spf-discuss

Re: Broken SPF Record?

2005-05-11 04:50:00
...... Original Message .......
On Tue, 10 May 2005 23:09:02 -0500 wayne <wayne(_at_)schlitt(_dot_)net> wrote:
In <20050511024047(_dot_)F3455183C6(_at_)rune(_dot_)listbox(_dot_)com> Scott Kitterman <spf2(_at_)kitterman(_dot_)com> writes:

...... Original Message .......
On Wed, 11 May 2005 00:32:37 +0200 Julian Mehnle <bulk(_at_)mehnle(_dot_)net> wrote:

Scott Kitterman wrote:
Is this record broken?

godaddy.com text "v=spf1 a:69.64.33.132 a:66.98.160.100 a:64.202.160.108
ip4:64.202.167.0/24 ip4:64.202.166.0/24 ip4:64.202.165.0/24
ip4:64.202.163.0/24 ip4:64.202.189.0/24 ~all"

a: with an IP address is a syntax error isn't it?

In the schlitt-spf-classic I-Ds, yes, it is a syntax error.


Syntactically, 69.64.33.132 is a valid domain name.  The record as a
whole is syntactically and semantically correct, although it probably
doesn't mean what the publisher meant.  Since there is no "132"
top-level domain, "a:69.64.33.132" will yield a lookup result of
RCODE 3, thus such an "a" mechanism will simply not match, as per the
last paragraph of the introduction of section 5 in the specification.

The TLDs in SPF records are now restricted in the same way that the
TLDs are restricted in URLs and such.



What apparently happened here is that the publisher erroneously assumed
the "a" mechanism to be for single IP addresses, and the "ip4" mechanism
for whole blocks of IP addresses.

Does anybody here have a good contact at Godaddy?  If not, I'll report
it through their support channel.

I reported this error almost immediately after GoDaddy first created
their SPF publisher system.  They said they would fix it.  Note that
Microsoft's SPF record publisher used to have the same problem, but I
think they have fixed it.

... dig ... dig ... dig ...

Ah, here is the message I sent them:

Customer - 11/30/2004 01:59 PM
Name:          Wayne Schlitt
Email:         wayne(_at_)schlitt(_dot_)net
Phone #:       402 450-1515
Domain:        spf-classic.com
Customer #:    (not given)
Last 4 of CC#: (not given)

Reseller Id:   GoDaddy
Reseller:      GoDaddy.com

Product:       Total DNS Control

Question:
Hi.

I'm one of the leaders in the SPF email anti-forgery project and I
would like to thank you for your new supporting both TXT records and
for creating SPF records!  I would also like to thank Mike Chadwick of
Go Daddy for his support of SPF at the recent FTC email authentication
summit.

As soon as I saw the PR release, I went in to test it on my
spf-classic.com domain (guess what that domain is used for ;-).
Unfortunately, I found that your SPF wizard has quite a few problems.

First off, it is generating records with the tag of "v=spf2.0/pra".
This is incorrect for both SPF-classic and for whatever Microsoft is
doing with their SenderID records.  It is possible that you picked up
this mistake from Microsoft's SenderID wizard, since they also had
this mistake for a long time.  (They fixed some of their bugs right
before the FTC email authentication summit.)

The correct tag should be "v=spf1".

When I tried to add two items on the A record text box, it incorrectly
formatted the second entry with either a space or a newline, I'm not
sure which.

Finally, I didn't see any place that you could enter an IP address
range, although I may have missed it.  I really didn't test it too
much.


We in the SPF community greatly appreciate the work you have done for
us.  Please contact me if you need any help or clarifications or
anything.  I would certainly be willing to test your wizard more
thoroughly.  I think it is very important that correct SPF records get
published.


-wayne

Looks to me like it's broken in a different way now, so perhaps this is the
result of trying to respond to your input.

Would you report this to them?  I'm not even a customer of theirs.  I 
expect you've got a better shot at being heard.

Scott K
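
An added example, not part of the original thread or any participant's code: a small Python linter for the two wizard mistakes discussed above, an IP address placed in an "a" mechanism and a version tag other than "v=spf1". The names `lint_spf`, `DOMAIN_MECHS` and `TERM_RE` are this example's own; checking `mx`, `include`, `exists` and `ptr` targets and flagging all-numeric top-level labels generalizes slightly beyond the `a:` case in the thread.

```python
import ipaddress
import re

# Mechanisms whose argument is a domain-spec (a host name), not an address.
DOMAIN_MECHS = {"a", "mx", "include", "exists", "ptr"}
# qualifier, mechanism name, optional ":target", optional "/cidr" suffix
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9]*)(?::([^/]*))?(/.*)?$")

# The record quoted in the thread, joined onto one line.
GODADDY_2005 = ("v=spf1 a:69.64.33.132 a:66.98.160.100 a:64.202.160.108 "
                "ip4:64.202.167.0/24 ip4:64.202.166.0/24 ip4:64.202.165.0/24 "
                "ip4:64.202.163.0/24 ip4:64.202.189.0/24 ~all")


def lint_spf(record):
    """Return (term, problem, suggested_term) tuples for one SPF TXT string."""
    terms = record.split()
    if not terms:
        return [("", "empty record", None)]
    findings = []
    if terms[0].lower() != "v=spf1":
        findings.append((terms[0], "version tag is not v=spf1", "v=spf1"))
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            continue  # modifiers such as redirect=... are out of scope here
        qual, mech, target, cidr = m.groups()
        if mech.lower() not in DOMAIN_MECHS or not target:
            continue
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Not an address, but a numeric rightmost label can never resolve.
            if target.rstrip(".").rsplit(".", 1)[-1].isdigit():
                findings.append((term, "all-numeric top-level label", None))
            continue
        # Carry over a single CIDR suffix; drop dual-CIDR forms (/n//m).
        suffix = cidr if cidr and "//" not in cidr else ""
        fix = f"{qual}ip{addr.version}:{addr}{suffix}"
        problem = f"'{mech}' given an IP address, not a host name"
        findings.append((term, problem, fix))
    return findings


if __name__ == "__main__":
    for term, problem, fix in lint_spf(GODADDY_2005):
        print(f"{term}: {problem}; suggested: {fix}")
```
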

