
I'm using this reference page... http://www.openspf.org/SPF_Record_Syntax

...but I don't know if I'm interpreting the syntax correctly.

Are the following scenarios correct?

"v=spf1 a -all"

a = check DNS A records of the client
- = fail
all = always match

Scenario 1

  • Email is sent by someone@bank.gov from client 203.0.113.0
  • A record for bank.gov is 203.0.113.0
  • SPF checks the A record for bank.gov, gets a match between the client IP and the A record, the check passes

Scenario 2

  • Email is sent by spammer@bank.gov from client 192.0.2.0
  • A record for bank.gov is 203.0.113.0
  • SPF checks the A record for bank.gov, the client IP and the A record DO NOT match, the check fails

Scenario 3

  • Email is sent by person@home.net from client 192.88.99.0
  • There are no DNS records for 192.88.99.0
  • SPF checks for an A record for home.net, a match on the A record cannot be performed, the 'a' mechanism does not match, deny all applies, the check fails
  • What's the difference between 1 and 2? – Lucio Crusca Oct 24 '18 at 20:34
  • When using 'a' in the SPF record, your domain must have both A and AAAA records. Whether the record being looked up is A or AAAA depends on the IP address used by the sender, which is outside of your control. Hence you need both in order for your SPF record to be valid. – kasperd Oct 24 '18 at 20:41
  • @LucioCrusca, I was confused. You are right, example 1 was redundant. I removed it and renumbered the examples. Thanks. – Michael Curtis Oct 24 '18 at 21:14

1 Answer


Yes, those scenarios are correct.

However, you talk about the "client" ip address. That is not usually what is checked since email is rarely sent directly from a client to the recipient's mail server. The process usually looks more like this:

sender's computer
   -> sender's mail server
      -> recipient's mail server (SPF is checked here)
         -> recipient's computer

SPF is checked by the recipient's mail server, and the IP used in the lookup is the IP address of the current connection. In this case, that would be the sender's mail server.

Another common scenario looks like this:

sender's computer
   -> sender's mail server
      -> sender's mail service provider
         -> recipient's mail server (SPF is checked here)
            -> recipient's computer

In this case, the IP address of the sender's mail service provider needs to be allowed by the SPF rule.

And taking that a step further:

sender's computer
   -> sender's mail server
      -> sender's mail service provider
         -> recipient's anti-spam mail service provider (SPF is checked here)
            -> recipient's mail server (SPF must not be checked here)
               -> recipient's computer

In this case, the recipient's spam filter does the SPF check because it's the only one that will receive the connection from the sender's mail service provider. If the recipient's mail server tries to validate SPF, it will always fail because it will only ever see the IP address of the anti-spam server.

longneck
  • thanks for the detailed answer. Re. 'client' what I meant (which I hope is correct) is the client SMTP server sending to recipient's SMTP server. The case I'm troubleshooting is system generated email composed on the same machine that hosts the sending SMTP server. On the recipient's end we probably have all three examples you listed. – Michael Curtis Oct 24 '18 at 21:02
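As an added illustration (not part of the question or of longneck's answer), here is a small SPF evaluator in Python that implements only the mechanisms this thread talks about ('a', 'a:domain', 'ip4', 'ip6' and 'all') against a constructed in-memory DNS table. It runs the three scenarios from the question, adds the IPv6/AAAA case kasperd raises, and then evaluates the same record at each hop of the anti-spam-provider chain from the answer to show why the check only works at the hop that receives the connection from the sender's side. The DNS data, the use of bank.gov and home.net, and the address 198.51.100.5 for the anti-spam provider are assumptions made for the example; real DNS lookups, 'include', 'mx', 'redirect' and CIDR suffixes on 'a' are out of scope.

```python
import ipaddress

# Constructed in-memory DNS table for this example (documentation addresses,
# not the real records of any of these domains).
FAKE_DNS = {
    ("bank.gov", "A"): ["203.0.113.0"],
    ("bank.gov", "AAAA"): ["2001:db8::10"],
    ("home.net", "A"): [],          # home.net publishes no address records
    ("home.net", "AAAA"): [],
}

# SPF qualifier -> result (RFC 7208 section 4.6.2)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS resolver: returns the address strings for name/rrtype."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        mechanisms.append((qualifier, name.lower(), argument))
    return mechanisms


def mechanism_matches(name, argument, domain, client_ip):
    """Return True if the mechanism matches the connecting IP."""
    if name == "all":
        return True
    if name == "a":
        # "a" looks up the address records of the *domain* being checked
        # (or of a:<domain>), not of the client. Which record type is fetched
        # depends on whether the connection arrived over IPv4 or IPv6, which
        # is why both A and AAAA records should exist.
        target = argument or domain
        rrtype = "AAAA" if client_ip.version == 6 else "A"
        return any(ipaddress.ip_address(a) == client_ip for a in lookup(target, rrtype))
    if name in ("ip4", "ip6"):
        network = ipaddress.ip_network(argument, strict=False)
        return client_ip in network      # False when the address families differ
    raise ValueError(f"mechanism not supported by this example: {name}")


def check_spf(record, domain, connecting_ip):
    """Evaluate an SPF record against the IP of the *current SMTP connection*."""
    client_ip = ipaddress.ip_address(connecting_ip)
    for qualifier, name, argument in parse_record(record):
        if mechanism_matches(name, argument, domain, client_ip):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # no mechanism matched


def question_scenarios():
    """The three scenarios from the question plus an IPv6 connection."""
    record = "v=spf1 a -all"
    return {
        "scenario1": check_spf(record, "bank.gov", "203.0.113.0"),  # pass
        "scenario2": check_spf(record, "bank.gov", "192.0.2.0"),    # fail
        "scenario3": check_spf(record, "home.net", "192.88.99.0"),  # fail
        "ipv6": check_spf(record, "bank.gov", "2001:db8::10"),      # pass via AAAA
    }


def results_at_each_hop(record, domain, hop_connection_ips):
    """Evaluate the same record at successive receiving hops.

    Each entry is the source IP of the connection that hop receives. Only the
    first hop on the recipient's side sees the sender's IP; every later hop
    sees the previous hop's IP instead.
    """
    return [check_spf(record, domain, ip) for ip in hop_connection_ips]


if __name__ == "__main__":
    for name, result in question_scenarios().items():
        print(f"{name}: {result}")
    # Assumed chain: sender's mail service provider (203.0.113.0, the bank.gov
    # A record) -> recipient's anti-spam provider (assumed 198.51.100.5) ->
    # recipient's mail server. The anti-spam hop passes; the mail server
    # behind it fails because it only ever sees the anti-spam provider's IP.
    print(results_at_each_hop("v=spf1 a -all", "bank.gov", ["203.0.113.0", "198.51.100.5"]))
```

The last call is the point of the answer's third diagram in code: the same record and the same domain yield "pass" at the anti-spam provider and "fail" at the mail server behind it, so the inner server must trust the outer hop's verdict (for example via an Authentication-Results header) rather than re-running the check.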