Earlier today I was using an (unnamed, for reasons you will see) SPF test
site to validate my SPF TXT record:
    mailpen.net. 60 TXT "v=spf1 mx +ptr:verizon.net -all"
This test site not only validated a hypothetical mail sent from
206.46.170.106 (out006pub.verizon.net), it also validated mail sent from
4.40.2.214 (evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net). Note that
while the ends of the hostnames match "verizon.net" as a string, only the
first matches as a domain name. When I added a leading period to the
domain name in the TXT record:
    mailpen.net. 60 TXT "v=spf1 mx +ptr:.verizon.net -all"
then this first test site performed as I expected, but the test
validator at spf.pobox.com no longer validated either IP address.
When I sent an email to the owner of the first SPF test site, I got the
following response:
> I believe that our method is correct --
> http://spf.pobox.com/draft-mengwong-spf-00.txt section 4.6 shows that it
> should match if the reverse DNS entry ends in "verizon.net".
I found this response incredulous for the following reasons:
1. He claims that his method is correct, when it disagrees with an SPF test
implemented by the author of the RFC on his web page.
2. The section he mentions (4.6) says "Check all validated hostnames to
see if they end in the <target-name> domain." It doesn't say "see if the
end of the strings match"; it says "[see if the] validated hostnames ..
end in the <target-name> domain". That means to me that you match on the
(entire) domain names, NOT the strings.
3. His interpretation opens up "prefix-spoofing" for spammers who create
domain names that END in popular legit domain names, like "belaol.com" --
who would take that to match "aol.com"? But with his interpretation, it
would, without all <domain-spec>s being prefixed with a period.
4. Section 4.6 of the RFC says:
    Pseudocode:
    for each name in (validated_sending-host_names) {
        if name ends in <domain-spec>, return match.
        if name is <domain-spec>, return match.
    }
Now, in Appendix A is the BNF for <domain-spec>:
    domain-spec = domain-name / macro-string
    domain-name = domain-part *( '.' domain-part ) [ '.' ]
    domain-part = as defined in RFC1034
Notice that there is NO period at the beginning of the domain-spec, as
would be required by his interpretation in order to prevent the kind of
"prefix-spoofing" that I mention above.
5. Look at the examples in Appendix B1; they clearly show domain names
without leading periods.
So, which is the correct way to specify that a valid sender may end in
"verizon.net" but not "dsl-verizon.net"? I don't want to "dump" on the
author of the first SPF test site, as he is trying to provide a valuable
service, but I found his justification of his test methods without any
logical basis.
Sincerely, Dean Gibson
ps: I will increase the TTL on the SPF TXT record when I am done
testing. Any recommendations for the TTL (my normal value is 8 hours)?
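The two interpretations argued about above, side by side, as an added example that is not part of the original message or of either test site's code. It implements the section 4.6 "ptr" steps (validate each PTR name by forward lookup, then check the domain) against hand-built DNS tables: the two verizon.net hostnames are the ones from the post, but their A records, the "belaol.com" name and the 192.0.2.x / 203.0.113.x addresses are constructed for the demonstration. `ends_in_domain` matches on label boundaries, which is the reading the message argues for; `ends_in_string` is the plain string-suffix test the first site uses, kept here only to show what it lets through.

```python
"""SPF "ptr" mechanism: validated-hostname matching, domain-wise vs string-wise.

Offline demonstration with constructed DNS tables (no real lookups are made).
"""
from typing import Callable

# Constructed reverse (PTR) data standing in for DNS.
PTR_TABLE = {
    "206.46.170.106": ["out006pub.verizon.net"],
    "4.40.2.214": ["evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net"],
    "192.0.2.10": ["mail.belaol.com"],      # name that merely ends in "aol.com"
    "192.0.2.11": ["forged.verizon.net"],   # PTR claims verizon.net, forward lookup disagrees
}

# Constructed forward (A) data; the verizon.net entries are assumptions, not real records.
A_TABLE = {
    "out006pub.verizon.net": ["206.46.170.106"],
    "evrtwa1-ar16-4-40-002-214.evrtwa1.dsl-verizon.net": ["4.40.2.214"],
    "mail.belaol.com": ["192.0.2.10"],
    "forged.verizon.net": ["203.0.113.5"],
}


def normalize(name: str) -> str:
    """Lower-case and strip leading/trailing dots so ".verizon.net" and
    "verizon.net." compare equal to "verizon.net"."""
    return name.lower().strip(".")


def ends_in_domain(name: str, target: str) -> bool:
    """True if name IS target or is a subdomain of target (label-boundary match).
    This is the "ends in the <target-name> domain" reading from section 4.6."""
    name, target = normalize(name), normalize(target)
    return name == target or name.endswith("." + target)


def ends_in_string(name: str, target: str) -> bool:
    """The naive string-suffix test: "dsl-verizon.net" ends in "verizon.net"
    as a string, so it matches here even though it is a different domain."""
    return normalize(name).endswith(normalize(target))


def validated_hostnames(ip: str) -> list:
    """Section 4.6 validation step: keep only PTR names whose forward
    lookup includes the sending IP, so a forged PTR cannot vouch for itself."""
    return [h for h in PTR_TABLE.get(ip, []) if ip in A_TABLE.get(h, [])]


def ptr_matches(ip: str, target_name: str,
                matcher: Callable[[str, str], bool] = ends_in_domain) -> bool:
    """Evaluate "ptr:<target_name>" for the sending IP with the given matcher."""
    return any(matcher(h, target_name) for h in validated_hostnames(ip))


if __name__ == "__main__":
    for ip, target in [("206.46.170.106", "verizon.net"),
                       ("4.40.2.214", "verizon.net"),
                       ("192.0.2.10", "aol.com"),
                       ("192.0.2.11", "verizon.net")]:
        print(f"{ip:16} ptr:{target:12} domain-wise={ptr_matches(ip, target)!s:5} "
              f"string-wise={ptr_matches(ip, target, ends_in_string)}")
```

Run as a script it prints one line per sending IP: only 206.46.170.106 passes under the domain-wise check, while the string-wise check also accepts the dsl-verizon.net host and the belaol.com host; 192.0.2.11 fails under both because its PTR name never validates. Because `normalize` strips a leading dot, the "ptr:.verizon.net" record from the message evaluates the same as "ptr:verizon.net" under the domain-wise matcher.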