
Re: [spf-discuss] Updated SPF validator and a new checker

2005-08-27 02:19:27
Hi,

The question is whether an UNKNOWN should return a statement:

     "X.X.X.X may send in the name of the domain."

and how receivers should handle "unknowns."

I tried to give a simple explanation here. This service is primarily
intended to be used by our clients (although the version of our ORF
software which supports SPF has not been released yet) and often they
have no deep knowledge of the SPF standard, so I thought a simple
one-sentence explanation could help. For this reason, Neutral, None
and Unknown return the same message, Fail explains that the sender is
explicitly forbidden, SoftFail says the sender may not be able to
send.

I think this is OK as long as there are no SPF clients which blacklist
(or score down) the email on Unknown, Neutral or None. (Interesting:
our testers requested to be able to blacklist email on Neutral due to
the many Neutral policies published -- we resist and do not allow this
option :)
 
I didn't check, does your "show details" show a possible resulting 
"Received-SPF:" header?

No, it does not, and neither does our SPF client in ORF insert the
Received-SPF header. This is an optional feature in the standard and
as our software does not "pollute" (I know many will disagree with the
term) the email header unless the user explicitly tells it so
(blacklisting action header/subject tagging), for consistency we do
not generate or insert the Received-SPF header. Check results are
logged in ORF's log, however. The SPF Checker service is intended to
provide a more detailed log when a questionable situation occurs.

  Peter
 
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com



----- Original Message -----
From: "Peter Karsai" <peter(_dot_)karsai(_at_)gmail(_dot_)com>
Newsgroups: spf.-.sender.policy.framework.discussion
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Saturday, August 27, 2005 3:56 AM
Subject: Re: [spf-discuss] Updated SPF validator and a new checker


Hi Hector,

The draft version that our SPF library works with
(http://www.libspf.org/files/spf-draft-200405.txt) says in Section 3.
SPF Record Evaluation that "If an SPF client encounters a syntax error
in an SPF record, it must terminate processing and return a result of
"unknown".".

The library does a reasonably complete syntax validation on the SPF
policy string before the evaluation to make sure that the policy is OK
and the evaluation will not end with unexpected results. I believe
that we have to be strict on syntax, otherwise we will end up with
something like HTML browsers :)

 Peter

On 8/26/05, Hector Santos <spf-discuss(_at_)winserver(_dot_)com> wrote:
Peter, I ran a few logged SPF results to test against your checker.

For one transaction I got on August 19:

  IP: 199.237.55.172
  CDN:  yes.jcmanagementservices.com
  RPD:  b-p0ckbcgbhbjd-iaagchg-000-(_at_)msg(_dot_)jcmanagementservices(_dot_)com

The SPF record is:

  v=spf1 mx ptr a include

This results in a PASS because of the MX match.

Your checker indicates:

   "199.237.55.172 may send in the name of the domain."

And the details indicate:

   "SPF policy evaluation finished with SPF Unknown."

I retested this by changing the IP to see how it handled a bad IP.

  IP: 199.237.55.173

and our systems return a PERMERROR, which I think is correct; the INCLUDE is
incorrect.

But your checker says:

  "199.237.55.173 may send in the name of the domain."
  "SPF policy evaluation finished with SPF Unknown."

Shouldn't your checker throw an error on this? Not a pass?

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription,
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
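
The two behaviours compared in this thread, as an added example that is not code from ORF, from Santronics or from libspf: a first-match evaluator that only notices the bare `include` when it reaches it, and a validator that rejects the whole record before evaluating. The function names are hypothetical, and `mx_ips` is a constructed stand-in for the DNS lookups, based on the thread's statement that 199.237.55.172 matches the MX.

```python
import re

NEEDS_ARG = {"include", "exists", "ip4", "ip6"}   # argument is mandatory
OPTIONAL_ARG = {"a", "mx", "ptr"}                 # argument may be omitted
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:/])(.+))?$", re.I)

def term_ok(term):
    """True if one term is a syntactically valid mechanism or modifier."""
    if re.match(r"^[a-z][a-z0-9_.-]*=\S*$", term, re.I):
        return True                               # name=value modifier
    m = TERM.match(term)
    if not m:
        return False
    name, sep, arg = m.group(2).lower(), m.group(3), m.group(4)
    if name in NEEDS_ARG:
        return sep == ":" and bool(arg)           # bare "include" fails here
    if name in OPTIONAL_ARG:
        return True
    return name == "all" and sep is None

def matches(term, ip, mx_ips):
    """Constructed stand-in for DNS: only the 'mx' mechanism can match."""
    return term.lstrip("+") == "mx" and ip in mx_ips

def check_lazy(record, ip, mx_ips):
    """Left-to-right evaluation; a bad term is an error only if reached."""
    for term in record.split()[1:]:
        if not term_ok(term):
            return "permerror"
        if matches(term, ip, mx_ips):
            return "pass"
    return "neutral"

def check_strict(record, ip, mx_ips):
    """Validate every term first; any syntax error gives 'unknown'."""
    terms = record.split()
    if terms[:1] != ["v=spf1"] or not all(term_ok(t) for t in terms[1:]):
        return "unknown"
    return check_lazy(record, ip, mx_ips)

RECORD = "v=spf1 mx ptr a include"                # record quoted in the thread
MX = {"199.237.55.172"}                           # constructed lookup result
if __name__ == "__main__":
    for ip in ("199.237.55.172", "199.237.55.173"):
        print(ip, check_lazy(RECORD, ip, MX), check_strict(RECORD, ip, MX))
```

With the lazy evaluator the outcome depends on the connecting IP, while the strict one gives the same answer for both addresses.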
