SPF/term

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
< SPF
Revision as of 14:48, 19 August 2022 by Woozle (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
SPF terms

About

SPF terms are either mechanisms (which are ways of evaluating and return pass/fail) or modifiers (which return additional information but do not evaluate). All terms are separated by spaces.

Mechanisms used by SPF are defined in RFC 7208 Section 5.

Modifiers used by SPF are defined in RFC 7208 Section 6.

Commonly-used argument names:

  • <*-cidr-length>: see cidr-length
  • <domain-spec> defaults to <host domain>.
    • In some cases, this is parsed using the SPF macro language; it's not clear whether this applies to all cases, however.
    • Either way, a domain name without any SPF markup will be interpreted literally (i.e. as you'd expect).
  • <host domain> is the domain whose DNS record we're constructing/examining
    • The RFC calls this the <target-name>).

Terms used in explanations:

  • <sender-ip>: the IP address from which the message is being received
code format meaning
Basic mechanisms:
all all a test that always matches; place as last mechanism in a record to provide an explicit default
include include:<domain-spec> utility is unclear; includes SPF evaluation of the given domain, but not in a systematic way
Designated sender mechanisms:
a a[:<domain-spec>][/<dual-cidr-length>] All the A or AAAA records for <domain-spec> are tested. If <sender-ip> is found among them, this mechanism matches.
  • Use of A or AAAA depends on whether the connection is made over IPv4 or IPv6 respectively.
mx mx[:<domain-spec>][/<dual-cidr-length>] All the A or AAAA records for all the MX records for <domain-spec> are tested in order of MX priority. If <sender-ip> is found among them, this mechanism matches.
  • Use of A or AAAA depends on whether the connection is made over IPv4 or IPv6 respectively.
ptr (do not use[1])

ip4
ip6

ipN[:<ipN-network>][/<ipN-cidr-length>] test whether sender is contained within a given IP network (address range)
  • can also match a specific IP address, apparently
exists exists:<domain-spec> construct a domain name in various ways, and use that for a DNS A record query.
  • This allows for complex/fine-grained examination of the mail envelope to determine what is permitted
  • <domain-spec> is defined in Section 7.
Modifiers:
exp exp=<domain> The given <domain> should have a DNS TXT record (interpreted using SPF's macro language) to get an explanation for FAIL results – typically a URL which is added to the SMTP error code. This feature is rarely used.
redirect redirect=<domain-spec> Replace this SPF record with the SPF record from <domain-spec>.
  • The macro-expanded domain is also substituted for the current domain in those lookups.

Clarification

Where the syntax looks like this --

<term>[:<spec>][/<dual-cidr-length>]

-- valid combinations are:

<term>
<term>/<dual-cidr-length>
<term>:<spec>
<term>:<spec>/<dual-cidr-length>

Links

Footnote

  1. From the RFC (formatting added for clarity): «This mechanism is slow, it is not as reliable as other mechanisms in cases of DNS errors, and it places a large burden on the .arpa name servers. If used, proper PTR records have to be in place for the domain's hosts and the "ptr" mechanism SHOULD be one of the last mechanisms checked. After many years of SPF deployment experience, it has been concluded that it is unnecessary and more reliable alternatives should be used instead. It is, however, still in use as part of the SPF protocol, so compliant check_host() implementations MUST support it.»