spf-discuss

Re: mask modifier description

2005-03-26 15:01:19
Stuart D. Gathman wrote:
A mask modifier behaves like an ip4 mechanism would if SPF had included a negation. For instance:

m=-65/8

would be
-ip4:!65/8  # NOTE - fictitious syntax, '!' not in SPF spec

Since it is a modifier, it must also be possible to ignore it without changing the result.
I don't know if Radu intended this, but the mask modifier should also be
position dependent.  If supported by a checker, it should be evaluated
when encountered.  This makes it the responsibility of the SPF compiler or
human record designer to place the modifier appropriately (e.g. after A
and MX mechanisms).  This simplifies checking software.

You got it (*mostly*). For a simple modifier, you are absolutely correct.

But for a slightly more complex one, like "m=-65/8 m=213/8", the "-ip4:!65/8" mechanism would reject an incoming address like 213.0.0.1, which is probably a valid sender.

Please see how the following two are not equivalent for the 213.0.0.1 sender:

"v=spf1 m=-65/8 m=213/8 ip4:65.0.0.1 ip4:213.0.0.1 -all"

and

"v=spf1 -ip4:!65/8 -ip4:!213/8 ip4:65.0.0.1 ip4:213.0.0.1 -all"

This is because mechanisms evaluate one at a time, and there is no notion of grouping them to say "if both mechanisms match then fail". The -include method comes close to allowing this, but unfortunately the IP list would be long and it also requires an extra query.

Even the -include combined with a syntax like "+ip4:!65/8 +ip4:!213/8"
would not work, because mechanisms cannot give group-wise results.

What you would need is:

   -ip4:!(65/8 or 213/8)

That would be equivalent to the mask modifier.


As for position-dependent modifiers, there's been strong opposition in the past, and it has been agreed already that all modifiers are position independent.

Even so, it doesn't mean they are not governed by rules that say when they should be used.

E.g. the redirect modifier is used only after all the mechanisms have been evaluated.
E.g. the exp modifier is used only if the result is 'fail'.

It's unfortunate, because a position-dependent evaluation would help a lot, just as you mentioned. Instead, we're left fumbling for a general rule of when it should be applied.

But I'm sure the same kind of fumbling happened for the redirect= modifier.

Regards,
Radu.
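
The comparison in the message above, as an added example that is not part of the original post or of any SPF implementation: a small evaluator for only the terms used here (`ip4`, `all`, the proposed `m=` modifier and the fictitious `!` negation). It assumes the masks are collected as one group and checked before the mechanisms, that a sender outside every mask gets `fail`, and that `65/8` is shorthand for `65.0.0.0/8`.

```python
import ipaddress

def net(spec):
    """Parse shorthand such as '65/8' or '65.0.0.1' into an IPv4 network."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # 65 -> 65.0.0.0
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))

def check(record, sender):
    """Evaluate the SPF subset discussed in this message for one sender IP."""
    ip = ipaddress.ip_address(sender)
    terms = record.split()[1:]                   # drop "v=spf1"
    # Assumption: masks act as a group, i.e. -ip4:!(mask1 or mask2 ...).
    masks = [net(t[2:].lstrip("+-")) for t in terms if t.startswith("m=")]
    if masks and not any(ip in m for m in masks):
        return "fail"
    # Mechanisms are evaluated one at a time; the first match decides.
    for t in terms:
        if t.startswith("m="):
            continue
        qualifier = "-" if t[0] == "-" else "+"
        mech = t.lstrip("+-")
        if mech == "all":
            matched = True
        else:
            arg = mech[len("ip4:"):]
            negate = arg.startswith("!")         # fictitious '!' syntax
            matched = (ip in net(arg.lstrip("!"))) != negate
        if matched:
            return "fail" if qualifier == "-" else "pass"
    return "neutral"

# The two records quoted in the message.
MASKED = "v=spf1 m=-65/8 m=213/8 ip4:65.0.0.1 ip4:213.0.0.1 -all"
NEGATED = "v=spf1 -ip4:!65/8 -ip4:!213/8 ip4:65.0.0.1 ip4:213.0.0.1 -all"

if __name__ == "__main__":
    for sender in ("65.0.0.1", "213.0.0.1", "10.0.0.1"):
        print(sender, check(MASKED, sender), check(NEGATED, sender))
```

With two negated mechanisms every sender matches at least one of them, so the second record fails the listed 65.0.0.1 and 213.0.0.1 addresses as well as unlisted ones.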

