2006-05-24

Sender Policy Framework (SPF): use of IP addresses in a records

Minor dispute with a supplier over the correct implementation of SPF.

For those who don't know, SPF (Sender Policy Framework) is a mechanism for publishing, in DNS, which machines are allowed to send mail on behalf of a domain, so that a receiving mail server can check the connecting client's IP address against that policy. For more, see the website at http://www.openspf.org

One of our suppliers uses IP addresses as the argument of the a mechanism (i.e. a:w.x.y.z) in their SPF record, which I think breaks the spec. Here's my interpretation of the final SPF spec, RFC 4408.

http://new.openspf.org/svn/project/specs/rfc4408.html#mech-a and http://new.openspf.org/svn/project/specs/rfc4408.html#anchor22

Taken together, these say that the argument of an a mechanism must be a domain name (a domain-spec in the grammar, normally a fully qualified host name), never an IP address; the ip4 and ip6 mechanisms exist for literal addresses. Horribly, the SPF wizard permits IP addresses in the a entries, although if you start the wizard from scratch you will see that it says "regular host names" next to them. The SPF practice of allowing a CIDR length to be attached to a host name is pretty confusing too: mx.blogger.com/24 means look up the A record(s) of mx.blogger.com and then treat every address in the same /24 block (256 addresses, the old class C size) as authorised to send mail for the domain.

Crucially, the rules for how a receiving mail server implements check_host() say that

"After one SPF record has been selected, the check_host() function parses and interprets it to find a result for the current test. If there are any syntax errors, check_host() returns immediately with the result "PermError".

http://new.openspf.org/svn/project/specs/rfc4408.html#anchor18

I.e. a syntax error anywhere in the record invalidates the whole record: the result is PermError, irrespective of whether other mechanisms in that record are valid or would have matched the sending host.

The SPF validator at http://www.kitterman.com/spf/validate.html therefore returns a permanent error for a domain whose record has an IP address as the argument of an a mechanism:

Results - PermError SPF Permanent Error: Use the ip4 mechanism for ip4 addresses: a:w.x.y.z

This SPF validator is built on the pymilter tools, which are used for live SPF checking by some sendmail installations, so the supplier's mail would get the same PermError from real receivers, not just from the web form.
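To make the two points above concrete (the a:host/CIDR semantics, and the whole-record PermError on a syntax error), here is an added example, written for this post and not taken from pyspf or any other implementation. It is a deliberately stripped-down check_host() that understands only the a, ip4 and all mechanisms, ignores macros, and replaces DNS with a constructed table of A records for the hypothetical hosts mx.blogger.com and mail.example.net.

```python
import ipaddress
import re

# Constructed stand-in for DNS A lookups (hypothetical data, not real records).
FAKE_A_RECORDS = {
    "mx.blogger.com": ["192.0.2.10"],
    "mail.example.net": ["198.51.100.7", "198.51.100.8"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfSyntaxError(ValueError):
    """Any syntax error in the record; check_host() turns it into PermError."""


def is_domain_spec(name):
    """RFC 4408 domain-spec (macros ignored): dot-separated labels of letters,
    digits and hyphens, and the last label must contain a letter or a hyphen.
    That last rule is what makes '192.0.2.1' fail: its toplabel '1' is all digits."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    for label in labels:
        if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?", label):
            return False
    return re.search(r"[A-Za-z-]", labels[-1]) is not None


def parse_term(term, current_domain):
    """Parse one mechanism into (qualifier, name, argument, ip4 CIDR length)."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, sep, rest = term.partition(":")
    # A CIDR length may follow the name directly ("a/24") or the host ("a:host/24").
    if sep:
        rest, slash, cidr = rest.partition("/")
    else:
        name, slash, cidr = name.partition("/")
    name = name.lower()
    cidr4 = 32
    if slash:
        v4len = cidr.split("//")[0]          # dual-cidr "24//64": keep the ip4 part
        if v4len == "":
            pass                             # "//64" gives only an ip6 length
        elif v4len.isdigit() and int(v4len) <= 32:
            cidr4 = int(v4len)
        else:
            raise SpfSyntaxError(f"bad CIDR length in {term!r}")
    if name == "all":
        if rest or slash:
            raise SpfSyntaxError("all takes no argument")
        return qualifier, name, None, None
    if name == "ip4":
        try:
            net = ipaddress.IPv4Network(f"{rest}/{cidr4}", strict=False)
        except ValueError as exc:
            raise SpfSyntaxError(f"bad ip4 argument {rest!r}") from exc
        return qualifier, name, net, None
    if name == "a":
        host = rest or current_domain
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass                             # not an IP literal, as it should be
        else:
            # The supplier's mistake: an address where a domain name is required.
            raise SpfSyntaxError(f"Use the ip4 mechanism for ip4 addresses: a:{host}")
        if not is_domain_spec(host):
            raise SpfSyntaxError(f"a argument is not a domain name: {host!r}")
        return qualifier, name, host.lower().rstrip("."), cidr4
    raise SpfSyntaxError(f"unknown mechanism {name!r}")


def check_host(record, sender_ip, domain, resolver=FAKE_A_RECORDS):
    """Simplified RFC 4408 check_host(): the whole record is parsed before any
    mechanism is evaluated, so one bad term yields PermError even when an earlier
    mechanism would have matched the sender."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", "not an SPF record"
    try:
        parsed = [parse_term(t, domain) for t in terms[1:]]
    except SpfSyntaxError as exc:
        return "permerror", str(exc)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg, cidr4 in parsed:
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in arg
        else:  # "a": every A record of the host, widened to the CIDR length
            matched = any(
                ip in ipaddress.IPv4Network(f"{addr}/{cidr4}", strict=False)
                for addr in resolver.get(arg, [])
            )
        if matched:
            return QUALIFIERS[qualifier], f"matched {name}"
    return "neutral", "no mechanism matched"
```

Running check_host("v=spf1 ip4:198.51.100.0/24 a:192.0.2.5 -all", "198.51.100.7", "example.net") returns permerror with the same message the Kitterman validator prints, even though the ip4 mechanism alone would have passed that sender; change the offending term to ip4:192.0.2.5 and the record evaluates normally. The a:mx.blogger.com/24 case shows the CIDR widening: 192.0.2.77 passes although the host's only A record is 192.0.2.10.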