spf-discuss

When should the processing of the SPF record end?

2004-03-23 01:51:00
Meng Weng Wong wrote:

     mechanism   = 1*ALPHA [ ':' *VCHAR ] *[ '/' *DIGIT ]
     modifier    = 1*ALPHA '=' *VCHAR

It should be

       mechanism   = ALPHA *ALPHANUM [ ':' *VCHAR ] [ dual-cidr-length ]
       modifier    = ALPHA *ALPHANUM '=' *VCHAR

Otherwise the mechanisms 'ip4' and 'ip6' would be invalid.


I'm a little bit bothered by the new paragraph because it tries to
micromanage clients in too much detail.  Is there a better way to say:
you have to respect an exp modifier even if it appears after "all"?

I suggest the following clear rules:

----------------

The parser MUST parse the SPF record from left to right.

If the parser encounters a syntax error or an unknown directive, it MUST
ignore the result and effect of all following directives and it MUST return
'unknown'.

If a mechanism matches, the parser MUST ignore the result and effect of all
following directives.

The parser MAY then continue to parse until the end of the record to detect
syntax errors or unknown directives and return 'unknown' if there are syntax
errors or unknown directives after the mechanism that matched.

Otherwise, if the parser does not continue parsing, it does the following:

If the matching mechanism was not 'all' or if the 'include' recursion level
(see below) is zero, the parser MUST return the prefix value (the default
prefix is +). Otherwise the parser MUST return 'no match'.

For an 'include' mechanism a prefix value MUST NOT be specified.

(The 'include' recursion level is zero when the parser starts. It is
increased when the parser encounters an 'include'. And it is decreased when
the parser ends the parsing of an SPF record but only if it is not
redirected to another SPF record).

----------------

The reason why the 'fail', 'softfail' and 'neutral' result from a mechanism
other than 'all' in an included SPF record should not be ignored is the
following:

Suppose a company has the policy: All our customers may send mail from
<our domain> except the dial-in users. It could have the following policy:

xyz.com      TXT  "v=spf1 include:inc.xyz.com -all"
inc.xyz.com  TXT  "v=spf1 -a:dul.xyz.com/24 a:xyz.com/16 -all"

In this case if the SMTP client IP address matches the -a:dul.xyz.com/24,
the result returned from the included SPF record is 'fail', otherwise if the
IP address matches a:xyz.com/16, it is 'pass', otherwise it is 'no match'.

Roger
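The evaluation rules proposed in the message above, worked through as a small Python evaluator. This is an added example, not code from the post or from any SPF implementation: it implements the left-to-right, stop-at-first-match and 'unknown' rules and the 'include' recursion-level semantics exactly as the post states them (which differ from the include semantics later adopted in RFC 4408, where only 'pass' from an included record counts as a match). DNS lookups are replaced by constructed tables; the record and address data, the `.example` domains, the treatment of a missing record as 'unknown', and the propagation of 'unknown' out of an include are assumptions made for the example. Only the 'all', 'ip4', 'a' and 'include' mechanisms and the 'redirect' modifier are implemented.

```python
"""Toy SPF evaluator following the rules proposed in the post above.

Added example, not code from the post or from any SPF implementation.
It implements the left-to-right / stop-at-first-match / 'unknown' rules
and the include-recursion-level semantics as written in the post (NOT the
later RFC 4408 include semantics).  DNS is replaced by constructed tables.
"""
import ipaddress
import re

# Constructed stand-ins for DNS TXT and A lookups (invented data, not real).
SPF_RECORDS = {
    "xyz.com":         "v=spf1 include:inc.xyz.com -all",
    "inc.xyz.com":     "v=spf1 -a:dul.xyz.com/24 a:xyz.com/16 -all",
    "broken.example":  "v=spf1 ip4:192.0.2.0/24 foo:bar -all",
    "badinc.example":  "v=spf1 -include:inc.xyz.com -all",
    "redir.example":   "v=spf1 redirect=xyz.com",
    "nomatch.example": "v=spf1 ip4:192.0.2.0/24",
}
A_RECORDS = {
    "dul.xyz.com": ["198.51.100.5"],  # dial-in pool; /24 -> 198.51.100.0/24
    "xyz.com":     ["198.51.0.1"],    # company range; /16 -> 198.51.0.0/16
}

PREFIX_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Term grammar from the post: ALPHA *ALPHANUM [':' *VCHAR] [cidr-length]
MECH_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?::([^/]*))?(?:/(\d+))?$")
MOD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=(.*)$")
KNOWN_MECHS = {"all", "ip4", "ip6", "a", "mx", "ptr", "exists", "include"}


def mech_matches(name, arg, cidr, ip, domain):
    """True when the (non-include) mechanism matches the client IP."""
    bits = 32 if cidr is None else int(cidr)
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(f"{arg}/{bits}", strict=False)
    if name == "a":
        for addr in A_RECORDS.get(arg or domain, []):
            if ip in ipaddress.ip_network(f"{addr}/{bits}", strict=False):
                return True
        return False
    raise NotImplementedError(name)  # ip6/mx/ptr/exists left out of the toy


def check_host(ip, domain, level=0):
    """Evaluate domain's record for ip; level is the include recursion level."""
    ip = ipaddress.ip_address(ip)
    record = SPF_RECORDS.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "unknown"  # assumption: no usable record is reported as unknown
    redirect = None
    for term in record.split()[1:]:
        mod = MOD_RE.match(term)
        if mod:  # modifiers never match; exp= and friends are simply skipped
            if mod.group(1).lower() == "redirect":
                redirect = mod.group(2)
            continue
        explicit_prefix = term[0] in PREFIX_RESULT
        prefix = term[0] if explicit_prefix else "+"
        mech = MECH_RE.match(term[1:] if explicit_prefix else term)
        if not mech or mech.group(1).lower() not in KNOWN_MECHS:
            return "unknown"  # syntax error or unknown directive: stop here
        name, arg, cidr = mech.group(1).lower(), mech.group(2), mech.group(3)
        if name == "include":
            if explicit_prefix or not arg:
                return "unknown"  # a prefix on include is a syntax error
            result = check_host(ip, arg, level + 1)  # level++ on include
            if result == "no match":
                continue
            return result  # pass/fail/softfail/neutral propagate; so does unknown (assumption)
        if name == "ip4" and not arg:
            return "unknown"
        if mech_matches(name, arg, cidr, ip, domain):
            if name == "all" and level > 0:
                return "no match"  # 'all' inside an include decides nothing
            return PREFIX_RESULT[prefix]
    if redirect:  # redirect keeps the recursion level, per the post
        return check_host(ip, redirect, level)
    return "no match"


if __name__ == "__main__":
    for client in ("198.51.100.77", "198.51.7.7", "203.0.113.9"):
        print(client, "->", check_host(client, "xyz.com"))
```

Run stand-alone, the three clients give 'fail' (dial-in pool, decided inside the include), 'pass' (company /16, also decided inside the include) and 'fail' (the include's own '-all' yields 'no match' at level 1, so the top-level '-all' decides). The evaluator stops at the first match, so 'broken.example' returns 'pass' for 192.0.2.5 even though an unknown directive follows; the MAY-continue variant from the post would keep scanning and return 'unknown' instead. Include and redirect loops are not guarded, which a real implementation must do.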