[spfbis] Question about SPF checks based on RFC 7208
"Frank Bulk" <frnkblk@iname.com> Sun, 01 May 2016 00:45 UTC
Return-Path: <frnkblk@iname.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1C9712D10F for <spfbis@ietfa.amsl.com>; Sat, 30 Apr 2016 17:45:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, SPF_FAIL=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5QywFmm2Ut1m for <spfbis@ietfa.amsl.com>; Sat, 30 Apr 2016 17:45:44 -0700 (PDT)
Received: from premieronline.net (mail.premieronline.net [IPv6:2607:fe28:0:4000::20]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F066612B018 for <spfbis@ietf.org>; Sat, 30 Apr 2016 17:45:43 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=199.120.69.4;
Received: from FBULKPC (unverified [199.120.69.4]) by premieronline.net (SurgeMail 7.1e) with ESMTP id 81941282-1729245 for <spfbis@ietf.org>; Sat, 30 Apr 2016 19:45:41 -0500
From: Frank Bulk <frnkblk@iname.com>
To: spfbis@ietf.org
Date: Sat, 30 Apr 2016 19:45:40 -0500
Message-ID: <002101d1a342$c93e3000$5bba9000$@iname.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdGjQUiwgr7sDCPlS+CRYh0ldjGGZQ==
Content-Language: en-us
X-Originating-IP: 199.120.69.4
X-Virus-Status: Clean
X-Virus-Scanned: ClamAV 0.99/21511/Sat Apr 30 11:38:04 2016 v0.65-36
X-SpamDetect: ********: 8.0 sd=8.0 0.87((!X-Verify-Helo:+OK), (X-myrbl:unknown)) [nnot=0, ng=0, nsum=0, nb=0, nw=0, 4.82]
X-Aspam: Words 0.0 -bearings -quotation -truck +returned -pivot -scales -sizes -friction -2nd
X-Aspam: External-IP matched 199.120.69 2.0
X-Aspam: Best match was sample aspam_good\m5.msg
X-Aspam: Total 2.0
X-LangGuess: English
X-MyRbl: Color=Unknown (rbl) Age=0 Spam=0 Notspam=0 Stars=0 Good=13 Friend=0 Surbl=0 Catch=0 r=0 ip=199.120.69.4
X-IP-stats: Incoming Last 0, First 136, in=6783, out=0, spam=0 ip=199.120.69.4
Archived-At: <http://mailarchive.ietf.org/arch/msg/spfbis/jOVvQM1zn9EGxEXz6tDwUBl1Nf0>
Subject: [spfbis] Question about SPF checks based on RFC 7208
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 May 2016 00:45:46 -0000
While working through a SPF failure for a message sent from our IPv6-capable email server (for premieronline.net), I ran an across an SPF checker (http://vamsoft.com/support/tools/spf-policy-tester) that had a hard fail when these values were entered: 2607:fe28:0:4000::20 fbulk@premieronline.net premieronline.net's record is as follow: v=spf1 mx ip4:96.31.0.0/24 ip6:2607:fe28:0:1000::/64 ip6:2607:fe28:0:4000::/64 ~all The tool tries to work through the MX records of premieronline.net, but for some reason it specifically queries for an AAAA for each MX record, of which we don't have one (because our inbound email gateway does not yet support IPv6). Since we have four MX records, it work through two of them (which both fail) and then the tool hard fails saying that, "The maximum void DNS lookup limit of 2 has been exceeded during the evaluation (see RFC7208 Section 4.6.4.)." This is the only SPF tool to fail in this way, which makes we wonder if it's the site's SPF checking methodology for RFC 7208 section 5.4 is correct. If so, and other email gateways have implemented their SPF checking in the same way, there could be more incorrect SPF evaluation checks out there. If the site's SPF checking methodology is incorrect, can you point me to a section in any RFC that would suggest a better/proper approach? Either way, does RFC 7208 need some clarification on this matter? My guess is that "it performs an address lookup on each MX name" is not equivalent to "check for an AAAA on each MX name and check for an A on each MX name", but I'm not sure. Frank 5.4. "mx" This mechanism matches if <ip> is one of the MX hosts for a domain name. mx = "mx" [ ":" domain-spec ] [ dual-cidr-length ] check_host() first performs an MX lookup on the <target-name>. Then it performs an address lookup on each MX name returned. The <ip> is compared to each returned IP address. To prevent denial-of-service (DoS) attacks, the processing limits defined in Section 4.6.4 MUST be followed. If the MX lookup limit is exceeded, then "permerror" is returned and the evaluation is terminated. If any address matches, the mechanism matches. Note regarding implicit MXes: If the <target-name> has no MX record, check_host() MUST NOT apply the implicit MX rules of [RFC5321] by querying for an A or AAAA record for the same name.
- Re: [spfbis] Question about SPF checks based on R… S Moonesamy
- Re: [spfbis] Question about SPF checks based on R… Frank Bulk
- [spfbis] Question about SPF checks based on RFC 7… Frank Bulk
- Re: [spfbis] Question about SPF checks based on R… Scott Kitterman
- Re: [spfbis] Question about SPF checks based on R… Kurt Andersen
- Re: [spfbis] Question about SPF checks based on R… Stuart Gathman
- Re: [spfbis] Question about SPF checks based on R… Scott Kitterman
- Re: [spfbis] Question about SPF checks based on R… Stuart D. Gathman
- Re: [spfbis] Question about SPF checks based on R… Scott Kitterman
- Re: [spfbis] Question about SPF checks based on R… frnkblk
- Re: [spfbis] Question about SPF checks based on R… S Moonesamy
- Re: [spfbis] Question about SPF checks based on R… Kurt Andersen
- Re: [spfbis] Question about SPF checks based on R… S Moonesamy
- Re: [spfbis] Question about SPF checks based on R… Murray S. Kucherawy
- Re: [spfbis] Question about SPF checks based on R… Kurt Andersen
- Re: [spfbis] Question about SPF checks based on R… Stuart Gathman
- Re: [spfbis] Question about SPF checks based on R… Scott Kitterman