Difference between revisions of "SPF/term"
< SPF
Jump to navigation
Jump to search
m (Woozle moved page SPF/mechanisms to SPF/mechanism without leaving a redirect) |
|||
| Line 5: | Line 5: | ||
Mechanisms are separated by spaces. | Mechanisms are separated by spaces. | ||
| − | Commonly-used terms | + | Commonly-used terms: |
| − | * {{fmt/arg| | + | * {{fmt/arg|{{l/sub|ip}}}}, aka "the IP" |
| + | * {{fmt/arg|*-cidr-length}}: see {{l/sub|cidr-length}} | ||
* {{arg|domain-spec}} defaults to {{arg|host domain}}. | * {{arg|domain-spec}} defaults to {{arg|host domain}}. | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 19: | Line 20: | ||
| <code>include</code> | | <code>include</code> | ||
| <code>include:{{arg|domain-spec}}</code> | | <code>include:{{arg|domain-spec}}</code> | ||
| − | | utility is unclear; includes evaluation of the given domain, but not in a | + | | utility is unclear; includes SPF evaluation of the given domain, but not in a systematic way |
|- | |- | ||
| colspan=3 | '''Designated sender''': | | colspan=3 | '''Designated sender''': | ||
|- | |- | ||
| <code>a</code> | | <code>a</code> | ||
| − | | a{{fmt/opt|:{{fmt/arg|domain-spec}}}} {{fmt/arg/opt|dual-cidr-length}} | + | | a{{fmt/opt|:{{fmt/arg|domain-spec}}}} {{fmt/arg/opt|dual-{{l/sub|cidr-length}}}} |
| − | | | + | | match if {{arg|domain-spec}} points to one of the {{arg|host domain}}'s IP addresses |
|- | |- | ||
| <code>mx</code> | | <code>mx</code> | ||
| − | | mx{{fmt/opt|:{{fmt/arg|domain-spec}}}} {{fmt/arg/opt|dual-cidr-length}} | + | | mx{{fmt/opt|:{{fmt/arg|domain-spec}}}} {{fmt/arg/opt|dual-{{l/sub|cidr-length}}}} |
| − | | | + | | do an MX lookup on the {{arg|host domain}}, then look up address for each MX name returned... |
* It's not yet clear what the pass/fail criteria are. | * It's not yet clear what the pass/fail criteria are. | ||
* Multiple MX mechanisms may be listed. | * Multiple MX mechanisms may be listed. | ||
| Line 40: | Line 41: | ||
<code>ip4</code><br> | <code>ip4</code><br> | ||
<code>ip6</code> | <code>ip6</code> | ||
| − | | ip''N''{{fmt/opt|:{{fmt/arg|ip''N''-network}}}} {{fmt/arg/opt|ip''N''-cidr-length}} | + | | ip''N''{{fmt/opt|:{{fmt/arg|ip''N''-network}}}} {{fmt/arg/opt|ip''N''-{{l/sub|cidr-length}}}} |
| + | | test whether sender is contained within a given IP network | ||
| + | * can also match a specific IP address, apparently | ||
|- | |- | ||
| <code>exists</code> | | <code>exists</code> | ||
| + | | exists:{{fmt/arg|domain-spec}} | ||
| + | | construct a domain name in various ways, and use that for a DNS A record query. | ||
| + | * This allows for complex/fine-grained examination of the mail envelope to determine what is permitted | ||
| + | * {{fmt/arg|domain-spec}} is defined in [https://www.rfc-editor.org/rfc/rfc7208.html#section-7 Section 7]. | ||
|} | |} | ||
==Footnote== | ==Footnote== | ||
Revision as of 16:36, 18 August 2022
|
SPF mechanisms
|
About
Mechanisms used by SPF are defined in RFC 7208 Section 5. We'll refer to {the domain to which a DNS record refers} as the <host domain> (although the RFC refers to it as <target-name>).
Mechanisms are separated by spaces.
Commonly-used terms:
- <ip>, aka "the IP"
- <*-cidr-length>: see cidr-length
- <domain-spec> defaults to <host domain>.
| code | format | meaning |
|---|---|---|
| Basic: | ||
all
|
all
|
a test that always matches; place as last mechanism in a record to provide an explicit default |
include
|
include:<domain-spec>
|
utility is unclear; includes SPF evaluation of the given domain, but not in a systematic way |
| Designated sender: | ||
a
|
a[:<domain-spec>] [ <dual-cidr-length> ] | match if <domain-spec> points to one of the <host domain>'s IP addresses |
mx
|
mx[:<domain-spec>] [ <dual-cidr-length> ] | do an MX lookup on the <host domain>, then look up address for each MX name returned...
|
|
(do not use[1]) | |
|
|
ipN[:<ipN-network>] [ <ipN-cidr-length> ] | test whether sender is contained within a given IP network
|
exists
|
exists:<domain-spec> | construct a domain name in various ways, and use that for a DNS A record query.
|
Footnote
- ↑ From the RFC (formatting added for clarity): «This mechanism is slow, it is not as reliable as other mechanisms in cases of DNS errors, and it places a large burden on the .arpa name servers. If used, proper PTR records have to be in place for the domain's hosts and the "ptr" mechanism SHOULD be one of the last mechanisms checked. After many years of SPF deployment experience, it has been concluded that it is unnecessary and more reliable alternatives should be used instead. It is, however, still in use as part of the SPF protocol, so compliant check_host() implementations MUST support it.»