Sender Policy Framework (SPF): use of IP addresses in "a" mechanisms
Minor dispute with a supplier over the correct implementation of SPF.
For those who don't know, SPF (Sender Policy Framework) is a system for declaring and checking which machines are allowed to send mail on behalf of which domains. For more, see the website at http://www.openspf.org
One of our suppliers puts IP addresses in the "a" mechanisms of their SPF record, which I think breaks the spec. Here's my interpretation of the final SPF spec (RFC 4408):
http://new.openspf.org/svn/project/specs/rfc4408.html#mech-a and http://new.openspf.org/svn/project/specs/rfc4408.html#anchor22
Taken together these say that the argument to an "a" mechanism must be a fully qualified domain name, not an IP address. Unhelpfully, the SPF wizard accepts IP addresses in the "a" field, although if you start the wizard from scratch it labels those entries "regular host names". SPF's practice of allowing a CIDR length to be attached to a hostname is confusing too: a:mx.blogger.com/24 means "look up the A record(s) of mx.blogger.com and treat any address in the same /24 as permitted to send mail for the domain".
Crucially, the rules for checking SPF at mail-acceptance time say that
"After one SPF record has been selected, the check_host() function parses and interprets it to find a result for the current test. If there are any syntax errors, check_host() returns immediately with the result "PermError".
http://new.openspf.org/svn/project/specs/rfc4408.html#anchor18
I.e. a syntax error anywhere in the record makes the whole check return PermError, irrespective of whether the remaining mechanisms are valid and would have matched.
The SPF validator at http://www.kitterman.com/spf/validate.html therefore fails a domain that has IP addresses in its "a" mechanisms:
Results - PermError SPF Permanent Error: Use the ip4 mechanism for ip4 addresses: a:w.x.y.z
This validator is built on the pyspf library from the pymilter project, which some sendmail installations use for SPF checking in production, so the supplier's record is not just failing a web form; it will be rejected by real receivers.
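To make the two points above concrete (the CIDR widening on an "a" mechanism, and the rule that one syntax error poisons the whole record), here is an added example of a small check_host() in Python. It is my own illustration, not code from this post, from pyspf or from the supplier's setup. It assumes a constructed in-memory table in place of real DNS A lookups, and it only understands the "all", "ip4" and "a" mechanisms with an IPv4 CIDR length; the error text for an IP literal in an "a" term is deliberately the same wording the validator printed above.

```python
import ipaddress
import re

# Constructed, offline stand-in for DNS A lookups (assumption, not real data).
FAKE_DNS_A = {
    "mx.blogger.com": ["192.0.2.25"],
    "mail.example.net": ["198.51.100.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# "a", "a:domain", "a/cidr" or "a:domain/cidr" (IPv4 CIDR length only here).
A_TERM = re.compile(r"^a(?::([^/]+))?(?:/(\d{1,3}))?$")


class PermError(Exception):
    """Any syntax error: RFC 4408 section 4.6 says the whole record fails."""


def looks_like_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_record(record, domain):
    """Parse a v=spf1 record into (qualifier, mechanism, argument) tuples.

    The whole record is parsed before anything is evaluated; that is what
    makes a bad "a:" term poison mechanisms that are themselves valid.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise PermError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            parsed.append((qual, "all", None))
        elif term.startswith("ip4:"):
            try:
                parsed.append((qual, "ip4", ipaddress.IPv4Network(term[4:], strict=False)))
            except ValueError:
                raise PermError(f"bad ip4 mechanism: {term}")
        else:
            m = A_TERM.match(term)
            if not m:
                raise PermError(f"unsupported or malformed term: {term}")
            target = m.group(1) or domain
            cidr = int(m.group(2)) if m.group(2) else 32
            if looks_like_ip(target):
                # The supplier's mistake: an IP literal where a domain-spec belongs.
                raise PermError(f"Use the ip4 mechanism for ip4 addresses: {term}")
            if cidr > 32:
                raise PermError(f"bad CIDR length: {term}")
            parsed.append((qual, "a", (target, cidr)))
    return parsed


def check_host(ip, domain, record, resolve_a=FAKE_DNS_A.get):
    """Return pass/fail/softfail/neutral/permerror for a sending IP."""
    sender = ipaddress.IPv4Address(ip)
    try:
        terms = parse_record(record, domain)
    except PermError:
        return "permerror"
    for qual, mech, arg in terms:
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = sender in arg
        else:  # "a": each A record of the target, widened to the CIDR prefix
            target, cidr = arg
            matched = any(
                sender in ipaddress.IPv4Network(f"{addr}/{cidr}", strict=False)
                for addr in (resolve_a(target) or [])
            )
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no explicit "all": default is Neutral


if __name__ == "__main__":
    # 192.0.2.200 is not mx.blogger.com, but it is in the same /24.
    print(check_host("192.0.2.200", "example.com", "v=spf1 a:mx.blogger.com/24 -all"))
    # The ip4 term would match, yet the bad "a:" term sinks the whole record.
    print(check_host("198.51.100.10", "example.com",
                     "v=spf1 ip4:198.51.100.10 a:192.0.2.25 -all"))
```

The second call is the supplier's situation: a receiver running this logic returns PermError for every message, including mail from hosts the record was clearly meant to authorise, because the record is never evaluated at all once the parser trips over a:192.0.2.25.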