spf-discuss

Re: http://www.kitterman.com/spf/validate.html SPF Validation

2005-07-25 19:04:50
In <003401c59178$066a9b00$840cea3c(_at_)lennon2> "Craig Whitmore" 
<lennon(_at_)orcon(_dot_)net(_dot_)nz> writes:

> And the kitterman SPF checker passed a few of the domains which should
> be invalid. (IMHO)
>
> These Domains are:
>
> albedo.net      text = "v=spf1" "a" "mx" "a:romeo.albedo.net"
> "ip4:206.51.22.0/27" "ip4:206.51.27.0/27" "ip4:204.225.112.0/27"
> "include:bbs42.com" "-all"

This is, indeed, invalid.  As per section 3.1.3 "If a published record
contains multiple strings, then the record MUST be treated as if those
strings are concatenated together without adding spaces."  See:
http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#anchor15

> (Is this Valid to do, no one else seems to do it)

Multiple strings can come in handy sometimes.  It is my understanding
that djbdns automatically splits the strings after 127 characters
(rather than 255 that is required).  This is short enough that you
will run into it periodically.

> whereareyounow.com  v=spf1 mx ptr ip4:217.148.33.3/224 -all (invalid
> Subnet mask for address)

Correct.  


Again, I suggest using either of the following two regular
expressions to verify records.  They are derived from the ABNF in the
spec, so if they are wrong, the ABNF needs to be fixed.  Actually, as
discussed previously, these regular expressions don't do complete
syntax checking of the redirect= and exp= modifiers because they
accept <macro-string> instead of requiring <domain-spec>.

http://www.schlitt.net/spf/tests/spf_record_regexp-03.txt
http://www.schlitt.net/spf/tests/spf_record_extended_regexp-03.txt


The ABNF for SPF records has come a long way.  I now think it is
easier to pull the ABNF and convert it to automated language grammar
parsers, such as yacc/lex, than to do it ad-hoc.


-wayne
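
Added example, not part of the original message and not the regular expressions linked above: a simplified Python check covering the two failures discussed in the thread, TXT strings concatenated without spaces and an out-of-range ip4 prefix length. The function and constant names are hypothetical, and the check covers only the version tag, mechanism names and ip4/ip6 arguments, not the full ABNF.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
IP_RULES = {"ip4": (4, 32), "ip6": (6, 128)}  # mechanism -> (IP version, max prefix)

def join_txt_strings(strings):
    """Join the strings of one TXT record with no separator, as the draft requires."""
    return "".join(strings)

def check_record(record):
    """Return a list of problems found; an empty list means none of these checks failed."""
    if record != "v=spf1" and not record.startswith("v=spf1 "):
        return ["version: record must be 'v=spf1' followed by a space or end of record"]
    problems = []
    for term in record.split(" ")[1:]:
        if not term or re.match(r"[A-Za-z][A-Za-z0-9._-]*=", term):
            continue  # extra space, or a modifier (redirect=, exp=): not checked here
        body = term[1:] if term[0] in "+-?~" else term  # drop the optional qualifier
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            problems.append(f"{term}: unknown mechanism")
        elif name in IP_RULES:
            version, max_prefix = IP_RULES[name]
            address, slash, prefix = body[len(name) + 1:].partition("/")
            try:
                if ipaddress.ip_address(address).version != version:
                    raise ValueError(address)
            except ValueError:
                problems.append(f"{term}: bad {name} address")
            if slash and not (re.fullmatch(r"[0-9]{1,3}", prefix)
                              and int(prefix) <= max_prefix):
                problems.append(f"{term}: invalid prefix length /{prefix} (max /{max_prefix})")
    return problems

# The two records quoted in the message above.
ALBEDO_STRINGS = ["v=spf1", "a", "mx", "a:romeo.albedo.net", "ip4:206.51.22.0/27",
                  "ip4:206.51.27.0/27", "ip4:204.225.112.0/27",
                  "include:bbs42.com", "-all"]
WHEREAREYOUNOW = "v=spf1 mx ptr ip4:217.148.33.3/224 -all"

if __name__ == "__main__":
    print(check_record(join_txt_strings(ALBEDO_STRINGS)))  # as published
    print(check_record(" ".join(ALBEDO_STRINGS)))          # with spaces between terms
    print(check_record(WHEREAREYOUNOW))
```

The second call shows that the albedo.net terms pass these checks once they are separated by spaces, so the only defect this check reports is the missing spacing between the strings.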