Re: [spfbis] Question about SPF checks based on RFC 7208

Kurt Andersen <> Sun, 01 May 2016 04:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6D18512B029 for <>; Sat, 30 Apr 2016 21:14:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DTnG9P2091gH for <>; Sat, 30 Apr 2016 21:14:37 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D026712B016 for <>; Sat, 30 Apr 2016 21:14:37 -0700 (PDT)
Received: by with SMTP id d62so142254152iof.2 for <>; Sat, 30 Apr 2016 21:14:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130612; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=OFwnhRd8UYhH3vNdB50gused74t3ZJtwcz3Wrm2cI9I=; b=e+uAY1mejV5KKna9Duza1hXsWOnmnjNXhb4yP6eEUxqYqiTTJONISdeZarLTFlm5vt eB2CD/5+F2DNqvv7r2qsemxZHD0sEC8F/ql3H41DmB5cGSi8kH/DnmI6DUSJqh3paP+A erQW8zmegQLIyq2vwnQMOktpm4uEUYa3VBWuk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=OFwnhRd8UYhH3vNdB50gused74t3ZJtwcz3Wrm2cI9I=; b=WCOeLmtHTeSOjlgvAMJeiQLvyskTLiCjy8cD52rWbm0VrbFMqJxNZpPv7h4506C7j3 bAPB64f2Iv2f9+YyOFtLQ5iU5INjs9JsTErcYS5cBWtuvbmma0zmI9jhwSMV9PItxQDy 4rvoLTewWIrNp71Yfna3ZFOUCtgJeza6yCfXLa7qhysp05o0mmrgXp3lWun+kNu2y9e5 Z+ix8s+qwUYGQpuhghWdU9Maty+PQHEFx3QinA8i+b2zLVJNrANLaMhaErsHqaBNpVD1 D/wpWbL03xWBYJYy7OPyQjRwwaA8+uYCCZ6Ff+BxVLL7jdGNEM+F9pyTDoc8/hhzaBrt zqFA==
X-Gm-Message-State: AOPr4FUTtc5xRhMXP4KGwnG/q0lGNBo43r9IRjz2DW0YVrHYxPv8pyCYtiVGTVtaY9/GbIAu+bSJbAZ0tUn0sA==
MIME-Version: 1.0
X-Received: by with SMTP id c72mr34264596iod.102.1462076077186; Sat, 30 Apr 2016 21:14:37 -0700 (PDT)
Received: by with HTTP; Sat, 30 Apr 2016 21:14:37 -0700 (PDT)
In-Reply-To: <>
References: <002101d1a342$c93e3000$5bba9000$> <>
Date: Sat, 30 Apr 2016 21:14:37 -0700
Message-ID: <>
From: Kurt Andersen <>
To: Scott Kitterman <>
Content-Type: multipart/alternative; boundary=001a113f99b03763620531c01d06
Archived-At: <>
Cc: "" <>
Subject: Re: [spfbis] Question about SPF checks based on RFC 7208
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SPFbis discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 01 May 2016 04:14:40 -0000

On Sat, Apr 30, 2016 at 6:08 PM, Scott Kitterman <>; wrote:

> I think they are just wrong.  If either an IPv4 or IPv6 address is
> returned it's not a void look up.  That's described at the end of 4.6.4 and
> is, I think clear.  I'd report it as a bug.
> Scott K

Scott, your own analysis tool also has a problem with the scenario that was
described as do several others that I checked. When the connection is
coming in on an IPv6 connection, it seems that only AAAA records are being
sought in the resolution of the MX records into IP addresses. When the
first two that are checked result in no AAAA found, it is more or less
game-over according to the 7208 spec. This seems like a lurking time-bomb
in SPF as people begin sending mail on IPv6, potentially before they enable
inbound connections on IPv6.

--Kurt Andersen