spf-discuss

RE: SPF Validation Tools - Yet Another One

2005-07-07 01:02:37

Scott Kitterman wrote:
One of the frequent problems I've seen with some of the SPF checking tools
is that they either just do a static validation of the syntax of a record
(and thus miss included domains with no SPF record or DNS lookup errors) or
they do a full test.  There doesn't appear to be any in between.  So, in the
spirit of re-inventing the wheel, only hopefully a little better...  here is
another web page for SPF testing:

http://www.kitterman.com/spf/validate.html

It comes in three parts:

1.  Enter a domain name and the SPF record is loaded and tested (including
processing limits and non-existent included domains/SPF records).

2.  Enter an SPF record directly and it's tested/validated.

3.  Enter an IP/Mail From/HELO or IP/SPF policy to test against specific IP
addresses.

This is at best a Beta site at this point and I'd like suggestions (on or
off list, I don't care, but off list certainly for anything not of general
interest).

Scott K

P.S.  This is using the latest version of the Python SPF library (thanks,
Stuart).  It implements the processing limits and error syntax in the
current draft.

This is a very interesting looking tool!

I tried it for one of the test domains under spf1-test.mailzone.com, which
has a couple of problems, and it did seem to confuse parts of the tool.

For Domain Name I entered "99.spf1-test.mailzone.com", and pressed the "Get
SPF record" button.  Here's what I got:

 accepted, querying now...
 99.spf1-test.mailzone.com 
 SPF records are published in DNS as TXT records. The TXT records found for your domain are:

 v=spf1 -all exp=99txt.spf1-test.mailzone.com moo 

 Checking to see if there is a valid SPF record. 

 Found SPF record, for: 99.spf1-test.mailzone.com 
 v=spf1 -all exp=99txt.spf1-test.mailzone.com moo 

 evaluating...

I gave it a couple of minutes, but it never gave any more output.

I went back to the main page and entered the record directly ("v=spf1 -all
exp=99txt.spf1-test.mailzone.com moo") and pressed the "Check SPF Record"
button.  Same thing:

 Input accepted, querying now...
 evaluating v=spf1 -all exp=99txt.spf1-test.mailzone.com moo ...

I tried dropping the trailing "moo", but got the same thing again.  Only
when I also dropped the -exp= part, leaving just "v=spf1 -all" did it give
me:

 Input accepted, querying now...
 evaluating v=spf1 -all ...
 SPF record passed validation test with pySPF (Python SPF library)!

I then tried the last section, and got the following:

 Input accepted, querying now...

 Mail sent from: 192.0.2.33 
 Mail from (Sender): bob@99.spf1-test.mailzone.com 
 Mail checked using this SPF policy: v=spf1 -all exp=99txt.spf1-test.mailzone.com moo 
 Results - FAIL Message may be rejected

So it didn't seem to confuse this part of the tool for some reason.

Now I think this is OK (given the ambiguous nature of record evaluation -
the "moo" would cause my SPF implementation to return PermError, but I'm
guessing the python implementation just goes left to right, and never sees
"moo").

The reason I picked on this particular record, is that, apart from the
"moo", it has, indirectly, another slight problem - the TXT record for the
exp= domain (99txt.spf1-test.mailzone.com) contains a syntax error (it uses
an undefined macro letter, "u").

That seems a bit subtle, and I didn't really expect the tool to notice/care,
but I was just curious.

Cheers,
Allyn
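
An added example, not part of the original message and not pySPF code: a static check of the record discussed above, classifying each term and validating macro letters. It assumes the grammar of RFC 7208 (published after this thread), does no DNS lookups, and the explanation string is constructed because the message does not quote the exp= TXT record itself.

```python
import re

# RFC 7208 section 5 mechanisms; anything else used as a directive is a syntax error.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# RFC 7208 section 7.2 macro letters (c, r, t are only meaningful in exp text).
MACRO_LETTERS = set("slodipvhcrt")
MACRO_BODY = re.compile(r"\{([A-Za-z])(\d*)([rR]?)([.\-+,/_=]*)\}")
MODIFIER = re.compile(r"([A-Za-z][A-Za-z0-9._-]*)=(.*)$")

def macro_errors(text):
    """Return macro syntax problems found in a domain-spec or explanation string."""
    errors, i = [], 0
    while (i := text.find("%", i)) != -1:
        if text[i + 1:i + 2] in ("%", "_", "-"):      # literal escapes
            i += 2
            continue
        m = MACRO_BODY.match(text, i + 1)
        if not m:
            errors.append(f"malformed macro at offset {i}")
            i += 1
            continue
        if m.group(1).lower() not in MACRO_LETTERS:
            errors.append(f"undefined macro letter '{m.group(1)}'")
        i = m.end()
    return errors

def check_record(record):
    """Classify every term left to right; any error makes the record a PermError."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    errors = []
    for term in terms[1:]:
        mod = MODIFIER.match(term)
        if mod:                                        # name=value; unknown names are allowed
            errors += [f"{term}: {e}" for e in macro_errors(mod.group(2))]
            continue
        name = re.match(r"[+\-~?]?([^:/]*)", term).group(1).lower()
        if name not in MECHANISMS:
            errors.append(f"{term}: unknown mechanism '{name}'")
        else:
            errors += [f"{term}: {e}" for e in macro_errors(term)]
    return errors

if __name__ == "__main__":
    print(check_record("v=spf1 -all exp=99txt.spf1-test.mailzone.com moo"))
    # Constructed explanation text standing in for the exp= TXT record.
    print(macro_errors("Mail from %{u} is not authorized"))
```

The whole record is scanned before any verdict, so a trailing unknown term is reported even though `-all` precedes it.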