Thanks to the kind feedback that we have received from all of you, we were able to locate and fix several technical issues in our web-based SPF Policy Tester. The following is a short summary of changes, in no particular order:
- DNS lookup limit counters for SPF terms (“include”, “a”, “mx”, “ptr”, “exists” and “redirect”) and for void lookups now propagate out from recursive evaluations and are tracked in global counters, limiting the maximum number of queries caused by terms to ten, and the number of void lookups to two – as specified in RFC 7208 (Section 4.6.4).
- The status of the DNS lookup limit counters (for SPF terms and DNS void lookups) is now displayed at the end of each DNS lookup, as well as at the end of the SPF evaluation.
- Similarly to ORF Fusion, the SPF Policy Tester is now capable of retrieving oversized TXT records using the TCP protocol.
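As an added illustration of the counter behaviour described in the first item (example code, not Vamsoft's library), the minimal Python evaluator below shares one counter dict across include and redirect recursion so that nested lookups can never reset the limits. The TXT and A zone data and the .test domains are constructed for the example; mechanisms are counted but never matched against a client IP.

```python
"""Shared lookup-limit counters across recursive SPF evaluation (RFC 7208, 4.6.4)."""
CAP = {"terms": 10, "void": 2}   # DNS-querying terms; lookups that return no records
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed TXT (SPF) and A records standing in for real DNS; no client IP is matched.
TXT = {"ok.test": "v=spf1 a mx include:sub.ok.test -all",
       "sub.ok.test": "v=spf1 ip4:192.0.2.0/24 a:mail.ok.test ~all",
       "fat.test": "v=spf1 " + " ".join(f"mx:m{i}.fat.test" for i in range(11)) + " -all",
       "void.test": "v=spf1 a:gone1.test a:gone2.test a:gone3.test -all",
       "hop.test": "v=spf1 redirect=ok.test"}
A = {"ok.test": ["192.0.2.10"], "mail.ok.test": ["192.0.2.25"]}

class PermError(Exception):
    pass

def charge(limits, kind):
    limits[kind] += 1
    if limits[kind] > CAP[kind]:
        raise PermError(f"{kind} limit of {CAP[kind]} exceeded")

def query(zone, name, limits):
    answer = zone.get(name)
    if not answer:                              # NXDOMAIN or empty answer: a void lookup
        charge(limits, "void")
    return answer

def check(domain, limits):                      # limits is shared by every recursion level
    record, redirect = query(TXT, domain, limits), None
    if not record:
        return "none"
    for term in record.split()[1:]:             # skip the "v=spf1" version tag
        if term.startswith("redirect="):        # modifier: used only if nothing matches
            redirect = term.partition("=")[2]
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech in ("include", "a", "mx", "ptr", "exists"):
            charge(limits, "terms")             # counted before the lookup is made
        if mech == "all" or (mech == "include" and check(arg, limits) == "pass"):
            return QUALIFIER.get(term[0], "pass")
        if mech == "a":                         # mx/ptr/exists are counted, not resolved
            query(A, arg.split("/")[0] or domain, limits)
    if redirect:                                # charged only when it is actually followed
        charge(limits, "terms")
        return check(redirect, limits)
    return "neutral"

def evaluate(domain):
    limits = {"terms": 0, "void": 0}            # returns (result, terms used, void lookups)
    try:
        return check(domain, limits), limits["terms"], limits["void"]
    except PermError:
        return "permerror", limits["terms"], limits["void"]
```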
Our SPF Syntax Validator and SPF Policy Tester tools have just received a major overhaul and I am happy to report that both services are now fully compliant with the latest RFC 7208 version of the SPF standard. Not only that, both services have received full IPv6 support and feature a much improved syntax validator that catches more errors and raises more warnings to help you troubleshoot SPF problems in no time.
SPF Policy Tester in action
Just like the previous versions, the most recent incarnation of our SPF services is powered by Vamsoft’s own SPF client library, the very same one used in our ORF email security product — which means the changes are coming to ORF, too. Stay tuned for the next version!
Gory technical details in the changelog below:
- All SPF services updated to RFC 7208 from the previous SPF-C RFC draft version.
- Complete IPv6 support.
- Live evaluation logging.
- Various validation improvements:
  - Domain-spec arguments are now validated at syntax-check time, as long as they are macro-free.
  - Warning during syntax validation if more than 10 DNS-based SPF terms are used in the policy (RFC 7208, Section 4.6.4 defines a hard limit of 10 such terms during evaluation).
  - Extensive logging of error scenarios for the “exp” modifier, including syntax errors and DNS errors.
  - Improved IPv4 validation for the “ip4” mechanism: the octal notation of IPv4 addresses is no longer accepted, and a hint is offered if the IPv4 address is valid but does not conform to the dotted-quad decimal notation.
  - Warning when a “redirect” modifier is present anywhere in the string along with an “all” mechanism. In this case the “redirect” modifier will never be used, because “redirect” is only consulted when no mechanism matches, and “all” always matches.
  - A warning is now raised if duplicate mechanisms are found in the policy string.
  - Components of variable-length macro-expands are now verified for positional issues (digits, followed by “r”, followed by delimiters).
  - Warning during syntax validation if a macro-free domain-spec argument ends with a trailing dot (ambiguous).
  - Maximum domain length for extended domain expressions is now enforced.
  - Warning raised if the SPF policy length exceeds 450 characters (see RFC 7208, Section 3.4).
  - The expanded “exp” modifier string is now validated for character set and length as per the SMTP rules in RFC 5321.
- Various changes as required by the RFC update:
  - Unknown mechanisms now trigger an error. Previously, such a mechanism only triggered a warning that reaching the unknown mechanism would stop processing with an error. Fun trivia: there is no such thing as an unknown mechanism as per the RFC, but an unknown/invalid SPF term may look like an SPF mechanism.
  - Unescaped “%” characters in macro-expands are now treated as a syntax error (the original RFC required treating them as a literal; RFC 7208 requires them to be treated as a syntax error).
  - A warning is now raised on the use of the “ptr” mechanism. This mechanism should no longer be published, as explained in RFC 7208, Section 5.5.
  - The macro letter “r” is now only allowed in the “exp” modifier (RFC 7208 limitation).
  - A warning is now raised on the use of the “p” macro letter. This macro letter should no longer be used.
  - RFC change: trailing dots are now accepted in domain-spec arguments.
  - The cidr-length 0 is now allowed by the SPF parser (it wasn’t allowed previously). A cidr-length of 0 is explicitly allowed by the RFC ABNF.
- Cosmetic bugfixes.