Checking SPF in PHP

Question

An IT service provider have to write our SPF changes on Internet, I just mail my instructions.

I created a program in PHP to check in one click all my domains, to see if it is correct (sometimes a bad copy-paste include bad characters)

I tried to test the SPF with

if (strpos(strtolower($spf), 'v=spf')

but this doesn't check bad characters

I tried with a preg_match but it's not working

A spf record can contain only these characters [a-z] [0-9] . ? - ~ (space) and must start with v=spf

all other characters must echo "Invalid syntax"

Example:

$spfdata='v=spf1 mx 1.2.3.4 ~all';

if (preg_match('/(v=spf)([a-z0-9-~?.])/i', $spfdata)){
    echo "SPF seems to be ok";
} else {
    echo "Invalid syntax";
}

This doesn't work it always says "ok" even if I type a bad character.

You did not put any quantifier after the character class - so this looks for one single character that matches the class only. And since you did not anchor your pattern to the beginning and end, _anything_ is allowed after that one character. — 04FS, Oct 10 '19 at 13:55
There are PHP libraries to help validate SPF, such as in this question: https://stackoverflow.com/questions/36749957/how-to-validate-spf-records-with-php, why not use one instead of rolling your own? — robsiemb, Oct 10 '19 at 13:56

score 1 · Accepted Answer · answered Oct 12 '19 at 07:53

1

You may use

'/^v=spf[a-z0-9~? .-]+$/i'

Or, if you want to allow any kind of whitespace:

'/^v=spf[a-z0-9~?\s.-]+$/i'

PHP code:

$spfdata='v=spf1 mx 1.2.3.4 ~all';

if (preg_match('/^v=spf[a-z0-9~?\s.-]+$/i', $spfdata)){
    echo "SPF seems to be ok";
} else {
    echo "Invalid syntax";
}

See the PHP demo

The regex matches

^ - start of string
v=spf - a literral text
[a-z0-9~?\s.-]+ - 1+ ASCII letters, digits, ~, ?, whitespaces, . or -
$ - end of string.

answered Oct 12 '19 at 07:53

Wiktor Stribiżew

607,720
39
448
563

Thanks @Wiktor Stribizew in the regex a just remplace the \s by a normal whitespace and also add : and + that I forgot (SPF can contain those characters) – Cyberscooty Oct 12 '19 at 09:03
I had some weird response when spf contain the dash We have to add an escape charactere for the - like so: `'/^v=spf[a-z0-9~?\s.\-]+$/i'` – Cyberscooty Oct 14 '19 at 09:19
Why? What was the exact input? – Wiktor Stribiżew Oct 14 '19 at 09:19
it said Invalid syntax instead of ok the input was something like v=spf1 mx 1.2.3.4 -all (which is valid) – Cyberscooty Oct 14 '19 at 09:21
You should check for any invisible chars at the start/end of the string. – Wiktor Stribiżew Oct 14 '19 at 09:38

score 0 · Answer 2 · answered Oct 12 '19 at 08:54

I don't know why but when I delete the first block (v=spf) the regex seems to be good I tried a lot of differents things and finally this works (I invert the logic with the ^)

So the regex says "if your are NOT in the bracket expression you are ok"

$spfdata='v=spf1 mx 1.2.3.4 ~all';

if (preg_match('#[^a-z0-9 :\+=.\-~\?]#', $spfdata)){
    echo "Invalid syntax";
} else {
    echo "SPF seems to be ok";
}

Checking SPF in PHP

2 Answers2