Posted to users@spamassassin.apache.org by "McDonald, Dan" <Da...@austinenergy.com> on 2008/09/22 15:39:11 UTC

SPF not matching

I'm having trouble with a correspondent who is using SPF, is sending
from a host allowed in policy, but the SPF rule is not matching.

Their spf record (obfuscated) is:
example.com.		3600	IN	TXT	"v=spf1 mx ptr ip4:a.a.a.0/24 ip4:b.b.b.0/24 a:mailrelay a:exchange mx:male.example.com mx:femail -all"

I realize that it is malformed - shouldn't have non FQDN's in the a: or
mx: types, and male.example.com doesn't have an mx record (it is the mx
for 'example.com').  But that being said, those ones that are valid
ought to be recognized.

The message is being sent from a.a.a.11, so the ip4:a.a.a.0/24 record
should match.

I have both the old and new style SPF modules loaded:
[mcdonalddj@sa ~]$ rpm -qa | grep SPF
perl-Mail-SPF-Query-1.997-2mdk
perl-Mail-SPF-2.005-1.1.20060mlcs4


SPF works for other domains:
$ grep -c SPF_PASS /var/log/mail/info
11963
$ grep -c SPF_FAIL /var/log/mail/info
216
$ grep -c SPF_SOFTFAIL /var/log/mail/info
177

A total of 3710 distinct domains passed SPF, if my grep is correct
$ grep SPF_PASS /var/log/mail/info | grep -P -o '<.+?> ->' | cut -d @ -f 2 | cut -d \> -f 1 | sort | uniq | wc
   3710    3710   66125

Any clues?

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com


Re: SPF not matching

Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Mon, 2008-09-22 at 15:49 +0200, mouss wrote:
> McDonald, Dan wrote:
> > I'm having trouble with a correspondent who is using SPF, is sending
> > from a host allowed in policy, but the SPF rule is not matching.
> > 
> > Their spf record (obfuscated) is:
> > example.com.		3600	IN	TXT	"v=spf1 mx ptr ip4:a.a.a.0/24 ip4:b.b.b.0/24 a:mailrelay a:exchange mx:male.example.com mx:femail -all"

> > Any clues?
> > 
> 
> sure. a.a.a.a is not allowed to send mail. IP addresses may not contain 
> letters.

As I said, I obfuscated it.  There are numbers there, but I didn't want
to publicly shame the offender.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com


Re: SPF not matching

Posted by mouss <mo...@netoyen.net>.
McDonald, Dan wrote:
> I'm having trouble with a correspondent who is using SPF, is sending
> from a host allowed in policy, but the SPF rule is not matching.
> 
> Their spf record (obfuscated) is:
> example.com.		3600	IN	TXT	"v=spf1 mx ptr ip4:a.a.a.0/24 ip4:b.b.b.0/24 a:mailrelay a:exchange mx:male.example.com mx:femail -all"
> 
> I realize that it is malformed - shouldn't have non FQDN's in the a: or
> mx: types, and male.example.com doesn't have an mx record (it is the mx
> for 'example.com').  But that being said, those ones that are valid
> ought to be recognized.
> 
> The message is being sent from a.a.a.11, so the ip4:a.a.a.0/24 record
> should match.
> 
> I have both the old and new style SPF modules loaded:
> [mcdonalddj@sa ~]$ rpm -qa | grep SPF
> perl-Mail-SPF-Query-1.997-2mdk
> perl-Mail-SPF-2.005-1.1.20060mlcs4
> 
> 
> SPF works for other domains:
> $ grep -c SPF_PASS /var/log/mail/info
> 11963
> $ grep -c SPF_FAIL /var/log/mail/info
> 216
> $ grep -c SPF_SOFTFAIL /var/log/mail/info
> 177
> 
> A total of 3710 distinct domains passed SPF, if my grep is correct
> $ grep SPF_PASS /var/log/mail/info | grep -P -o '<.+?> ->' | cut -d @ -f 2 | cut -d \> -f 1 | sort | uniq | wc
>    3710    3710   66125
> 
> Any clues?
> 

sure. a.a.a.a is not allowed to send mail. IP addresses may not contain 
letters.



Re: SPF not matching

Posted by Martin Gregorie <ma...@gregorie.org>.
> I realize that it is malformed - shouldn't have non FQDN's in the a: or
> mx: types, and male.example.com doesn't have an mx record (it is the mx
> for 'example.com').  But that being said, those ones that are valid
> ought to be recognized.
> 
A gentle suggestion to the SPF owner to visit 

http://www.kitterman.com/spf/validate.html

to validate and fix his SPF record might help both him and you.


Martin



Re: SPF not matching

Posted by Matt Kettler <mk...@verizon.net>.
McDonald, Dan wrote:
> I'm having trouble with a correspondent who is using SPF, is sending
> from a host allowed in policy, but the SPF rule is not matching.
>
> Their spf record (obfuscated) is:
> example.com.		3600	IN	TXT	"v=spf1 mx ptr ip4:a.a.a.0/24 ip4:b.b.b.0/24 a:mailrelay a:exchange mx:male.example.com mx:femail -all"
>
> I realize that it is malformed - shouldn't have non FQDN's in the a: or
> mx: types, and male.example.com doesn't have an mx record (it is the mx
> for 'example.com').  But that being said, those ones that are valid
> ought to be recognized.
>   
Actually, as best I can tell, several popular SPF libraries will just
barf on invalid records.

i.e.: http://www.kitterman.com/spf/validate.html

Will barf, and refuse to generate a PASS.

(I tried the tester with "v=spf1 mx ptr ip4:1.1.1.0/24 ip4:2.2.2.0/24
a:mailrelay a:exchange mx:male.example.com mx:femail -all" and mail
being from: foo@example.com ip: 1.1.1.11.)

I guess the assumption is an invalid SPF record isn't trustworthy at
all, and quite likely created by a spammer, so it should only generate
an error.

Looking at Mail::SPF, it appears to generate an exception
"Mail::SPF::EJunkInRecord" for bad records.
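
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Mail::SPF's code: a simplified checker that syntax-checks the whole record before evaluating any mechanism, run on the record and client IP given to the tester. `FIXED_RECORD` is a hypothetical repair; macros, `include` and modifiers are left out, and `a`/`mx`/`ptr` are treated as non-matching so the example runs without DNS.

```python
import ipaddress
import re

# Record and client IP as given to the online tester in the reply above.
THREAD_RECORD = ("v=spf1 mx ptr ip4:1.1.1.0/24 ip4:2.2.2.0/24 "
                 "a:mailrelay a:exchange mx:male.example.com mx:femail -all")
# Hypothetical repair (an assumption): bare host names written as FQDNs.
FIXED_RECORD = ("v=spf1 mx ptr ip4:1.1.1.0/24 ip4:2.2.2.0/24 "
                "a:mailrelay.example.com a:exchange.example.com -all")

TERM = re.compile(r"^([+\-~?]?)(all|a|mx|ptr|ip4)(?::([^/]+))?(?:/(\d+))?$", re.I)
# Simplified domain-spec: must end in ".<toplabel>" and the toplabel needs a letter.
DOMAIN = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)*\.[a-z0-9-]*[a-z][a-z0-9-]*\.?$", re.I)
RESULTS = {"": "pass", "+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse(record):
    """Syntax-check every term up front; raise ValueError on the first bad one."""
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms:
        m = TERM.match(term)
        if not m:
            raise ValueError(f"junk in record: {term}")
        qual, mech, arg, cidr = m.groups()
        mech = mech.lower()
        if mech == "ip4":
            # IPv4Network raises ValueError for a missing or malformed address.
            arg = ipaddress.IPv4Network(f"{arg}/{cidr or 32}", strict=False)
        elif arg is not None and (mech == "all" or not DOMAIN.match(arg)):
            raise ValueError(f"junk in record: {term}")
        parsed.append((qual, mech, arg))
    return parsed


def check_host(record, client_ip):
    """Return an SPF result; any syntax error rejects the whole record."""
    try:
        terms = parse(record)
    except ValueError:
        return "permerror"  # nothing is evaluated, not even a valid ip4 term
    ip = ipaddress.IPv4Address(client_ip)
    for qual, mech, arg in terms:
        # a/mx/ptr need DNS lookups; this offline sketch treats them as non-matching.
        if mech == "all" or (mech == "ip4" and ip in arg):
            return RESULTS[qual]
    return "neutral"
```

The sender's address falls inside `ip4:1.1.1.0/24`, yet the unqualified `a:mailrelay` term makes the whole record a permanent error, so the `ip4` term is never reached.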