Re: [spfbis] Question about SPF checks based on RFC 7208

Scott Kitterman <> Sun, 01 May 2016 01:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 38FD612B045 for <>; Sat, 30 Apr 2016 18:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2nFAPRSlFPRc for <>; Sat, 30 Apr 2016 18:08:53 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CA22E12D1AD for <>; Sat, 30 Apr 2016 18:08:53 -0700 (PDT)
Received: from [] ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 940C2C40152; Sat, 30 Apr 2016 20:08:52 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=201409; t=1462064932; bh=buE9yMxuLcI7BksK7t/m/y2qFIlcMDfFH0AUdZLnx4A=; h=In-Reply-To:References:Subject:From:Date:To:From; b=nG4wpEs7hjrc9sDlEfmc2x1SyLrJrhipNwjW+qr5XOoMBRkyNHk4WtjcPzbL2QUFQ jl5gJRC4hSdxPraoR07yvhqKnW+JZ8B1wyTY0qbiTjls32uJj21Up00Nnx9v/5J/Oo 1GOdPlNDL0lY3CGjOpajvRdQG2hkpvVzVFP2Z23s=
User-Agent: K-9 Mail for Android
In-Reply-To: <002101d1a342$c93e3000$5bba9000$>
References: <002101d1a342$c93e3000$5bba9000$>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
From: Scott Kitterman <>
Date: Sat, 30 Apr 2016 21:08:50 -0400
Message-ID: <>
Archived-At: <>
Subject: Re: [spfbis] Question about SPF checks based on RFC 7208
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SPFbis discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 01 May 2016 01:08:56 -0000

On April 30, 2016 8:45:40 PM EDT, Frank Bulk <>; wrote:
>While working through a SPF failure for a message sent from our
>email server (for, I ran an across an SPF checker
>( that had a hard
>when these values were entered:
>	2607:fe28:0:4000::20
>'s record is as follow:
>	v=spf1 mx ip4: ip6:2607:fe28:0:1000::/64
>ip6:2607:fe28:0:4000::/64 ~all
>The tool tries to work through the MX records of, but
>some reason it specifically queries for an AAAA for each MX record, of
>we don't have one (because our inbound email gateway does not yet
>IPv6).  Since we have four MX records, it work through two of them
>both fail) and then the tool hard fails saying that,
>	"The maximum void DNS lookup limit of 2 has been exceeded during the
>evaluation (see RFC7208 Section 4.6.4.)."
>This is the only SPF tool to fail in this way, which makes we wonder if
>the site's SPF checking methodology for RFC 7208 section 5.4 is
>correct.  If
>so, and other email gateways have implemented their SPF checking in the
>way, there could be more incorrect SPF evaluation checks out there.  If
>site's SPF checking methodology is incorrect, can you point me to a
>in any RFC that would suggest a better/proper approach?
>Either way, does RFC 7208 need some clarification on this matter?  My
>is that "it performs an address lookup on each MX name" is not
>equivalent to
>"check for an AAAA on each MX name and check for an A on each MX name",
>I'm not sure.
>5.4.  "mx"
>   This mechanism matches if <ip> is one of the MX hosts for a domain
>   name.
>   mx               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]
>   check_host() first performs an MX lookup on the <target-name>.  Then
>   it performs an address lookup on each MX name returned.  The <ip> is
>   compared to each returned IP address.  To prevent denial-of-service
>  (DoS) attacks, the processing limits defined in Section 4.6.4 MUST be
>   followed.  If the MX lookup limit is exceeded, then "permerror" is
>   returned and the evaluation is terminated.  If any address matches,
>   the mechanism matches.
>   Note regarding implicit MXes: If the <target-name> has no MX record,
>   check_host() MUST NOT apply the implicit MX rules of [RFC5321] by
>   querying for an A or AAAA record for the same name.

I think they are just wrong.  If either an IPv4 or IPv6 address is returned it's not a void look up.  That's described at the end of 4.6.4 and is, I think clear.  I'd report it as a bug.

Scott K