spf-discuss

RE: SPF Validation Tools - Yet Another One

2005-07-18 10:56:55
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Allyn Wade
Sent: Thursday, July 07, 2005 4:03 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] SPF Validation Tools - Yet Another One



Scott Kitterman wrote:
One of the frequent problems I've seen with some of the SPF checking tools
is that they either just do a static validation of the syntax of a record
(and thus miss included domains with no SPF record or DNS lookup errors) or
they do a full test.  There doesn't appear to be any in between.  So, in the
spirit of re-inventing the wheel, only hopefully a little better...  here is
another web page for SPF testing:

http://www.kitterman.com/spf/validate.html

It comes in three parts:

1.  Enter a domain name and the SPF record is loaded and tested (including
processing limits and non-existent included domains/SPF records).

2.  Enter an SPF record directly and it's tested/validated.

3.  Enter an IP/Mail From/HELO or IP/SPF policy to test against specific IP
addresses.

This is at best a Beta site at this point and I'd like suggestions (on or
off list, I don't care, but off list certainly for anything not of general
interest).

Scott K

P.S.  This is using the latest version of the Python SPF library (thanks,
Stuart).  It implements the processing limits and error syntax in the
current draft.

This is a very interesting looking tool!

I tried it for one of the test domains under spf1-test.mailzone.com, which
has a couple of problems, and it did seem to confuse parts of the tool.

For Domain Name I entered "99.spf1-test.mailzone.com", and pressed the "Get
SPF record" button.  Here's what I got:

accepted, querying now...
99.spf1-test.mailzone.com
SPF records are published in DNS as TXT records. The TXT records found for
your domain are:

v=spf1 -all exp=99txt.spf1-test.mailzone.com moo

Checking to see if there is a valid SPF record.

Found SPF record, for: 99.spf1-test.mailzone.com
v=spf1 -all exp=99txt.spf1-test.mailzone.com moo

evaluating...

I gave it a couple of minutes, but it never gave any more output.

I went back to the main page and entered the record directly ("v=spf1 -all
exp=99txt.spf1-test.mailzone.com moo") and pressed the "Check SPF Record"
button.  Same thing:

Input accepted, querying now...
evaluating v=spf1 -all exp=99txt.spf1-test.mailzone.com moo ...

I tried dropping the trailing "moo", but got the same thing again.  Only
when I also dropped the -exp= part, leaving just "v=spf1 -all" did it give
me:

Input accepted, querying now...
evaluating v=spf1 -all ...
SPF record passed validation test with pySPF (Python SPF library)!

I then tried the last section, and got the following:

Input accepted, querying now...

Mail sent from: 192.0.2.33
Mail from (Sender): bob(_at_)99(_dot_)spf1-test(_dot_)mailzone(_dot_)com
Mail checked using this SPF policy: v=spf1 -all
exp=99txt.spf1-test.mailzone.com moo
Results - FAIL Message may be rejected

So it didn't seem to confuse this part of the tool for some reason.

Now I think this is OK (given the ambiguous nature of record evaluation -
the "moo" would cause my SPF implementation to return PermError, but I'm
guessing the python implementation just goes left to right, and never sees
"moo").

The reason I picked on this particular record, is that, apart from the
"moo", it has, indirectly, another slight problem - the TXT record for the
exp= domain (99txt.spf1-test.mailzone.com) contains a syntax error (it uses
an undefined macro letter, "u").

That seems a bit subtle, and I didn't really expect the tool to notice/care,
but I was just curious.

Cheers,
Allyn

Thanks.  That took a while to get to, but pySPF will now detect the
undefined macro, raise a syntax error, and then ignore the exp string with
the error in it.  That's how I think schlitt-spf-classic-02 says it should
be processed.

We still go right to left and don't detect the moo on the end, but I'm not
sure how important that is...

Scott K
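
The two problems discussed in this thread, the trailing "moo" term and the undefined macro letter "u" in the explanation text, can both be caught by a static check that looks at every term instead of stopping at "-all". The sketch below is an added example, not pySPF code and not from either poster; it assumes the term and macro grammar of RFC 7208, and the explanation string is constructed because the thread does not show the TXT record's contents.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MACRO_LETTERS = set("slodipvh")   # valid in any macro-string (RFC 7208 grammar)
EXP_ONLY = set("crt")             # valid only inside explanation text
MACRO = re.compile(r"%(?:\{([^}]*)\}|(.)|$)")
BODY = re.compile(r"([A-Za-z])(\d*)(r?)([.\-+,/_=]*)$")
MODIFIER = re.compile(r"([A-Za-z][A-Za-z0-9_.\-]*)=(.*)$")

def check_macro_string(text, in_exp=False):
    """Return a list of syntax errors for the %-macros found in text."""
    errors = []
    for m in MACRO.finditer(text):
        body, single = m.group(1), m.group(2)
        if body is None:                      # "%x" form or a trailing "%"
            if single not in ("%", "_", "-"):
                errors.append(f"bad macro sequence {m.group(0)!r}")
            continue
        parsed = BODY.match(body)
        letter = parsed.group(1).lower() if parsed else None
        if letter in MACRO_LETTERS or (in_exp and letter in EXP_ONLY):
            continue
        errors.append(f"undefined macro %{{{body}}}")
    return errors

def check_record(record):
    """Static check of one SPF record: every term is examined, including
    terms that follow 'all'. Mechanism arguments are not validated."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF version 1 record"]
    errors = []
    for term in terms[1:]:
        mod = MODIFIER.match(term)
        if mod:  # redirect=, exp= or unknown modifier: value is a macro-string
            errors += check_macro_string(mod.group(2))
            continue
        bare = term[1:] if term[0] in "+-?~" else term
        name = re.split(r"[:/]", bare, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            errors.append(f"unknown term {term!r}")
        else:
            errors += check_macro_string(term)
    return errors

RECORD = "v=spf1 -all exp=99txt.spf1-test.mailzone.com moo"   # from the thread
EXPLANATION = "Message from %{u} refused, see %{d}"           # constructed sample
print(check_record(RECORD))
print(check_macro_string(EXPLANATION, in_exp=True))
```
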