62.13.144.0/21 ip4:62.13.152.0/23
ip4:63.128.21.0/24 ip4:63.131.159.146 ip4:63.131.159.151
ip4:64.78.17.176 ip4:65.17.254.100 ~all']
include: _spf_netblockso2.tivo.com "v=spf1 ip4:54.240.0.0/18
ip4:62.13.128.0/24 ip4:62.13.129.128/25 ip4:62.13.136.0/21
ip4:62.13.144.0/21 ip4:62.13.152.0/23 ip4:63.128.21.0/24
ip4:63.131.159.146 ip4:63.131.159.151 ip4:64.78.17.176 ip4:65.17.254.100
~all"
result= ('_spf_netblockso3.tivo.com', 'TXT') ['v=spf1
ip4:65.17.254.108/31 ip4:65.213.152.14/31 include:
spf.protection.outlook.com ~all']
addcache= ('_spf_netblockso3.tivo.com', 'TXT') ['v=spf1
ip4:65.17.254.108/31 ip4:65.213.152.14/31 include:
spf.protection.outlook.com ~all']
include: _spf_netblockso3.tivo.com "v=spf1 ip4:65.17.254.108/31
ip4:65.213.152.14/31 include: spf.protection.outlook.com ~all"
result: ('permerror', 550, 'SPF Permanent Error:
_spf_netblockso3.tivo.com empty domain:: include:') None
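
[Added example, not part of the original message and not pyspf code.] A static lint that reproduces the three permerror classes discussed above (multiple SPF records, more than 10 DNS-querying terms with the count reported, and an empty domain after "include:"). Unlike evaluation for a single IP, which stops at the first match, it walks the whole include tree. The ZONE data, the example.* names and the function names are constructed for illustration.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

class PermError(Exception):
    pass

# Constructed TXT data under made-up example names; not real DNS content.
ZONE = {
    "dup.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    "gap.example": ["MS=ms0000", "v=spf1 include:_nb.gap.example ~all"],
    "_nb.gap.example": ["v=spf1 ip4:192.0.2.0/24 include: spf.example.net ~all"],
    "big.example": ["v=spf1 mx " + " ".join("include:i%d.big.example" % i for i in range(11)) + " ~all"],
}
ZONE.update({"i%d.big.example" % i: ["v=spf1 ip4:198.51.100.%d -all" % i] for i in range(11)})

def spf_record(domain, zone):
    recs = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(recs) > 1:
        raise PermError("Two or more type TXT spf records found: " + domain)
    return recs[0] if recs else None

def count_lookups(domain, zone, path=()):
    """Count every DNS-querying term in the whole tree, not just up to a match."""
    if domain in path:
        raise PermError("include loop at " + domain)
    total = 0
    for term in (spf_record(domain, zone) or "").split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:([:=])(.*)|/.*)?$", term.lower().lstrip("+-~?"))
        if not m or m.group(1) not in DNS_TERMS:
            continue  # ip4/ip6/all and unrecognised terms cost no lookup here
        name, sep, arg = m.groups()
        if (sep or name in ("include", "redirect")) and not arg:
            raise PermError("%s empty domain: %s" % (domain, term))
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    try:
        n = count_lookups(domain, zone)
    except PermError as e:
        return ("permerror", str(e))
    if n > LOOKUP_LIMIT:
        return ("permerror", "Too many DNS lookups: %d (limit %d)" % (n, LOOKUP_LIMIT))
    return ("ok", "%d DNS lookups" % n)
```
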