spf-discuss

SPF validation

2004-04-13 21:00:14
Earlier today I was using an (unnamed, for reasons you will see) SPF test site to validate my SPF TXT record:

mailpen.net. 60 TXT "v=spf1 mx +ptr:verizon.net -all"

This test site not only validated a hypothetical mail sent from 206.46.170.106 (out006pub.verizon.net), it also validated mail sent from 4.40.2.214 (evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net). Note that while the ends of the hostnames match "verizon.net" as a string, only the first matches as a domain name. When I added a leading period to the domain name in the TXT record:

mailpen.net. 60 TXT "v=spf1 mx +ptr:.verizon.net -all"

this first test site performed as I expected, but then the test validator at spf.pobox.com no longer validated either IP address.

When I sent an eMail to the owner of the first SPF test site, I got the following response:

I believe that our method is correct -- http://spf.pobox.com/draft-mengwong-spf-00.txt section 4.6 shows that it should match if the reverse DNS entry ends in "verizon.net".

I found this response incredulous for the following reasons:

1. He claims that his method is correct, when it disagrees with an SPF test implemented by the author of the RFC on his web page.

2. The section he mentions (4.6) says "Check all validated hostnames to see if they end in the <target-name> domain." It doesn't say "see if the end of the strings match"; it says "[see if the] validated hostnames .. end in the <target-name> domain". That means to me that you match on the (entire) domain names, NOT the strings.

3. His interpretation opens up "prefix-spoofing" for spammers who create domain names that END in popular legit domain names, like "belaol.com" -- who would take that to match "aol.com"? But with his interpretation, it would, without all <domain-spec>s being prefixed with a period.

4. Section 4.6 of the RFC says:

Pseudocode:
for each name in (validated_sending-host_names) {
  if name ends in <domain-spec>, return match.
  if name is <domain-spec>, return match.
}

Now, in Appendix A is the BNF for <domain-spec>

domain-spec = domain-name / macro-string
domain-name = domain-part *( '.' domain-part ) [ '.' ]
domain-part = as defined in RFC1034

Notice that there is NO period at the beginning of the domain-spec, as would be required by his interpretation in order to prevent the kind of "prefix-spoofing" that I mention above.

5. Look at the examples in Appendix B1; they clearly show domain names without leading periods.

So, which is the correct way to specify that a valid sender may end in "verizon.net" but not "dsl-verizon.net"? I don't want to "dump" on the author of the first SPF test site, as he is trying to provide a valuable service, but I found his justification of his test methods without any logical basis.

Sincerely, Dean Gibson

ps: I will increase the TTL on the SPF TXT record when I am done testing. Any recommendations for the TTL (my normal value is 8 hours)?
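The two readings of "ends in the <target-name> domain" that the post contrasts can be shown side by side in code. The following is an added example written for this thread, not code from the post, the draft, or either test site: it evaluates a ptr mechanism against a small constructed reverse/forward DNS table (the two Verizon hostnames are the ones quoted above; the belaol.com and forged.verizon.net entries are made-up illustrations), first with a label-boundary comparison and then with the plain string-suffix comparison the first test site appears to use. The forward-confirmation step follows the draft's requirement that a PTR name only counts if it resolves back to the sending IP. The later RFC 7208 text resolves the question the same way the label-boundary version does: the validated name must equal the target or be a subdomain of it.

```python
# Added example (not from the post or the SPF draft): SPF "ptr" mechanism with
# label-aware versus string-suffix matching, over a constructed DNS table.

def labels(name: str) -> list:
    """Lower-case a hostname, drop the trailing dot, split into labels.
    Empty labels are discarded, so a leading "." on the target is tolerated."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def ends_in_domain(hostname: str, target: str) -> bool:
    """Label-boundary test: hostname equals target or is a subdomain of it."""
    h, t = labels(hostname), labels(target)
    if not t or len(h) < len(t):
        return False
    return h[-len(t):] == t


def ends_in_string(hostname: str, target: str) -> bool:
    """Naive test the post objects to: compare raw string suffixes."""
    return hostname.lower().rstrip(".").endswith(target.lower().rstrip("."))


# Constructed reverse-DNS table (PTR records). The two Verizon names are the
# ones quoted in the post; 192.0.2.10 and 198.51.100.7 are invented cases.
PTR_TABLE = {
    "206.46.170.106": ["out006pub.verizon.net"],
    "4.40.2.214": ["evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net"],
    "192.0.2.10": ["mail.belaol.com"],
    "198.51.100.7": ["forged.verizon.net"],   # PTR claims verizon.net ...
}

# Constructed forward table (A records) used to validate each PTR name.
A_TABLE = {
    "out006pub.verizon.net": ["206.46.170.106"],
    "evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net": ["4.40.2.214"],
    "mail.belaol.com": ["192.0.2.10"],
    "forged.verizon.net": ["203.0.113.5"],    # ... but does not resolve back
}


def validated_hostnames(ip: str) -> list:
    """PTR names for ip whose forward lookup includes ip (draft sec. 4.6)."""
    return [n for n in PTR_TABLE.get(ip, []) if ip in A_TABLE.get(n, [])]


def ptr_mechanism(ip: str, target: str, matcher=ends_in_domain) -> bool:
    """Evaluate ptr:<target> for ip using the supplied comparison function."""
    return any(matcher(name, target) for name in validated_hostnames(ip))


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip,
              "domain-match:", ptr_mechanism(ip, "verizon.net"),
              "string-match:", ptr_mechanism(ip, "verizon.net", ends_in_string))
```

Run as a script it prints one line per address; 4.40.2.214 passes only under the string comparison, and 198.51.100.7 fails under both because its PTR name is not forward-confirmed.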
