IETF Logo Mail Archive

[spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies

Mark Alley <mark.alley@tekmarc.com> Fri, 13 January 2023 20:09 UTC

Return-Path: <mark.alley@tekmarc.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94EBEC16FE21 for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2023 12:09:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tekmarc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8MXJuU-ovkPQ for <spfbis@ietfa.amsl.com>; Fri, 13 Jan 2023 12:09:07 -0800 (PST)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F368C16FE20 for <spfbis@ietf.org>; Fri, 13 Jan 2023 12:09:07 -0800 (PST)
Received: by mail-qt1-x835.google.com with SMTP id y7so1486236qtv.5 for <spfbis@ietf.org>; Fri, 13 Jan 2023 12:09:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tekmarc.com; s=google; h=subject:to:autocrypt:from:content-language:user-agent:mime-version :date:message-id:from:to:cc:subject:date:message-id:reply-to; bh=ZuX1xl+GbHpaL5msGPd2JnNrWE6hYRleCKF/Q864hfk=; b=QonXUPflsZPu0HdYxqsKuGdkaQwn9bOpHSLy1vnlID1Zc3dQufnkHu7b60f2J7GtGi zJg1SzySfGE2SuQon+Hm1K6I16nyvOxGMDGRkbVXdnW7rzR6wf7dOF25ilD2V0u6Txjm ANQXZjZYDedxserHEvOW95XHZGMx3OffGzCenaaWB1CN/rvNI4WIbyXU9CltSF6AR0o7 28rgRHOHXyR0eAv/bQXA2YzeAq9JdEGi28L7vUX+y7xyxyeGpiqmzFw3EWqVwFMHbYsu QCXJrsiB5B9/cHWQDZoHNCaMNbZhMVdfnlXmMjb0mWu4i55zqcpgf/ItuqFC2J5BNDsz enNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=subject:to:autocrypt:from:content-language:user-agent:mime-version :date:message-id:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ZuX1xl+GbHpaL5msGPd2JnNrWE6hYRleCKF/Q864hfk=; b=AzhqpKLUPNhI/TkYsAXGpeLS7a2lUNwFXfPFx0QR1JOour8c6yNrabU5YPP8oYgKIm culVt5czSQiTrZeMlI/IkdS2Y6k0u6tow74rq3eoeOgCvM6GSG0bqBkMAoS+6d1ZOJco C27dN9E41cq1bSm+bejrbiVi2bmmQLIUG8TpO+nyenZRETuAVbKvF8/34cirbE3fv7mE 774Kw3aE1Ue46EhcYXZ6RutZlDL+BSRnPDonHq/KQMShSaBK5V6GmK1g3iPVZFtjog7A UWpCHmoT6p0pMmpkcHJ2X3haiVi1tWztPkcxNWNeZvHSLfV/D28W+vjuQ291cgANYlaQ 1t+w==
X-Gm-Message-State: AFqh2kqyN/hKWxXoLI/UBLr4P9Ulb8cOq7Ym/WpIr2QBwqcN0/36qj8Y 7ujGVQc//ublPIC7kpwEmqav4rez4AJ9LpMnbOY=
X-Google-Smtp-Source: AMrXdXvR5Gi4c8GkGPp1LElXjWe4WZXetmL8lyRn/hYkuL8Q/pR0WR7X/U5DqUwOqyt2lNddYdJkVg==
X-Received: by 2002:ac8:5299:0:b0:3a8:15d2:6e8e with SMTP id s25-20020ac85299000000b003a815d26e8emr102695738qtn.41.1673640545365; Fri, 13 Jan 2023 12:09:05 -0800 (PST)
Received: from [192.168.2.20] (162-238-103-217.lightspeed.brhmal.sbcglobal.net. [162.238.103.217]) by smtp.gmail.com with ESMTPSA id t1-20020ac86a01000000b003a7e4129f83sm10907560qtr.85.2023.01.13.12.09.04 for <spfbis@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 13 Jan 2023 12:09:04 -0800 (PST)
Message-ID: <79ac443e-b0ee-6598-cec0-9cf32c3dc1d1@tekmarc.com>
Date: Fri, 13 Jan 2023 14:09:03 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
From: Mark Alley <mark.alley@tekmarc.com>
Autocrypt: addr=mark.alley@tekmarc.com; keydata= xsFNBGOqGVEBEAC4wlUuECSqCjZgjn2sFPxBDm1jN66t7kFm5KyjjHYBey1HTjrjJTmb3XQB /zbTSWZPN96HNA5j3EH/TGfN4SogIgFiLkznOHooMECdCdtr8ARE9EesWQmfB96Q5XGga3FW 4MuXzNOAcQHmN1evG/dMUrGGsa2bUUWfa70FM1eM8xNspkZGmvyPAvsEP39xnaMFoqYkvYBB At2IHadM1mgDd2vWCUF31K8CSwin8RIbMehfny99Jbee6toz4qdJGjKK6ZQG3iDrMqiAEAEb NxAvZ0LPLgBF5/NDw6DVkfVOyN3Cnu7QIo3o1g5NhfhabDHctuH3AlbUsoW0lewNEbbok6Rp 9uktfiTZImvLMoMFOf30GrrViCwCOa51A/LIP68QWSTR/fEBatMD+KbaKJekTW47+7TfLfat hVLCq3wA3s5mVyJBLk0Vsv9aFgDMQJvqU7auOC3mLubwYbO9CVtd24JibeayMl7PGeNf7g2k PUHAR+6vZosFJCDZc1gOeQiZr8N7ZFPopsBmY28tzI3ejGohxcmJw+8NNt2leTgNvLtMZw+J jV8yHETIUdJvQmj5ed3uvoVZo4jLhU/sp2xO7LajsxtWpUMLcfbLAYDsL0E/bMIZsfyiRew3 JVOLpuAoc9yjkFbdfVyCxSERcc/IPX6C2bgwio7fuevNWhPqNwARAQABzSNNYXJrIEFsbGV5 IDxtYXJrLmFsbGV5QHRla21hcmMuY29tPsLBhwQTAQgAMRYhBHSDfsuM4bG2uOcUm+N6I8TQ TwQJBQJjqhlYAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ43ojxNBPBAnW/g/+J9vwKOHRIOwS FW804/SwlgE308OJmKiJuTJV7MKWw5zRZ7Ct9dO6W2Rzl8eQOHtUk1tTfsWHdSvjvW2k5C2F IK6twVOgjPnkbVra+jktVE7tdBJPy9FXWHmlbU+UjNr3VGX+qktBbWu2WKRwjLg9NaZhXQBH LRLHGGkj/VXVvAsqWh6G+UJbXnz+RwMv77JKrpOlx1vD2AOlXPRLb7ZgBWc2hn+gtAxX3Jmb TTnJMV3tTvIR82M0m/c/4vEj6IV3egRuNmgRHEEeRJi3VYGOF6UTA4mZaeNKLzF35bM0shHS KzS9scGWKnbYKfmITeJViw5pCk0nkYMXRjRrX5i2XebltBO06yLBqeq0xxn7vjVD+WA6mfEv 4AxoUYNP9sDuTwulccujHjOwo+832cfN1d0HYkpWzOBRvvksiekaMQrxt25dpvTjJmwh8GHc Cs1tD1Oqj03TKv9uJ6ANFBOBKWk3tpNp498BTBRr8ZqCyz3zL/3nZRBtM3aKx3vSGTKXgvy2 c5lTPe/ksmRjC+gndDSwSNLFnL7lGOobdAX5MqfjlJiONlAq180zDDVBMzVzdZwnCFU4yWdU A1x1HFSW35wuLEFdYp3tsTTUGrUARe1b4gQsGWlP5I39XVuW61nNI/uyAauFcx+2LID1Yjkq 60FGqL0rlxURpOe6jyEOk+vOwU0EY6oZWQEQALk2rfhVplWFecVk7RgX2F7S/FRwK99hKRf/ CNCvkG0UXBUq9H6p6I0AJNb4bxrEy8iJuffSWlSAC07Ofg3UA8UWKgzxmqeERaN4UO1NJAoU 1DWxDoBaeqiEC7/7yJc0aLhxvm5OwNQykZwVdJ/xgFQ3VBkJn+P1KZ7UTXaAg7gvAWh4znPY CDzvWkvGGbJcJzY5+QZQYjVEP1ZDqsCZymLU4KKI5DfA+jYggPR+/hWwadZ3KMGVOd7CzvSZ KP3bhA6FyR+szzRh+xH/MJyVZl1KrASz62ZZ7TmcNfLWSnQqZq736fVm6bdVOHMwlFq2ndGi 1TABqX2Bzvbkq3EMw/fIWeyK/vSw2433XtUF3qo/WYPUPdBJAO3wWTTxCeLcguFSJRMX2Myc vAT/pXdIo0/AFOLzQzBAOJWNPkUG7NcYMZlMBCzJaxvCgw/hQym/YUA6oG3k45X55JeCSV8j uRL4RAedvvc5dxdOPOpmou41IjyYqX0rKUSFDnyWh1gvYvSxcEHS6V4zoHBhBjf6oh6unLx6 DLAMuT4yl/8Kc7zVvSJMsB0onXo5Ag1pjEJ6NDTZMf1UXLjVc4CG1nSmQnVwsjB6RU9zD9Di 1P12TRUpUUw7NkM5kbPUZpONLdRQN79MiPIatUyGawIYROMtbGAM3qlLMtGV5eNykiw+Xl/h ABEBAAHCwXYEGAEIACAWIQR0g37LjOGxtrjnFJvjeiPE0E8ECQUCY6oZXwIbDAAKCRDjeiPE 0E8ECWEgD/9BSRPBYtbeU7hQj/7LScdWVngzSvLpGXRPCfTNRTAEEjitVHnJ99XHnAib6y0p 1e/0Gtm9m2n3/zGNA4w/tEf9FRWdlL+3GMlY963XWW5RjKxABF0GuKUENNM9MZ0f+wvyhyEW DJ8ep+3eqgaW4/wssbad1Eww26gYIKnBThNnVNvDYZztzAYHk3ayoD3ewPzbDyaosCBTE0fh voMyrcYN74oHdHx6o2irX22TiZ0+D/PQ+33oS9/sirPuw6Li+ED5A/81h7/CuT6gLDHKkuW/ 6mRAoTdOOV6c8c6V95NoNSAioIFFPqKZYIfX03IqqRst+HuOKOavERFmeoXANTDNRNR7/1rt vW8J9tarMH5N9VMewM9ktju2iuAs8nzuDhpctmGNdf7s4CWsoAlHuTleECEMBWHkHyIt5VjI XhtOJUl0BRmzkxKb6vJS5J8w/co61Ovq6ya3RsqsBEqc/szR8kX2m6n2nOPJmqTsHUe+XXMq +M9CZVlOrXkDoVCCbs6P8QuhNDcWqOkGYXIsDGQavclPaHwwsvf8Z3Wu73kQcMWdzmr8W7A4 hlVr9qLSLxJCn9ZLz84Fon4nPlGrfBQpKtB5gvyTCw6Kq5ca7FMtVkeiIn2HI+6Um8ytK1K7 N008Qxh74D6PI7S7gJt1SzBmAcQOL8omJng61C5B1fUncg==
To: spfbis@ietf.org
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------EklvLrB0f9xWnutFGv4Lqqvi"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/cNJeFvdVotoLqu8YmoV3oJAKwTM>
Subject: [spfbis] RFC7208 4.6.4 Interpretation - MX Lookup Count Inconsistencies
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2023 20:09:11 -0000

Hi all, I have two questions about section 4.6.4 regarding "mx" 
mechanism DNS lookup counts during SPF evaluation that I would like some 
guidance on. I haven't been able to find anything regarding this topic 
specifically in the ML archive aside from one niche topic relating to 
the MX AAAA ipv6 queries counting as void lookups.

------------------------------------

First, checking logic implementations of the "mx" mechanism DNS lookup 
count of various SPF validator tools compared to the logic described in 
section 4.6.4, I discovered implementation inconsistencies that have led 
me to question what the "correct" logic is for counting MX lookups in an 
SPF record. There are 12 SPF validators on the internet that seem to 
skip over this during lookup counting (many from well-established 
vendors), and only 3 that do not.

So, given this, based on the below information, which is the correct 
counting interpretation?

There is a domain - katrinafox.com - which has an SPF record that looks 
like this:

/v=spf1 +a +mx +ip4:35.213.205.66 include:_spf.mailspamprotection.com ~all/

Breaking down DNS lookups manually, we get this:

1 - "a" mechanism

4 - "mx" mechanism (1 initial MX record lookup, +3 A/AAAA MX names returned)

4 - "include" mechanism (1 initial include lookup, +3 recursive includes)

Per the first paragraph of section 4.6.4, it reads as such: "/When 
evaluating the "mx" mechanism, the number of "MX" resource//records 
queried is included in the overall limit of 10 mechanisms///modifiers 
that cause DNS lookups as described above."/

My interpretation is that the language is clear; the MX names (A/AAAA 
RRs) returned by the MX query are counted against the overall 10 lookup 
count of the evaluated SPF record. Leaving this domain's SPF record with 
a total of 9 lookups. However, the overwhelming majority of SPF 
validator tools (and I haven't even started researching receiver-side 
logic implementations of this yet) seem to implement this /skipping/ the 
MX query returned names as part of the lookup count, which leaves the 
lookup count for this domain at 6.

------------------------------------

Second, addressing the second sentence of the second paragraph in 4.6.4 
(which continues the context of the last above question): "/In addition 
to that limit, the evaluation of each "MX" record MUST NOT result in 
querying more than 10 address records -- either "A" or "AAAA" resource 
records./"

There seems to be the same inconsistencies among SPF validator tools for 
this logic as well. Three tools, one being MXtoolbox, say this domain 
has "too many IP addresses returned from the MX query" (of which there 
are well over 10 total), which results in their evaluation returning 
"permerror".

It seems some implementors have interpreted the "10 address records" 
phrase to mean "/the number of IP address records //resulting //from an 
MX name A/AAAA RR query/", rather than "/the total sum of the MX names 
themselves/", as would seem described by the section's language. Of my 
interpretation from this section's language, it would seem this domain 
should exceed neither the SPF lookup count, nor the MX A/AAAA query count.

Which is the most accurate interpretation of this section?

Thanks,

- Mark Alley

v2.23.0 | Report a Bug | By Email