
I want to update and simplify the SPF record of my domain. Unfortunately, http://www.openspf.org/SPF_Record_Syntax is unclear.

My domain uses one MX relay for receiving and sending. The SPF rule is then as simple as this: v=spf1 mx -all. This forbids sending mail from any other source.

The problem I have is that one user uses its provider (belgacom.be) for outgoing mail relay. The provider's current SPF rule is the following: v=spf1 mx include:ispmail.spf.secure-mail.be include:bgc.spf.secure-mail.be include:bgcpartners.spf.secure-mail.be ~all

I'm tempted to define my SPF rule as v=spf1 mx include:belgacom.be -all, but it is unclear what the ~all in the included SPF rule will do. The rules included by belgacom.be's rule also have a ~all. Will the ~all in the included rules be considered as a match and will my -all be ignored?

Edit: Found the testing tool http://www.kitterman.com/spf/validate.html. By adding the include:belgacom.be I get Permanent Error SPF Permanent Error: Too many DNS lookups. The question on the included ~all remains open.

chmike
    https://tools.ietf.org/html/rfc7208#section-5.2 is pretty clear – Håkan Lindqvist May 07 '17 at 14:10
  • @Håkan Lindqvist The table makes the answer very clear. Thanks for the link. If you provide an answer, I'll validate it. Or I may delete the answer if you prefer. – chmike May 07 '17 at 14:20
  • what about `v=spf1 mx mx:belgacom.be include:ispmail.spf.secure-mail.be include:bgc.spf.secure-mail.be include:bgcpartners.spf.secure-mail.be -all`? Note that you need to regularly check the upstream's SPF records then. – sebix May 07 '17 at 15:36
  • To optimize SPF filtering (avoid DNS queries) I used IP addresses only. I also replaced the mx with my ip4 and ip6 addresses. For belgacom.be I used `ip4:195.238.0.0/19`. This seems good enough. I don't know if they have IPv6 addresses. – chmike May 07 '17 at 16:43
  • Almost the same question: [What does a “-all” do in an included (secondary) SPF record?](https://superuser.com/q/1167143/61370) – pabouk - Ukraine stay strong Sep 05 '18 at 08:20

1 Answer


The include mechanism in SPF is a bit of a misnomer in that it does not actually include the referenced record's contents into the main record.

Instead the referenced record is evaluated separately and its pass/fail result is reinterpreted as the include being a match or a not match (no longer pass/fail!).
(See the conversion table in the include section of the SPF spec for all the cases.)

Thus, just like for other mechanisms, it's the optional qualifier prefix (default +) to the include which determines what it actually means when the mechanism matches.

Simple non-include example:

  • ip4:192.0.2.1 (aka +ip4:192.0.2.1) means that if the IPv4 address of the client is 192.0.2.1, then the result is pass.

  • -ip4:192.0.2.1 means that if the IPv4 address of the client is 192.0.2.1, then the result is fail.

include example:

  • include:foo.example.com (aka +include:foo.example.com) means that if the evaluation of the SPF record at foo.example.com resulted in pass, this means that the include is a match, so the result is set according to the qualifier of this include, hence pass.
  • -include:foo.example.com means that if the evaluation of the SPF record at foo.example.com resulted in pass, this means that the include is a match, so the result is set according to the qualifier of this include, hence fail.
Håkan Lindqvist
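To make the conversion table concrete, here is a small SPF evaluator written for this answer (it is not part of the original post and not real belgacom.be data). It models only ip4, include and all over a constructed, offline record map, applies the RFC 7208 section 5.2 rule that an included record's ~all is discarded rather than propagated, and enforces the 10-lookup limit that produced the asker's "Too many DNS lookups" permerror.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; the domains and addresses are invented.
RECORDS = {
    "example.org":   "v=spf1 ip4:203.0.113.10 include:isp.example -all",
    "isp.example":   "v=spf1 ip4:198.51.100.0/24 include:relay.example ~all",
    "relay.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "loop.example":  "v=spf1 include:loop.example -all",  # exceeds the lookup limit
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms -> permerror


def check_host(ip, domain, records=RECORDS, counter=None):
    """Evaluate the SPF record of `domain` for client `ip`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    counter = counter if counter is not None else [0]  # shared across includes
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = client.version == 4 and client in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            counter[0] += 1
            if counter[0] > LOOKUP_LIMIT:
                return "permerror"
            inner = check_host(ip, arg, records, counter)
            # Section 5.2 table: only an inner "pass" is a match. Inner fail,
            # softfail and neutral are "not match", so the inner ~all never
            # surfaces; inner none/permerror become a permerror for the caller.
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mx, a, exists, ... are not modelled here
        if matched:
            return QUALIFIERS[qual]  # the outer qualifier decides the result
    return "neutral"  # no term matched and no "all" present
```

Running check_host("10.0.0.1", "example.org") yields fail: the included record evaluates to softfail, which is merely "not match", so the outer -all still applies.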