[spfbis] Question about SPF checks based on RFC 7208

"Frank Bulk" <frnkblk@iname.com> Sun, 01 May 2016 00:45 UTC

Return-Path: <frnkblk@iname.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id C1C9712D10F for <spfbis@ietfa.amsl.com>; Sat, 30 Apr 2016 17:45:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, SPF_FAIL=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 5QywFmm2Ut1m for <spfbis@ietfa.amsl.com>; Sat, 30 Apr 2016 17:45:44 -0700 (PDT)
Received: from premieronline.net (mail.premieronline.net [IPv6:2607:fe28:0:4000::20]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F066612B018 for <spfbis@ietf.org>; Sat, 30 Apr 2016 17:45:43 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=;
Received: from FBULKPC (unverified []) by premieronline.net (SurgeMail 7.1e) with ESMTP id 81941282-1729245 for <spfbis@ietf.org>; Sat, 30 Apr 2016 19:45:41 -0500
From: "Frank Bulk" <frnkblk@iname.com>
To: <spfbis@ietf.org>
Date: Sat, 30 Apr 2016 19:45:40 -0500
Message-ID: <002101d1a342$c93e3000$5bba9000$@iname.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdGjQUiwgr7sDCPlS+CRYh0ldjGGZQ==
Content-Language: en-us
X-Virus-Status: Clean
X-Virus-Scanned: ClamAV 0.99/21511/Sat Apr 30 11:38:04 2016 v0.65-36
X-SpamDetect: ********: 8.0 sd=8.0 0.87((!X-Verify-Helo:+OK), (X-myrbl:unknown)) [nnot=0, ng=0, nsum=0, nb=0, nw=0, 4.82]
X-Aspam: Words 0.0 -bearings -quotation -truck +returned -pivot -scales -sizes -friction -2nd
X-Aspam: External-IP matched 199.120.69 2.0
X-Aspam: Best match was sample aspam_good\m5.msg
X-Aspam: Total 2.0
X-LangGuess: English
X-MyRbl: Color=Unknown (rbl) Age=0 Spam=0 Notspam=0 Stars=0 Good=13 Friend=0 Surbl=0 Catch=0 r=0 ip=
X-IP-stats: Incoming Last 0, First 136, in=6783, out=0, spam=0 ip=
Archived-At: <http://mailarchive.ietf.org/arch/msg/spfbis/jOVvQM1zn9EGxEXz6tDwUBl1Nf0>
Subject: [spfbis] Question about SPF checks based on RFC 7208
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 May 2016 00:45:46 -0000

While working through a SPF failure for a message sent from our IPv6-capable
email server (for premieronline.net), I ran an across an SPF checker
(http://vamsoft.com/support/tools/spf-policy-tester) that had a hard fail
when these values were entered:

premieronline.net's record is as follow:
	v=spf1 mx ip4: ip6:2607:fe28:0:1000::/64
ip6:2607:fe28:0:4000::/64 ~all

The tool tries to work through the MX records of premieronline.net, but for
some reason it specifically queries for an AAAA for each MX record, of which
we don't have one (because our inbound email gateway does not yet support
IPv6).  Since we have four MX records, it work through two of them (which
both fail) and then the tool hard fails saying that,
	"The maximum void DNS lookup limit of 2 has been exceeded during the
evaluation (see RFC7208 Section 4.6.4.)."

This is the only SPF tool to fail in this way, which makes we wonder if it's
the site's SPF checking methodology for RFC 7208 section 5.4 is correct.  If
so, and other email gateways have implemented their SPF checking in the same
way, there could be more incorrect SPF evaluation checks out there.  If the
site's SPF checking methodology is incorrect, can you point me to a section
in any RFC that would suggest a better/proper approach?

Either way, does RFC 7208 need some clarification on this matter?  My guess
is that "it performs an address lookup on each MX name" is not equivalent to
"check for an AAAA on each MX name and check for an A on each MX name", but
I'm not sure.


5.4.  "mx"

   This mechanism matches if <ip> is one of the MX hosts for a domain

   mx               = "mx"     [ ":" domain-spec ] [ dual-cidr-length ]

   check_host() first performs an MX lookup on the <target-name>.  Then
   it performs an address lookup on each MX name returned.  The <ip> is
   compared to each returned IP address.  To prevent denial-of-service
   (DoS) attacks, the processing limits defined in Section 4.6.4 MUST be
   followed.  If the MX lookup limit is exceeded, then "permerror" is
   returned and the evaluation is terminated.  If any address matches,
   the mechanism matches.

   Note regarding implicit MXes: If the <target-name> has no MX record,
   check_host() MUST NOT apply the implicit MX rules of [RFC5321] by
   querying for an A or AAAA record for the same name.