On Thu, 27 Jun 2019, Benoit Panizzon via mailop wrote:
> Hi List
>
> Just wondering as I have come across this situation multiple times.
>
> A domain includes SPF entries which have different 'all' settings. Which one is valid?
>
> I would have guessed that an 'include' should never contain the 'all' statement to make it possible for the domain owner to define this.
>
> But for example hosted exchange services often include:
>
> spf-a.outlook.com descriptive text "v=spf1 ip4:157.56.232.0/21 ip4:157.56.240.0/20 ip4:207.46.198.0/25 ip4:207.46.4.128/25 ip4:157.56.24.0/25 ip4:157.55.157.128/25 ip4:157.55.61.0/24 ip4:157.55.49.0/25 ip4:65.55.174.0/25 ip4:65.55.126.0/25 ip4:65.55.113.64/26 ip4:65.55.94.0/25 -all"
>
> I am aware, specifying anything other than '-all' is pretty useless, but shouldn't the choice remain with the domain owner?
>
> Another company publishing such an include SPF for its customers:
>
> _spf.synventis.com descriptive text "v=spf1 ip4:213.239.204.153 ip4:78.46.40.142 ip4:78.46.101.176 ip4:5.9.28.36 ~all"
>
> The customer in question specified '-all' in his TXT entry including the above one.
>
> So which one is valid in the end? Is it the first one encountered while parsing the line or the last one? How are includes processed? After processing the 'main' entry, or recursively, therefore before?

For RFC7208, section 5.2

   In hindsight, the name "include" was poorly chosen. Only the evaluated result of the referenced SPF record is used, rather than literally including the mechanisms of the referenced record in the first. For example, evaluating a "-all" directive in the referenced record does not terminate the overall processing and does not necessarily result in an overall "fail". (Better names for this mechanism would have been "if-match", "on-match", etc.)

In practice this means that any "all" records in the include: are ignored.

-- 
Andrew C. Aitchison    Kendal, UK
and...@aitchison.me.uk
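
The include behaviour quoted from RFC 7208 section 5.2 can be checked with a small evaluator. This is an added example, not part of either message: it handles only the `ip4`, `include` and `all` mechanisms, the two customer domains are hypothetical, and the zone data is constructed from the records quoted in the thread (the outlook.com one shortened).

```python
import ipaddress

# Constructed zone data: the two included records are quoted from the thread
# (the outlook.com one shortened); the customer domains are hypothetical.
RECORDS = {
    "_spf.synventis.com": "v=spf1 ip4:213.239.204.153 ip4:78.46.40.142 "
                          "ip4:78.46.101.176 ip4:5.9.28.36 ~all",
    "spf-a.outlook.com": "v=spf1 ip4:157.56.232.0/21 ip4:157.56.240.0/20 -all",
    "customer-a.example": "v=spf1 include:_spf.synventis.com -all",
    "customer-b.example": "v=spf1 include:spf-a.outlook.com ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate a subset of RFC 7208 (ip4, include, all) for one sender IP."""
    if depth > 10:  # simplified loop guard; the RFC limits DNS-querying terms
        return "permerror"
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        # A missing qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            matched = True
        elif mechanism.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mechanism[4:], strict=False)
        elif mechanism.startswith("include:"):
            inner = check_host(ip, mechanism[8:], depth + 1)
            if inner in ("temperror", "permerror"):
                return inner
            if inner == "none":
                return "permerror"
            # Only an inner "pass" makes the include match; an inner fail,
            # softfail or neutral just means "no match, keep evaluating".
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"
```

For a sender outside the included ranges, `customer-a.example` yields `fail` from its own `-all` even though the included record ends in `~all`, and `customer-b.example` yields `softfail` even though the included record ends in `-all`.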