spf-discuss

Deferring "temperror" results during record evaluation (was: MX mechanism and spotty DNS server)

2005-01-13 18:58:55
Stuart D. Gathman [stuart(_at_)bmsi(_dot_)com] wrote:
> My SPF implementation is returning TEMPFAIL: DNS timeout when evaluating
> the best guess record "v=spf1 a/24 mx/24 ptr ?all" for STEGMAN.COM.
> [...]
> The connecting IP was from mx1.atlantech.net at 209.190.212.6, so it
> doesn't match the first MX (or the A).  Obviously, if this were a real
> SPF record, the [TEMPFAIL] result is correct.  However, for a guessed
> record, it seems to me that a DNS error should result in the mechanism
> failing to match instead of a temporary error.  Does any other
> implementation do this?  Is it a good idea?

(Uhm, "tempfail"?  Did you mean "temperror" AKA "error"?)

Well, the decision to apply best guess processing is a receiver policy,
thus there is no single "correct" answer.  But since the purpose of best
guess processing is to allow "pass" results where otherwise only "none"s
would have been possible, you're probably right that the remaining best
guess mechanisms should be given the chance to produce a "pass" before
resorting to a "temperror" as soon as an "all" mechanism (or the end of
the record) is reached.

This might also generally be a good idea, not just for best guess
processing.  But allowing the SPF client to defer "temperror"s must always
err on the side of security, i.e. "temperror"s resulting from non-positive
mechanisms (-foo, ~foo, ?foo) must never be deferred.
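
As an added illustration (this is not code from the post above nor from any SPF implementation discussed on the list), the following Python sketch evaluates a simplified spf1 record against a constructed in-memory DNS stub and applies the deferral rule the reply describes: a DNS timeout hit while evaluating a positive mechanism is remembered and evaluation continues so that a later mechanism may still produce "pass", whereas a timeout hit on a non-positive mechanism (-foo, ~foo, ?foo) stops evaluation with "temperror" immediately. It goes one step beyond the text in one respect: once an error has been deferred, any result other than "pass" reached afterwards (including the qualifier of "all" or the end of the record) is reported as "temperror", because the skipped mechanism might have matched first. The zone data, the 198.51.100.7 and 203.0.113.x addresses and the `mail.stegman.com` host are constructed; only a, mx, ptr and all are supported, with no macros, include/redirect or lookup limits.

```python
"""Toy SPF evaluator demonstrating deferred "temperror" handling.

Added example; not code from the spf-discuss post or any real SPF library.
The DNS data below is constructed so that the MX lookup for stegman.com
times out, mirroring the spotty name server described in the thread.
"""
from ipaddress import ip_address, ip_network


class DnsTempError(Exception):
    """Stands in for a DNS timeout or SERVFAIL."""


# Constructed zone: (name, type) -> list of values, or the DnsTempError
# class as a sentinel meaning "this lookup times out".
ZONE = {
    ("stegman.com", "A"): ["203.0.113.10"],
    ("stegman.com", "MX"): DnsTempError,            # the flaky MX lookup
    ("209.190.212.6", "PTR"): ["mx1.atlantech.net"],  # client from the post
    ("mx1.atlantech.net", "A"): ["209.190.212.6"],
    ("198.51.100.7", "PTR"): ["mail.stegman.com"],    # constructed client
    ("mail.stegman.com", "A"): ["198.51.100.7"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve against the stub zone; raises DnsTempError on a 'timeout'."""
    value = ZONE.get((name.lower(), rtype), [])
    if value is DnsTempError:
        raise DnsTempError(f"{rtype} lookup for {name} timed out")
    return value


def parse_mech(token):
    """Split 'qualifier mechanism/cidr' into its parts; '+' is the default."""
    qual = "+"
    if token[0] in QUALIFIERS:
        qual, token = token[0], token[1:]
    name, _, cidr = token.partition("/")
    return qual, name.lower(), int(cidr) if cidr else 32


def in_cidr(ip, addr, cidr):
    return ip_address(ip) in ip_network(f"{addr}/{cidr}", strict=False)


def mech_matches(name, cidr, ip, domain):
    """True/False for the mechanism; propagates DnsTempError from lookups."""
    if name == "all":
        return True
    if name == "a":
        return any(in_cidr(ip, a, cidr) for a in lookup(domain, "A"))
    if name == "mx":
        return any(in_cidr(ip, a, cidr)
                   for mx in lookup(domain, "MX") for a in lookup(mx, "A"))
    if name == "ptr":
        # Validated PTR: the reverse name must resolve back to the client
        # IP and lie within the domain being checked.
        for host in lookup(ip, "PTR"):
            if ip in lookup(host, "A") and (
                    host == domain or host.endswith("." + domain)):
                return True
        return False
    raise ValueError(f"unsupported mechanism {name!r}")


def evaluate(record, ip, domain, defer_temperror=True):
    """Evaluate an spf1 record for a client IP; returns the SPF result string."""
    tokens = record.split()
    if not tokens or tokens[0] != "v=spf1":
        raise ValueError("not an spf1 record")
    deferred = None  # the first DnsTempError from a positive mechanism
    for token in tokens[1:]:
        qual, name, cidr = parse_mech(token)
        try:
            matched = mech_matches(name, cidr, ip, domain)
        except DnsTempError as err:
            if defer_temperror and qual == "+":
                deferred = err   # remember it; a later mechanism may "pass"
                continue
            return "temperror"   # never defer errors on -, ~ or ? mechanisms
        if matched:
            result = QUALIFIERS[qual]
            # After a deferred error only "pass" is safe to report: the
            # skipped mechanism could have matched first and given "pass".
            return result if result == "pass" or deferred is None else "temperror"
    return "temperror" if deferred else "none"


if __name__ == "__main__":
    record = "v=spf1 a/24 mx/24 ptr ?all"
    for client in ("209.190.212.6", "198.51.100.7"):
        print(client, evaluate(record, client, "stegman.com"),
              "(no deferral:", evaluate(record, client, "stegman.com",
                                        defer_temperror=False) + ")")
```

With the record from the post and the connecting IP 209.190.212.6, the result is still "temperror" (the ptr mechanism does not match and the deferred MX error surfaces at "?all"); for the constructed client 198.51.100.7, whose validated PTR name is inside stegman.com, deferral turns what would have been an immediate "temperror" at mx/24 into a "pass" from the ptr mechanism. A record such as "v=spf1 -mx ptr ?all" returns "temperror" at the mx step regardless of the deferral setting, since the error occurred on a non-positive mechanism.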
