Difference between revisions of "SPF/term"

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
< SPF
Jump to navigation Jump to search
m (Woozle moved page SPF/mechanism to SPF/term)
(modifiers need to be added)
Line 1: Line 1:
{{fmt/title|SPF mechanisms}}
+
{{fmt/title|SPF terms}}
 
==About==
 
==About==
Mechanisms used by [[../]] are defined in [https://www.rfc-editor.org/rfc/rfc7208.html#section-5 RFC 7208 Section 5]. We'll refer to {the domain to which a DNS record refers} as the {{arg|host domain}} (although the RFC refers to it as {{fmt/xml/tag|target-name}}).
+
SPF terms are either ''mechanisms'' (which are ways of evaluating and return pass/fail) or ''modifiers'' (which return additional information but do not evaluate). All terms are separated by spaces.
  
Mechanisms are separated by spaces.
+
'''Mechanisms''' used by [[../]] are defined in [https://www.rfc-editor.org/rfc/rfc7208.html#section-5 RFC 7208 Section 5].  
  
Commonly-used terms:
+
'''Modifiers''' used by SPF are defined in [https://www.rfc-editor.org/rfc/rfc7208.html#section-6 RFC 7208 Section 6].
* {{fmt/arg|{{l/sub|ip}}}}, aka "the IP"
+
 
 +
Commonly-used argument names:
 
* {{fmt/arg|*-cidr-length}}: see {{l/sub|cidr-length}}
 
* {{fmt/arg|*-cidr-length}}: see {{l/sub|cidr-length}}
* {{arg|domain-spec}} defaults to {{arg|host domain}}.
+
* {{fmt/arg|domain-spec}} defaults to {{arg|host domain}}.
 +
* {{fmt/arg|host domain}} is the domain whose DNS record we're constructing/examining
 +
** The RFC calls this the {{fmt/xml/tag|target-name}}).
 +
* {{fmt/arg|{{l/sub|ip}}}}, aka "the IP": I thought this meant one thing, but now I'm not sure.
 
{| class="wikitable"
 
{| class="wikitable"
 
! code !! format || meaning
 
! code !! format || meaning
 
|-
 
|-
| colspan=3 | '''Basic''':
+
| colspan=3 | '''Basic''' mechanisms:
 
|-
 
|-
 
| <code>all</code>
 
| <code>all</code>
Line 22: Line 26:
 
| utility is unclear; includes SPF evaluation of the given domain, but not in a systematic way
 
| utility is unclear; includes SPF evaluation of the given domain, but not in a systematic way
 
|-
 
|-
| colspan=3 | '''Designated sender''':
+
| colspan=3 | '''Designated sender''' mechanisms:
 
|-
 
|-
 
| <code>a</code>
 
| <code>a</code>
Line 50: Line 54:
 
* This allows for complex/fine-grained examination of the mail envelope to determine what is permitted
 
* This allows for complex/fine-grained examination of the mail envelope to determine what is permitted
 
* {{fmt/arg|domain-spec}} is defined in [https://www.rfc-editor.org/rfc/rfc7208.html#section-7 Section 7].
 
* {{fmt/arg|domain-spec}} is defined in [https://www.rfc-editor.org/rfc/rfc7208.html#section-7 Section 7].
 +
|-
 +
| colspan=3 | '''Modifiers''':
 +
|-
 
|}
 
|}
 
==Footnote==
 
==Footnote==

Revision as of 17:08, 18 August 2022

SPF terms

About

SPF terms are either mechanisms (which are ways of evaluating and return pass/fail) or modifiers (which return additional information but do not evaluate). All terms are separated by spaces.

Mechanisms used by SPF are defined in RFC 7208 Section 5.

Modifiers used by SPF are defined in RFC 7208 Section 6.

Commonly-used argument names:

  • <*-cidr-length>: see cidr-length
  • <domain-spec> defaults to <host domain>.
  • <host domain> is the domain whose DNS record we're constructing/examining
    • The RFC calls this the <target-name>).
  • <ip>, aka "the IP": I thought this meant one thing, but now I'm not sure.
code format meaning
Basic mechanisms:
all all a test that always matches; place as last mechanism in a record to provide an explicit default
include include:<domain-spec> utility is unclear; includes SPF evaluation of the given domain, but not in a systematic way
Designated sender mechanisms:
a a[:<domain-spec>] [ <dual-cidr-length> ] match if <domain-spec> points to one of the <host domain>'s IP addresses
mx mx[:<domain-spec>] [ <dual-cidr-length> ] do an MX lookup on the <host domain>, then look up address for each MX name returned...
  • It's not yet clear what the pass/fail criteria are.
  • Multiple MX mechanisms may be listed.
ptr (do not use[1])

ip4
ip6

ipN[:<ipN-network>] [ <ipN-cidr-length> ] test whether sender is contained within a given IP network
  • can also match a specific IP address, apparently
exists exists:<domain-spec> construct a domain name in various ways, and use that for a DNS A record query.
  • This allows for complex/fine-grained examination of the mail envelope to determine what is permitted
  • <domain-spec> is defined in Section 7.
Modifiers:

Footnote

  1. From the RFC (formatting added for clarity): «This mechanism is slow, it is not as reliable as other mechanisms in cases of DNS errors, and it places a large burden on the .arpa name servers. If used, proper PTR records have to be in place for the domain's hosts and the "ptr" mechanism SHOULD be one of the last mechanisms checked. After many years of SPF deployment experience, it has been concluded that it is unnecessary and more reliable alternatives should be used instead. It is, however, still in use as part of the SPF protocol, so compliant check_host() implementations MUST support it.»
Retrieved from "https://htyp.org/mw/index.php?title=SPF/term&oldid=28459"