# This is the openspf.org test suite (release 2009.10) based on RFC 4408.
# http://www.openspf.org/Test_Suite
#
# $Id$
# vim:sw=2 sts=2 et
#
# See rfc4408-tests.CHANGES for a changelog.
#
# Contributors:
# Stuart D Gathman 90% of the tests
# Julian Mehnle some tests, proofread YAML syntax, formal schema
# Frank Ellermann
# Scott Kitterman
# Wayne Schlitt
# Craig Whitmore
# Norman Maurer
# Mark Shewmaker
# Philip Gladstone
#
# While the test suite is designed for all types of implementations, it only
# needs to explicitly concern itself with SPF-only (type 99) and TXT-only
# implementations. This is because while an implementation may support both,
# it must use only one record type for a given query - see 4.5/5. If an
# implementation finds SPF (type 99) records and decides to use them, they
# override TXT, and it must ignore any TXT records. Note that an
# implementation may decide whether to use SPF records on a case by case basis.
# Maybe it looks TXT and SPF up in parallel and goes with the first result to
# come back. Or maybe one is cached already. Or maybe it chooses at random.
# Think of dual SPF/TXT implementations as a quantum superposition of SPF-only
# and TXT-only. It must collapse to one or the other on each observation to be
# compliant.
#
# The "Selecting records" test section is the only one concerned with weeding
# out (incorrect) mixed behaviour and checking for proper response to duplicate
# or conflicting records. Other sections rely on auto-magic duplication
# of SPF to TXT records (by test suite drivers) to test all implementation
# types with one specification.
#
---
description: Initial processing
tests:
toolonglabel:
description: >-
DNS labels limited to 63 chars.
comment: >-
For initial processing, a long label results in None, not TempError
spec: 4.3/1
helo: mail.example.net
host: 1.2.3.5
mailfrom: lyme.eater@A123456789012345678901234567890123456789012345678901234567890123.example.com
result: none
longlabel:
description: >-
DNS labels limited to 63 chars.
spec: 4.3/1
helo: mail.example.net
host: 1.2.3.5
mailfrom: lyme.eater@A12345678901234567890123456789012345678901234567890123456789012.example.com
result: fail
emptylabel:
spec: 4.3/1
helo: mail.example.net
host: 1.2.3.5
mailfrom: lyme.eater@A...example.com
result: none
helo-not-fqdn:
spec: 4.3/1
helo: A2345678
host: 1.2.3.5
mailfrom: ""
result: none
helo-domain-literal:
spec: 4.3/1
helo: "[1.2.3.5]"
host: 1.2.3.5
mailfrom: ""
result: none
nolocalpart:
spec: 4.3/2
helo: mail.example.net
host: 1.2.3.4
mailfrom: '@example.net'
result: fail
explanation: postmaster
domain-literal:
spec: 4.3/1
helo: OEMCOMPUTER
host: 1.2.3.5
mailfrom: "foo@[1.2.3.5]"
result: none
non-ascii-policy:
description: >-
SPF policies are restricted to 7-bit ascii.
spec: 3.1.1/1
helo: hosed
host: 1.2.3.4
mailfrom: "foobar@hosed.example.com"
result: permerror
skip: We don't enforce 7-bit ascii.
non-ascii-mech:
description: >-
SPF policies are restricted to 7-bit ascii.
comment: >-
Checking a possibly different code path for non-ascii chars.
spec: 3.1.1/1
helo: hosed
host: 1.2.3.4
mailfrom: "foobar@hosed2.example.com"
result: permerror
skip: We don't enforce 7-bit ascii.
non-ascii-result:
description: >-
SPF policies are restricted to 7-bit ascii.
comment: >-
Checking yet another code path for non-ascii chars.
spec: 3.1.1/1
helo: hosed
host: 1.2.3.4
mailfrom: "foobar@hosed3.example.com"
result: permerror
non-ascii-non-spf:
description: >-
Non-ascii content in non-SPF related records.
comment: >-
Non-SPF related TXT records are none of our business. (But what about SPF records?)
spec: 3.1.1/1
helo: hosed
host: 1.2.3.4
mailfrom: "foobar@nothosed.example.com"
result: fail
explanation: DEFAULT
two-spaces:
description: >-
ABNF for term separation is one or more spaces, not just one.
spec: 4.6.1
helo: hosed
host: 1.2.3.4
mailfrom: "actually@fine.example.com"
result: fail
zonedata:
example.com:
- TIMEOUT: true
example.net:
- SPF: v=spf1 -all exp=exp.example.net
a.example.net:
- SPF: v=spf1 -all exp=exp.example.net
exp.example.net:
- TXT: '%{l}'
a12345678901234567890123456789012345678901234567890123456789012.example.com:
- SPF: v=spf1 -all
hosed.example.com:
- SPF: "v=spf1 a:\xEF\xBB\xBFgarbage.example.net -all"
hosed2.example.com:
- SPF: "v=spf1 \x80a:example.net -all"
hosed3.example.com:
- SPF: "v=spf1 a:example.net \x96all"
nothosed.example.com:
- SPF: "v=spf1 a:example.net -all"
- SPF: "\x96"
fine.example.com:
- TXT: "v=spf1 a -all"
---
description: Record lookup
tests:
both:
spec: 4.4/1
helo: mail.example.net
host: 1.2.3.4
mailfrom: foo@both.example.net
result: fail
txtonly:
description: Result is none if checking SPF records only.
spec: 4.4/1
helo: mail.example.net
host: 1.2.3.4
mailfrom: foo@txtonly.example.net
result: [fail, none]
spfonly:
description: Result is none if checking TXT records only.
spec: 4.4/1
helo: mail.example.net
host: 1.2.3.4
mailfrom: foo@spfonly.example.net
result: [fail, none]
spftimeout:
description: >-
TXT record present, but SPF lookup times out.
Result is temperror if checking SPF records only.
comment: >-
This actually happens for a popular braindead DNS server.
spec: 4.4/1
helo: mail.example.net
host: 1.2.3.4
mailfrom: foo@spftimeout.example.net
result: [fail, temperror]
txttimeout:
description: >-
SPF record present, but TXT lookup times out.
If only TXT records are checked, result is temperror.
spec: 4.4/1
helo: mail.example.net
host: 1.2.3.4
mailfrom: foo@txttimeout.example.net
result: [fail, temperror]
nospftxttimeout:
description: >-
No SPF record present, and TXT lookup times out.
If only TXT records are checked, result is temperror.
comment: >-
Because TXT records is where v=spf1 records will likely be, returning
temperror will try again later. A timeout due to a braindead server
is unlikely in the case of TXT, as opposed to the newer SPF RR.
spec: 4.4/1
helo: mail.example.net
host: 1.2.3.4
mailfrom: foo@nospftxttimeout.example.net
result: [temperror, none]
alltimeout:
description: Both TXT and SPF queries time out
spec: 4.4/2
helo: mail.example.net
host: 1.2.3.4
mailfrom: foo@alltimeout.example.net
result: temperror
zonedata:
both.example.net:
- TXT: v=spf1 -all
- SPF: v=spf1 -all
txtonly.example.net:
- TXT: v=spf1 -all
spfonly.example.net:
- SPF: v=spf1 -all
- TXT: NONE
spftimeout.example.net:
- TXT: v=spf1 -all
- TIMEOUT: true
txttimeout.example.net:
- SPF: v=spf1 -all
- TXT: NONE
- TIMEOUT: true
nospftxttimeout.example.net:
- SPF: "v=spf3 !a:yahoo.com -all"
- TXT: NONE
- TIMEOUT: true
alltimeout.example.net:
- TIMEOUT: true
---
description: Selecting records
tests:
nospace1:
description: >-
Version must be terminated by space or end of record. TXT pieces
are joined without intervening spaces.
spec: 4.5/4
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@example2.com
result: none
empty:
description: Empty SPF record.
spec: 4.5/4
helo: mail1.example1.com
host: 1.2.3.4
mailfrom: foo@example1.com
result: neutral
nospace2:
spec: 4.5/4
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@example3.com
result: pass
spfoverride:
description: >-
SPF records override TXT records. Older implementation may
check TXT records only.
spec: 4.5/5
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@example4.com
result: [pass, fail]
multitxt1:
description: >-
Older implementations will give permerror/unknown because of
the conflicting TXT records. However, RFC 4408 says the SPF
records overrides them.
spec: 4.5/5
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@example5.com
result: [pass, permerror]
multitxt2:
description: >-
Multiple records is a permerror, v=spf1 is case insensitive
spec: 4.5/6
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@example6.com
result: permerror
multispf1:
description: >-
Multiple records is a permerror, even when they are identical.
However, this situation cannot be reliably reproduced with live
DNS since cache and resolvers are allowed to combine identical
records.
spec: 4.5/6
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@example7.com
result: [permerror, fail]
multispf2:
description: >-
Older implementations ignoring SPF-type records will give pass because
there is a (single) TXT record. But RFC 4408 requires permerror because
the SPF records override and there are more than one.
spec: 4.5/6
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@example8.com
result: [permerror, pass]
nospf:
spec: 4.5/7
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@mail.example1.com
result: none
case-insensitive:
description: >-
v=spf1 is case insensitive
spec: 4.5/6
helo: mail.example1.com
host: 1.2.3.4
mailfrom: foo@example9.com
result: softfail
zonedata:
example3.com:
- SPF: v=spf10
- SPF: v=spf1 mx
- MX: [0, mail.example1.com]
example1.com:
- SPF: v=spf1
example2.com:
- SPF: ['v=spf1', 'mx']
mail.example1.com:
- A: 1.2.3.4
example4.com:
- SPF: v=spf1 +all
- TXT: v=spf1 -all
example5.com:
- SPF: v=spf1 +all
- TXT: v=spf1 -all
- TXT: v=spf1 +all
example6.com:
- SPF: v=spf1 -all
- SPF: V=sPf1 +all
example7.com:
- SPF: v=spf1 -all
- SPF: v=spf1 -all
example8.com:
- SPF: V=spf1 -all
- SPF: v=spf1 -all
- TXT: v=spf1 +all
example9.com:
- SPF: v=SpF1 ~all
---
description: Record evaluation
tests:
detect-errors-anywhere:
description: Any syntax errors anywhere in the record MUST be detected.
spec: 4.6
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t1.example.com
result: permerror
skip: We don't catch errors after a match.
modifier-charset-good:
description: name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
spec: 4.6.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t2.example.com
result: pass
skip: We don't enforce the domain charset.
modifier-charset-bad1:
description: >-
'=' character immediately after the name and before any ":" or "/"
spec: 4.6.1/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t3.example.com
result: permerror
modifier-charset-bad2:
description: >-
'=' character immediately after the name and before any ":" or "/"
spec: 4.6.1/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t4.example.com
result: permerror
redirect-after-mechanisms1:
description: >-
The "redirect" modifier has an effect after all the mechanisms.
comment: >-
The redirect in this example would violate processing limits, except
that it is never used because of the all mechanism.
spec: 4.6.3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t5.example.com
result: softfail
redirect-after-mechanisms2:
description: >-
The "redirect" modifier has an effect after all the mechanisms.
spec: 4.6.3
helo: mail.example.com
host: 1.2.3.5
mailfrom: foo@t6.example.com
result: fail
skip: Not worth the complexity of erroring on this.
default-result:
description: Default result is neutral.
spec: 4.7/1
helo: mail.example.com
host: 1.2.3.5
mailfrom: foo@t7.example.com
result: neutral
redirect-is-modifier:
description: |-
Invalid mechanism. Redirect is a modifier.
spec: 4.6.1/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t8.example.com
result: permerror
skip: We don't catch errors after a match.
invalid-domain:
description: >-
Domain-spec must end in macro-expand or valid toplabel.
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t9.example.com
result: permerror
skip: We don't enforce TLD structure.
invalid-domain-empty-label:
description: >-
target-name that is a valid domain-spec per RFC 4408 but an invalid
domain name per RFC 1035 (empty label) must be treated as non-existent.
comment: >-
An empty domain label, i.e. two successive dots, in a mechanism
target-name is valid domain-spec syntax, even though a DNS query cannot
be composed from it. The spec being unclear about it, this could either
be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the
mechanism chould be treated as a no-match.
spec: [4.3/1, 5/10/3]
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t10.example.com
result: [permerror, fail]
invalid-domain-long:
description: >-
target-name that is a valid domain-spec per RFC 4408 but an invalid
domain name per RFC 1035 (long label) must be treated as non-existent.
comment: >-
A domain label longer than 63 characters in a mechanism target-name is
valid domain-spec syntax, even though a DNS query cannot be composed
from it. The spec being unclear about it, this could either be
considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the
mechanism chould be treated as a no-match.
spec: [4.3/1, 5/10/3]
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@t11.example.com
result: [permerror,fail]
invalid-domain-long-via-macro:
description: >-
target-name that is a valid domain-spec per RFC 4408 but an invalid
domain name per RFC 1035 (long label) must be treated as non-existent.
comment: >-
A domain label longer than 63 characters that results from macro
expansion in a mechanism target-name is valid domain-spec syntax (and is
not even subject to syntax checking after macro expansion), even though
a DNS query cannot be composed from it. The spec being unclear about
it, this could either be considered a syntax error, or, by analogy to
4.3/1 and 5/10/3, the mechanism chould be treated as a no-match.
spec: [4.3/1, 5/10/3]
helo: "%%%%%%%%%%%%%%%%%%%%%%"
host: 1.2.3.4
mailfrom: foo@t12.example.com
result: [permerror,fail]
zonedata:
mail.example.com:
- A: 1.2.3.4
t1.example.com:
- SPF: v=spf1 ip4:1.2.3.4 -all moo
t2.example.com:
- SPF: v=spf1 moo.cow-far_out=man:dog/cat ip4:1.2.3.4 -all
t3.example.com:
- SPF: v=spf1 moo.cow/far_out=man:dog/cat ip4:1.2.3.4 -all
t4.example.com:
- SPF: v=spf1 moo.cow:far_out=man:dog/cat ip4:1.2.3.4 -all
t5.example.com:
- SPF: v=spf1 redirect=t5.example.com ~all
t6.example.com:
- SPF: v=spf1 ip4:1.2.3.4 redirect=t2.example.com
t7.example.com:
- SPF: v=spf1 ip4:1.2.3.4
t8.example.com:
- SPF: v=spf1 ip4:1.2.3.4 redirect:t2.example.com
t9.example.com:
- SPF: v=spf1 a:foo-bar -all
t10.example.com:
- SPF: v=spf1 a:mail.example...com -all
t11.example.com:
- SPF: v=spf1 a:a123456789012345678901234567890123456789012345678901234567890123.example.com -all
t12.example.com:
- SPF: v=spf1 a:%{H}.bar -all
---
description: ALL mechanism syntax
tests:
all-dot:
description: |
all = "all"
comment: |-
At least one implementation got this wrong
spec: 5.1/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: permerror
all-arg:
description: |
all = "all"
comment: |-
At least one implementation got this wrong
spec: 5.1/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: permerror
all-cidr:
description: |
all = "all"
spec: 5.1/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e3.example.com
result: permerror
all-neutral:
description: |
all = "all"
spec: 5.1/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e4.example.com
result: neutral
all-double:
description: |
all = "all"
spec: 5.1/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5.example.com
result: pass
zonedata:
mail.example.com:
- A: 1.2.3.4
e1.example.com:
- SPF: v=spf1 -all.
e2.example.com:
- SPF: v=spf1 -all:foobar
e3.example.com:
- SPF: v=spf1 -all/8
e4.example.com:
- SPF: v=spf1 ?all
e5.example.com:
- SPF: v=spf1 all -all
---
description: PTR mechanism syntax
tests:
ptr-cidr:
description: |-
PTR = "ptr" [ ":" domain-spec ]
spec: 5.5/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: permerror
ptr-match-target:
description: >-
Check all validated domain names to see if they end in the <target-name>
domain.
spec: 5.5/5
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: pass
ptr-match-implicit:
description: >-
Check all validated domain names to see if they end in the <target-name>
domain.
spec: 5.5/5
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e3.example.com
result: pass
ptr-nomatch-invalid:
description: >-
Check all validated domain names to see if they end in the <target-name>
domain.
comment: >-
This PTR record does not validate
spec: 5.5/5
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e4.example.com
result: fail
ptr-match-ip6:
description: >-
Check all validated domain names to see if they end in the <target-name>
domain.
spec: 5.5/5
helo: mail.example.com
host: CAFE:BABE::1
mailfrom: foo@e3.example.com
result: pass
ptr-empty-domain:
description: >-
domain-spec cannot be empty.
spec: 5.5/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5.example.com
result: permerror
zonedata:
mail.example.com:
- A: 1.2.3.4
e1.example.com:
- SPF: v=spf1 ptr/0 -all
e2.example.com:
- SPF: v=spf1 ptr:example.com -all
4.3.2.1.in-addr.arpa:
- PTR: e3.example.com
- PTR: e4.example.com
- PTR: mail.example.com
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa:
- PTR: e3.example.com
e3.example.com:
- SPF: v=spf1 ptr -all
- A: 1.2.3.4
- AAAA: CAFE:BABE::1
e4.example.com:
- SPF: v=spf1 ptr -all
e5.example.com:
- SPF: "v=spf1 ptr:"
---
description: A mechanism syntax
tests:
a-cidr6:
description: |
A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.3/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6.example.com
result: fail
a-bad-cidr4:
description: |
A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.3/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6a.example.com
result: permerror
a-bad-cidr6:
description: |
A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.3/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e7.example.com
result: permerror
a-dual-cidr-ip4-match:
description: |
A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.3/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e8.example.com
result: pass
a-dual-cidr-ip4-err:
description: |
A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.3/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e8e.example.com
result: permerror
a-dual-cidr-ip6-match:
description: |
A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.3/2
helo: mail.example.com
host: 2001:db8:1234::cafe:babe
mailfrom: foo@e8.example.com
result: pass
a-dual-cidr-ip4-default:
description: |
A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.3/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e8b.example.com
result: fail
a-dual-cidr-ip6-default:
description: |
A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.3/2
helo: mail.example.com
host: 2001:db8:1234::cafe:babe
mailfrom: foo@e8a.example.com
result: fail
a-multi-ip1:
description: >-
A matches any returned IP.
spec: 5.3/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e10.example.com
result: pass
a-multi-ip2:
description: >-
A matches any returned IP.
spec: 5.3/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e10.example.com
result: pass
a-bad-domain:
description: >-
domain-spec must pass basic syntax checks;
a ':' may appear in domain-spec, but not in top-label
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e9.example.com
result: permerror
skip: We don't enforce domain charset.
a-nxdomain:
description: >-
If no ips are returned, A mechanism does not match, even with /0.
spec: 5.3/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: fail
a-cidr4-0:
description: >-
Matches if any A records are present in DNS.
spec: 5.3/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: pass
a-cidr4-0-ip6:
description: >-
Matches if any A records are present in DNS.
spec: 5.3/3
helo: mail.example.com
host: 1234::1
mailfrom: foo@e2.example.com
result: fail
a-cidr6-0-ip4:
description: >-
Would match if any AAAA records are present in DNS,
but not for an IP4 connection.
spec: 5.3/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2a.example.com
result: fail
a-cidr6-0-ip4mapped:
description: >-
Would match if any AAAA records are present in DNS,
but not for an IP4 connection.
spec: 5.3/3
helo: mail.example.com
host: ::FFFF:1.2.3.4
mailfrom: foo@e2a.example.com
result: fail
a-cidr6-0-ip6:
description: >-
Matches if any AAAA records are present in DNS.
spec: 5.3/3
helo: mail.example.com
host: 1234::1
mailfrom: foo@e2a.example.com
result: pass
a-ip6-dualstack:
description: >-
Simple IP6 Address match with dual stack.
spec: 5.3/3
helo: mail.example.com
host: 1234::1
mailfrom: foo@ipv6.example.com
result: pass
a-cidr6-0-nxdomain:
description: >-
No match if no AAAA records are present in DNS.
spec: 5.3/3
helo: mail.example.com
host: 1234::1
mailfrom: foo@e2b.example.com
result: fail
a-null:
description: >-
Null octets not allowed in toplabel
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.5
mailfrom: foo@e3.example.com
result: permerror
skip: We don't enforce charset.
a-numeric:
description: >-
toplabel may not be all numeric
comment: >-
A common publishing mistake is using ip4 addresses with A mechanism.
This should receive special diagnostic attention in the permerror.
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e4.example.com
result: permerror
skip: We don't enforce domain structure.
a-numeric-toplabel:
description: >-
toplabel may not be all numeric
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5.example.com
result: permerror
skip: We don't enforce TLD structure.
a-dash-in-toplabel:
description: >-
toplabel may contain dashes
comment: >-
Going from the "toplabel" grammar definition, an implementation using
regular expressions in incrementally parsing SPF records might
erroneously try to match a TLD such as ".xn--zckzah" (cf. IDN TLDs!) to
'( *alphanum ALPHA *alphanum )' first before trying the alternative
'( 1*alphanum "-" *( alphanum / "-" ) alphanum )', essentially causing
a non-greedy, and thus, incomplete match. Make sure a greedy match is
performed!
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e14.example.com
result: pass
a-bad-toplabel:
description: >-
toplabel may not begin with a dash
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e12.example.com
result: permerror
skip: We don't enforce TLD structure.
a-only-toplabel:
description: >-
domain-spec may not consist of only a toplabel.
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5a.example.com
result: permerror
skip: We don't enforce TLD structure.
a-only-toplabel-trailing-dot:
description: >-
domain-spec may not consist of only a toplabel.
comment: >-
"A trailing dot doesn't help."
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5b.example.com
result: permerror
skip: We don't enforce TLD structure.
a-colon-domain:
description: >-
domain-spec may contain any visible char except %
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e11.example.com
result: pass
skip: Allowing / in domain names is not worth the complexity
a-colon-domain-ip4mapped:
description: >-
domain-spec may contain any visible char except %
spec: 8.1/2
helo: mail.example.com
host: ::FFFF:1.2.3.4
mailfrom: foo@e11.example.com
result: pass
skip: Allowing / in domain names is not worth the complexity
a-empty-domain:
description: >-
domain-spec cannot be empty.
spec: 5.3/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e13.example.com
result: permerror
skip: Not worth the complexity of erroring on this.
zonedata:
mail.example.com:
- A: 1.2.3.4
e1.example.com:
- SPF: v=spf1 a/0 -all
e2.example.com:
- A: 1.1.1.1
- AAAA: 1234::2
- SPF: v=spf1 a/0 -all
e2a.example.com:
- AAAA: 1234::1
- SPF: v=spf1 a//0 -all
e2b.example.com:
- A: 1.1.1.1
- SPF: v=spf1 a//0 -all
ipv6.example.com:
- AAAA: 1234::1
- A: 1.1.1.1
- SPF: v=spf1 a -all
e3.example.com:
- SPF: "v=spf1 a:foo.example.com\0"
e4.example.com:
- SPF: v=spf1 a:111.222.33.44
e5.example.com:
- SPF: v=spf1 a:abc.123
e5a.example.com:
- SPF: v=spf1 a:museum
e5b.example.com:
- SPF: v=spf1 a:museum.
e6.example.com:
- SPF: v=spf1 a//33 -all
e6a.example.com:
- SPF: v=spf1 a/33 -all
e7.example.com:
- SPF: v=spf1 a//129 -all
e8.example.com:
- A: 1.2.3.5
- AAAA: 2001:db8:1234::dead:beef
- SPF: v=spf1 a/24//64 -all
e8e.example.com:
- A: 1.2.3.5
- AAAA: 2001:db8:1234::dead:beef
- SPF: v=spf1 a/24/64 -all
e8a.example.com:
- A: 1.2.3.5
- AAAA: 2001:db8:1234::dead:beef
- SPF: v=spf1 a/24 -all
e8b.example.com:
- A: 1.2.3.5
- AAAA: 2001:db8:1234::dead:beef
- SPF: v=spf1 a//64 -all
e9.example.com:
- SPF: v=spf1 a:example.com:8080
e10.example.com:
- SPF: v=spf1 a:foo.example.com/24
foo.example.com:
- A: 1.1.1.1
- A: 1.2.3.5
e11.example.com:
- SPF: v=spf1 a:foo:bar/baz.example.com
foo:bar/baz.example.com:
- A: 1.2.3.4
e12.example.com:
- SPF: v=spf1 a:example.-com
e13.example.com:
- SPF: "v=spf1 a:"
e14.example.com:
- SPF: "v=spf1 a:foo.example.xn--zckzah -all"
foo.example.xn--zckzah:
- A: 1.2.3.4
---
description: Include mechanism semantics and syntax
tests:
include-fail:
description: >-
recursive check_host() result of fail causes include to not match.
spec: 5.2/9
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: softfail
include-softfail:
description: >-
recursive check_host() result of softfail causes include to not match.
spec: 5.2/9
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: pass
include-neutral:
description: >-
recursive check_host() result of neutral causes include to not match.
spec: 5.2/9
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e3.example.com
result: fail
include-temperror:
description: >-
recursive check_host() result of temperror causes include to temperror
spec: 5.2/9
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e4.example.com
result: temperror
include-permerror:
description: >-
recursive check_host() result of permerror causes include to permerror
spec: 5.2/9
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5.example.com
result: permerror
include-syntax-error:
description: >-
include = "include" ":" domain-spec
spec: 5.2/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6.example.com
result: permerror
include-cidr:
description: >-
include = "include" ":" domain-spec
spec: 5.2/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e9.example.com
result: permerror
include-none:
description: >-
recursive check_host() result of none causes include to permerror
spec: 5.2/9
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e7.example.com
result: permerror
include-empty-domain:
description: >-
domain-spec cannot be empty.
spec: 5.2/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e8.example.com
result: permerror
zonedata:
mail.example.com:
- A: 1.2.3.4
ip5.example.com:
- SPF: v=spf1 ip4:1.2.3.5 -all
ip6.example.com:
- SPF: v=spf1 ip4:1.2.3.6 ~all
ip7.example.com:
- SPF: v=spf1 ip4:1.2.3.7 ?all
ip8.example.com:
- TIMEOUT: true
erehwon.example.com:
- TXT: v=spfl am not an SPF record
e1.example.com:
- SPF: v=spf1 include:ip5.example.com ~all
e2.example.com:
- SPF: v=spf1 include:ip6.example.com all
e3.example.com:
- SPF: v=spf1 include:ip7.example.com -all
e4.example.com:
- SPF: v=spf1 include:ip8.example.com -all
e5.example.com:
- SPF: v=spf1 include:e6.example.com -all
e6.example.com:
- SPF: v=spf1 include +all
e7.example.com:
- SPF: v=spf1 include:erehwon.example.com -all
e8.example.com:
- SPF: "v=spf1 include: -all"
e9.example.com:
- SPF: "v=spf1 include:ip5.example.com/24 -all"
---
description: MX mechanism syntax
tests:
mx-cidr6:
description: |
MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.4/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6.example.com
result: fail
mx-bad-cidr4:
description: |
MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.4/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6a.example.com
result: permerror
mx-bad-cidr6:
description: |
MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
spec: 5.4/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e7.example.com
result: permerror
mx-multi-ip1:
description: >-
MX matches any returned IP.
spec: 5.4/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e10.example.com
result: pass
mx-multi-ip2:
description: >-
MX matches any returned IP.
spec: 5.4/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e10.example.com
result: pass
mx-bad-domain:
description: >-
domain-spec must pass basic syntax checks
comment: >-
A ':' may appear in domain-spec, but not in top-label.
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e9.example.com
result: permerror
skip: We don't enforce domain syntax.
mx-nxdomain:
description: >-
If no ips are returned, MX mechanism does not match, even with /0.
spec: 5.4/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: fail
mx-cidr4-0:
description: >-
Matches if any A records for any MX records are present in DNS.
spec: 5.4/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: pass
mx-cidr4-0-ip6:
description: >-
cidr4 doesn't apply to IP6 connections.
spec: 5.4/3
helo: mail.example.com
host: 1234::1
mailfrom: foo@e2.example.com
result: fail
mx-cidr6-0-ip4:
description: >-
Would match if any AAAA records for MX records are present in DNS,
but not for an IP4 connection.
spec: 5.4/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2a.example.com
result: fail
mx-cidr6-0-ip4mapped:
description: >-
Would match if any AAAA records for MX records are present in DNS,
but not for an IP4 connection.
spec: 5.4/3
helo: mail.example.com
host: ::FFFF:1.2.3.4
mailfrom: foo@e2a.example.com
result: fail
mx-cidr6-0-ip6:
description: >-
Matches if any AAAA records for any MX records are present in DNS.
spec: 5.3/3
helo: mail.example.com
host: 1234::1
mailfrom: foo@e2a.example.com
result: pass
mx-cidr6-0-nxdomain:
description: >-
No match if no AAAA records for any MX records are present in DNS.
spec: 5.4/3
helo: mail.example.com
host: 1234::1
mailfrom: foo@e2b.example.com
result: fail
mx-null:
description: >-
Null not allowed in top-label.
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.5
mailfrom: foo@e3.example.com
result: permerror
skip: We don't enforce charset.
mx-numeric-top-label:
description: >-
Top-label may not be all numeric
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5.example.com
result: permerror
skip: We don't validate top-level domains.
mx-colon-domain:
description: >-
Domain-spec may contain any visible char except %
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e11.example.com
result: pass
skip: Allowing / in domain names is not worth the complexity
mx-colon-domain-ip4mapped:
description: >-
Domain-spec may contain any visible char except %
spec: 8.1/2
helo: mail.example.com
host: ::FFFF:1.2.3.4
mailfrom: foo@e11.example.com
result: pass
skip: Allowing / in domain names is not worth the complexity
mx-bad-toplab:
description: >-
Toplabel may not begin with -
spec: 8.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e12.example.com
result: permerror
skip: We don't enforce TLD structure.
mx-empty:
description: >-
test null MX
comment: >-
Some implementations have had trouble with null MX
spec: 5.4/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: ""
result: neutral
mx-implicit:
description: >-
If the target name has no MX records, check_host() MUST NOT pretend the
target is its single MX, and MUST NOT default to an A lookup on the
target-name directly.
spec: 5.4/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e4.example.com
result: neutral
mx-empty-domain:
description: >-
domain-spec cannot be empty.
spec: 5.2/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e13.example.com
result: permerror
skip: Not worth the complexity of erroring on this.
zonedata:
mail.example.com:
- A: 1.2.3.4
- MX: [0, ""]
- SPF: v=spf1 mx
e1.example.com:
- SPF: v=spf1 mx/0 -all
- MX: [0, e1.example.com]
e2.example.com:
- A: 1.1.1.1
- AAAA: 1234::2
- MX: [0, e2.example.com]
- SPF: v=spf1 mx/0 -all
e2a.example.com:
- AAAA: 1234::1
- MX: [0, e2a.example.com]
- SPF: v=spf1 mx//0 -all
e2b.example.com:
- A: 1.1.1.1
- MX: [0, e2b.example.com]
- SPF: v=spf1 mx//0 -all
e3.example.com:
- SPF: "v=spf1 mx:foo.example.com\0"
e4.example.com:
- SPF: v=spf1 mx
- A: 1.2.3.4
e5.example.com:
- SPF: v=spf1 mx:abc.123
e6.example.com:
- SPF: v=spf1 mx//33 -all
e6a.example.com:
- SPF: v=spf1 mx/33 -all
e7.example.com:
- SPF: v=spf1 mx//129 -all
e9.example.com:
- SPF: v=spf1 mx:example.com:8080
e10.example.com:
- SPF: v=spf1 mx:foo.example.com/24
foo.example.com:
- MX: [0, foo1.example.com]
foo1.example.com:
- A: 1.1.1.1
- A: 1.2.3.5
e11.example.com:
- SPF: v=spf1 mx:foo:bar/baz.example.com
foo:bar/baz.example.com:
- MX: [0, "foo:bar/baz.example.com"]
- A: 1.2.3.4
e12.example.com:
- SPF: v=spf1 mx:example.-com
e13.example.com:
- SPF: "v=spf1 mx: -all"
---
description: EXISTS mechanism syntax
tests:
exists-empty-domain:
description: >-
domain-spec cannot be empty.
spec: 5.7/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: permerror
exists-implicit:
description: >-
exists = "exists" ":" domain-spec
spec: 5.7/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: permerror
exists-cidr:
description: >-
exists = "exists" ":" domain-spec
spec: 5.7/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e3.example.com
result: permerror
exists-ip4:
description: >-
mechanism matches if any DNS A RR exists
spec: 5.7/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e4.example.com
result: pass
exists-ip6:
description: >-
The lookup type is A even when the connection is ip6
spec: 5.7/3
helo: mail.example.com
host: CAFE:BABE::3
mailfrom: foo@e4.example.com
result: pass
exists-ip6only:
description: >-
The lookup type is A even when the connection is ip6
spec: 5.7/3
helo: mail.example.com
host: CAFE:BABE::3
mailfrom: foo@e5.example.com
result: fail
exists-dnserr:
description: >-
Result for DNS error is being clarified in spfbis
spec: 5.7/3
helo: mail.example.com
host: CAFE:BABE::3
mailfrom: foo@e6.example.com
result: [fail, temperror]
zonedata:
mail.example.com:
- A: 1.2.3.4
mail6.example.com:
- AAAA: CAFE:BABE::4
err.example.com:
- TIMEOUT: true
e1.example.com:
- SPF: "v=spf1 exists:"
e2.example.com:
- SPF: "v=spf1 exists"
e3.example.com:
- SPF: "v=spf1 exists:mail.example.com/24"
e4.example.com:
- SPF: "v=spf1 exists:mail.example.com"
e5.example.com:
- SPF: "v=spf1 exists:mail6.example.com -all"
e6.example.com:
- SPF: "v=spf1 exists:err.example.com -all"
---
description: IP4 mechanism syntax
tests:
cidr4-0:
description: >-
ip4-cidr-length = "/" 1*DIGIT
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: pass
cidr4-32:
description: >-
ip4-cidr-length = "/" 1*DIGIT
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: pass
cidr4-33:
description: >-
Invalid CIDR should get permerror.
comment: >-
The RFC is silent on ip4 CIDR > 32 or ip6 CIDR > 128. However,
since there is no reasonable interpretation (except a noop), we have
read between the lines to see a prohibition on invalid CIDR.
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e3.example.com
result: permerror
cidr4-032:
description: >-
Invalid CIDR should get permerror.
comment: >-
Leading zeros are not explicitly prohibited by the RFC. However,
since the RFC explicity prohibits leading zeros in ip4-network,
our interpretation is that CIDR should be also.
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e4.example.com
result: permerror
skip: It's not clear this is problematic.
bare-ip4:
description: >-
IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ]
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5.example.com
result: permerror
bad-ip4-port:
description: >-
IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ]
comment: >-
This has actually been published in SPF records.
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e8.example.com
result: permerror
bad-ip4-short:
description: >-
It is not permitted to omit parts of the IP address instead of
using CIDR notations.
spec: 5.6/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e9.example.com
result: permerror
ip4-dual-cidr:
description: >-
dual-cidr-length not permitted on ip4
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6.example.com
result: permerror
ip4-mapped-ip6:
description: >-
IP4 mapped IP6 connections MUST be treated as IP4
spec: 5/9/2
helo: mail.example.com
host: ::FFFF:1.2.3.4
mailfrom: foo@e7.example.com
result: fail
zonedata:
mail.example.com:
- A: 1.2.3.4
e1.example.com:
- SPF: v=spf1 ip4:1.1.1.1/0 -all
e2.example.com:
- SPF: v=spf1 ip4:1.2.3.4/32 -all
e3.example.com:
- SPF: v=spf1 ip4:1.2.3.4/33 -all
e4.example.com:
- SPF: v=spf1 ip4:1.2.3.4/032 -all
e5.example.com:
- SPF: v=spf1 ip4
e6.example.com:
- SPF: v=spf1 ip4:1.2.3.4//32
e7.example.com:
- SPF: v=spf1 -ip4:1.2.3.4 ip6:::FFFF:1.2.3.4
e8.example.com:
- SPF: v=spf1 ip4:1.2.3.4:8080
e9.example.com:
- SPF: v=spf1 ip4:1.2.3
---
description: IP6 mechanism syntax
comment: >-
IP4 only implementations may skip tests where host is not IP4
tests:
bare-ip6:
description: >-
IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ]
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: permerror
skip: There's an early match.
cidr6-0-ip4:
description: >-
IP4 connections do not match ip6.
comment: >-
There is controversy over ip4 mapped connections. RFC4408 clearly
requires such connections to be considered as ip4. However,
some interpret the RFC to mean that such connections should *also*
match appropriate ip6 mechanisms (but not, inexplicably, A or MX
mechanisms). Until there is consensus, both
results are acceptable.
spec: 5/9/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: [neutral, pass]
cidr6-ip4:
description: >-
Even if the SMTP connection is via IPv6, an IPv4-mapped IPv6 IP address
(see RFC 3513, Section 2.5.5) MUST still be considered an IPv4 address.
comment: >-
There is controversy over ip4 mapped connections. RFC4408 clearly
requires such connections to be considered as ip4. However,
some interpret the RFC to mean that such connections should *also*
match appropriate ip6 mechanisms (but not, inexplicably, A or MX
mechanisms). Until there is consensus, both
results are acceptable.
spec: 5/9/2
helo: mail.example.com
host: ::FFFF:1.2.3.4
mailfrom: foo@e2.example.com
result: [neutral, pass]
cidr6-0:
description: >-
Match any IP6
spec: 5/8
helo: mail.example.com
host: DEAF:BABE::CAB:FEE
mailfrom: foo@e2.example.com
result: pass
cidr6-129:
description: >-
Invalid CIDR
comment: >-
IP4 only implementations MUST fully syntax check all mechanisms,
even if they otherwise ignore them.
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e3.example.com
result: permerror
cidr6-bad:
description: >-
dual-cidr syntax not used for ip6
comment: >-
IP4 only implementations MUST fully syntax check all mechanisms,
even if they otherwise ignore them.
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e4.example.com
result: permerror
cidr6-33:
description: >-
make sure ip4 cidr restriction are not used for ip6
spec: 5.6/2
helo: mail.example.com
host: "CAFE:BABE:8000::"
mailfrom: foo@e5.example.com
result: pass
cidr6-33-ip4:
description: >-
make sure ip4 cidr restriction are not used for ip6
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5.example.com
result: neutral
ip6-bad1:
description: >-
spec: 5.6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6.example.com
result: permerror
zonedata:
mail.example.com:
- A: 1.2.3.4
e1.example.com:
- SPF: v=spf1 -all ip6
e2.example.com:
- SPF: v=spf1 ip6:::1.1.1.1/0
e3.example.com:
- SPF: v=spf1 ip6:::1.1.1.1/129
e4.example.com:
- SPF: v=spf1 ip6:::1.1.1.1//33
e5.example.com:
- SPF: v=spf1 ip6:CAFE:BABE:8000::/33
e6.example.com:
- SPF: v=spf1 ip6::CAFE::BABE
---
description: Semantics of exp and other modifiers
comment: >-
Implementing exp= is optional. If not implemented, the test driver should
not check the explanation field.
tests:
redirect-none:
description: >-
If no SPF record is found, or if the target-name is malformed, the result
is a "PermError" rather than "None".
spec: 6.1/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e10.example.com
result: permerror
redirect-cancels-exp:
description: >-
when executing "redirect", exp= from the original domain MUST NOT be used.
spec: 6.2/13
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: fail
explanation: DEFAULT
redirect-syntax-error:
description: |
redirect = "redirect" "=" domain-spec
comment: >-
A literal application of the grammar causes modifier syntax
errors (except for macro syntax) to become unknown-modifier.
modifier = explanation | redirect | unknown-modifier
However, it is generally agreed, with precedent in other RFCs,
that unknown-modifier should not be "greedy", and should not
match known modifier names. There should have been explicit
prose to this effect, and some has been proposed as an erratum.
spec: 6.1/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e17.example.com
result: permerror
skip: We don't enforce charset within the redirect.
include-ignores-exp:
description: >-
when executing "include", exp= from the target domain MUST NOT be used.
spec: 6.2/13
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e7.example.com
result: fail
explanation: Correct!
redirect-cancels-prior-exp:
description: >-
when executing "redirect", exp= from the original domain MUST NOT be used.
spec: 6.2/13
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e3.example.com
result: fail
explanation: See me.
invalid-modifier:
description: |
unknown-modifier = name "=" macro-string
name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
comment: >-
Unknown modifier name must begin with alpha.
spec: A/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e5.example.com
result: permerror
empty-modifier-name:
description: |
name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
comment: >-
Unknown modifier name must not be empty.
spec: A/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6.example.com
result: permerror
dorky-sentinel:
description: >-
An implementation that uses a legal expansion as a sentinel. We
cannot check them all, but we can check this one.
comment: >-
Spaces are allowed in local-part.
spec: 8.1/6
helo: mail.example.com
host: 1.2.3.4
mailfrom: "Macro Error@e8.example.com"
result: fail
explanation: Macro Error in implementation
exp-multiple-txt:
description: |
Ignore exp if multiple TXT records.
comment: >-
If domain-spec is empty, or there are any DNS processing errors (any
RCODE other than 0), or if no records are returned, or if more than one
record is returned, or if there are syntax errors in the explanation
string, then proceed as if no exp modifier was given.
spec: 6.2/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e11.example.com
result: fail
explanation: DEFAULT
exp-no-txt:
description: |
Ignore exp if no TXT records.
comment: >-
If domain-spec is empty, or there are any DNS processing errors (any
RCODE other than 0), or if no records are returned, or if more than one
record is returned, or if there are syntax errors in the explanation
string, then proceed as if no exp modifier was given.
spec: 6.2/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e22.example.com
result: fail
explanation: DEFAULT
exp-dns-error:
description: |
Ignore exp if DNS error.
comment: >-
If domain-spec is empty, or there are any DNS processing errors (any
RCODE other than 0), or if no records are returned, or if more than one
record is returned, or if there are syntax errors in the explanation
string, then proceed as if no exp modifier was given.
spec: 6.2/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e21.example.com
result: fail
explanation: DEFAULT
exp-empty-domain:
description: |
PermError if exp= domain-spec is empty.
comment: >-
Section 6.2/4 says, "If domain-spec is empty, or there are any DNS
processing errors (any RCODE other than 0), or if no records are
returned, or if more than one record is returned, or if there are syntax
errors in the explanation string, then proceed as if no exp modifier was
given." However, "if domain-spec is empty" conflicts with the grammar
given for the exp modifier. This was reported as an erratum, and the
solution chosen was to report explicit "exp=" as PermError, but ignore
problems due to macro expansion, DNS, or invalid explanation string.
spec: 6.2/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e12.example.com
result: permerror
skip: We ignore exp, and is harmless.
explanation-syntax-error:
description: |
Ignore exp if the explanation string has a syntax error.
comment: >-
If domain-spec is empty, or there are any DNS processing errors (any
RCODE other than 0), or if no records are returned, or if more than one
record is returned, or if there are syntax errors in the explanation
string, then proceed as if no exp modifier was given.
spec: 6.2/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e13.example.com
result: fail
explanation: DEFAULT
exp-syntax-error:
description: |
explanation = "exp" "=" domain-spec
comment: >-
A literal application of the grammar causes modifier syntax
errors (except for macro syntax) to become unknown-modifier.
modifier = explanation | redirect | unknown-modifier
However, it is generally agreed, with precedent in other RFCs,
that unknown-modifier should not be "greedy", and should not
match known modifier names. There should have been explicit
prose to this effect, and some has been proposed as an erratum.
spec: 6.2/1
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e16.example.com
result: permerror
skip: We don't enforce exp values.
exp-twice:
description: |
exp= appears twice.
comment: >-
These two modifiers (exp,redirect) MUST NOT appear in a record more than
once each. If they do, then check_host() exits with a result of
"PermError".
spec: 6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e14.example.com
result: permerror
skip: We ignore exp, and is harmless.
redirect-empty-domain:
description: |
redirect = "redirect" "=" domain-spec
comment: >-
Unlike for exp, there is no instruction to override the permerror
for an empty domain-spec (which is invalid syntax).
spec: 6.2/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e18.example.com
result: permerror
skip: There's an early match.
redirect-twice:
description: |
redirect= appears twice.
comment: >-
These two modifiers (exp,redirect) MUST NOT appear in a record more than
once each. If they do, then check_host() exits with a result of
"PermError".
spec: 6/2
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e15.example.com
result: permerror
unknown-modifier-syntax:
description: |
unknown-modifier = name "=" macro-string
comment: >-
Unknown modifiers must have valid macro syntax.
spec: A/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e9.example.com
result: permerror
skip: There's an early match.
default-modifier-obsolete:
description: |
Unknown modifiers do not modify the RFC SPF result.
comment: >-
Some implementations may have a leftover default= modifier from
earlier drafts.
spec: 6/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e19.example.com
result: neutral
skip: Not worth the complexity of erroring on this.
default-modifier-obsolete2:
description: |
Unknown modifiers do not modify the RFC SPF result.
comment: >-
Some implementations may have a leftover default= modifier from
earlier drafts.
spec: 6/3
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e20.example.com
result: neutral
skip: Not worth the complexity of erroring on this.
non-ascii-exp:
description: >-
SPF explanation text is restricted to 7-bit ascii.
comment: >-
Checking a possibly different code path for non-ascii chars.
spec: 6.2/5
helo: hosed
host: 1.2.3.4
mailfrom: "foobar@nonascii.example.com"
result: fail
explanation: DEFAULT
two-exp-records:
description: >-
Must ignore exp= if DNS returns more than one TXT record.
spec: 6.2/4
helo: hosed
host: 1.2.3.4
mailfrom: "foobar@tworecs.example.com"
result: fail
explanation: DEFAULT
zonedata:
mail.example.com:
- A: 1.2.3.4
e1.example.com:
- SPF: v=spf1 exp=exp1.example.com redirect=e2.example.com
e2.example.com:
- SPF: v=spf1 -all
e3.example.com:
- SPF: v=spf1 exp=exp1.example.com redirect=e4.example.com
e4.example.com:
- SPF: v=spf1 -all exp=exp2.example.com
exp1.example.com:
- TXT: No-see-um
exp2.example.com:
- TXT: See me.
exp3.example.com:
- TXT: Correct!
exp4.example.com:
- TXT: "%{l} in implementation"
e5.example.com:
- SPF: v=spf1 1up=foo
e6.example.com:
- SPF: v=spf1 =all
e7.example.com:
- SPF: v=spf1 include:e3.example.com -all exp=exp3.example.com
e8.example.com:
- SPF: v=spf1 -all exp=exp4.example.com
e9.example.com:
- SPF: v=spf1 -all foo=%abc
e10.example.com:
- SPF: v=spf1 redirect=erehwon.example.com
e11.example.com:
- SPF: v=spf1 -all exp=e11msg.example.com
e11msg.example.com:
- TXT: Answer a fool according to his folly.
- TXT: Do not answer a fool according to his folly.
e12.example.com:
- SPF: v=spf1 exp= -all
e13.example.com:
- SPF: v=spf1 exp=e13msg.example.com -all
e13msg.example.com:
- TXT: The %{x}-files.
e14.example.com:
- SPF: v=spf1 exp=e13msg.example.com -all exp=e11msg.example.com
e15.example.com:
- SPF: v=spf1 redirect=e12.example.com -all redirect=e12.example.com
e16.example.com:
- SPF: v=spf1 exp=-all
e17.example.com:
- SPF: v=spf1 redirect=-all ?all
e18.example.com:
- SPF: v=spf1 ?all redirect=
e19.example.com:
- SPF: v=spf1 default=pass
e20.example.com:
- SPF: "v=spf1 default=+"
e21.example.com:
- SPF: v=spf1 exp=e21msg.example.com -all
e21msg.example.com:
- TIMEOUT: true
e22.example.com:
- SPF: v=spf1 exp=mail.example.com -all
nonascii.example.com:
- SPF: v=spf1 exp=badexp.example.com -all
badexp.example.com:
- TXT: "\xEF\xBB\xBFExplanation"
tworecs.example.com:
- SPF: v=spf1 exp=twoexp.example.com -all
twoexp.example.com:
- TXT: "one"
- TXT: "two"
---
description: Macro expansion rules
tests:
trailing-dot-domain:
spec: 8.1/16
description: >-
trailing dot is ignored for domains
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@example.com
result: pass
trailing-dot-exp:
spec: 8.1
description: >-
trailing dot is not removed from explanation
comment: >-
A simple way for an implementation to ignore trailing dots on
domains is to remove it when present. But be careful not to
remove it for explanation text.
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@exp.example.com
result: fail
explanation: This is a test.
exp-only-macro-char:
spec: 8.1/8
description: >-
The following macro letters are allowed only in "exp" text: c, r, t
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@e2.example.com
result: permerror
skip: We ignore exp, and is harmless.
invalid-macro-char:
spec: 8.1/9
description: >-
A '%' character not followed by a '{', '%', '-', or '_' character
is a syntax error.
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@e1.example.com
result: permerror
invalid-embedded-macro-char:
spec: 8.1/9
description: >-
A '%' character not followed by a '{', '%', '-', or '_' character
is a syntax error.
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@e1e.example.com
result: permerror
invalid-trailing-macro-char:
spec: 8.1/9
description: >-
A '%' character not followed by a '{', '%', '-', or '_' character
is a syntax error.
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@e1t.example.com
result: permerror
macro-mania-in-domain:
description: >-
macro-encoded percents (%%), spaces (%_), and URL-percent-encoded
spaces (%-)
spec: 8.1/3, 8.1/4
helo: mail.example.com
host: 1.2.3.4
mailfrom: test@e1a.example.com
result: pass
exp-txt-macro-char:
spec: 8.1/20
description: >-
For IPv4 addresses, both the "i" and "c" macros expand
to the standard dotted-quad format.
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@e3.example.com
result: fail
explanation: Connections from 192.168.218.40 not authorized.
domain-name-truncation:
spec: 8.1/25
description: >-
When the result of macro expansion is used in a domain name query, if the
expanded domain name exceeds 253 characters, the left side is truncated
to fit, by removing successive domain labels until the total length does
not exceed 253 characters.
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@somewhat.long.exp.example.com
result: fail
explanation: Congratulations! That was tricky.
v-macro-ip4:
spec: 8.1/6
description: |-
v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@e4.example.com
result: fail
explanation: 192.168.218.40 is queried as 40.218.168.192.in-addr.arpa
v-macro-ip6:
spec: 8.1/6
description: |-
v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
helo: msgbas2x.cos.example.com
host: CAFE:BABE::1
mailfrom: test@e4.example.com
result: fail
explanation: cafe:babe::1 is queried as 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa
undef-macro:
spec: 8.1/6
description: >-
Allowed macros chars are 'slodipvh' plus 'crt' in explanation.
helo: msgbas2x.cos.example.com
host: CAFE:BABE::192.168.218.40
mailfrom: test@e5.example.com
result: permerror
p-macro-ip4-novalid:
spec: 8.1/22
description: |-
p = the validated domain name of <ip>
comment: >-
The PTR in this example does not validate.
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@e6.example.com
result: fail
explanation: connect from unknown
p-macro-ip4-valid:
spec: 8.1/22
description: |-
p = the validated domain name of <ip>
comment: >-
If a subdomain of the <domain> is present, it SHOULD be used.
helo: msgbas2x.cos.example.com
host: 192.168.218.41
mailfrom: test@e6.example.com
result: fail
explanation: connect from mx.example.com
p-macro-ip6-novalid:
spec: 8.1/22
description: |-
p = the validated domain name of <ip>
comment: >-
The PTR in this example does not validate.
helo: msgbas2x.cos.example.com
host: CAFE:BABE::1
mailfrom: test@e6.example.com
result: fail
explanation: connect from unknown
p-macro-ip6-valid:
spec: 8.1/22
description: |-
p = the validated domain name of <ip>
comment: >-
If a subdomain of the <domain> is present, it SHOULD be used.
helo: msgbas2x.cos.example.com
host: CAFE:BABE::3
mailfrom: test@e6.example.com
result: fail
explanation: connect from mx.example.com
p-macro-multiple:
spec: 8.1/22
description: |-
p = the validated domain name of <ip>
comment: >-
If a subdomain of the <domain> is present, it SHOULD be used.
helo: msgbas2x.cos.example.com
host: 192.168.218.42
mailfrom: test@e7.example.com
result: [pass, softfail]
skip: p macro is not supported
upper-macro:
spec: 8.1/26
description: >-
Uppercased macros expand exactly as their lowercased equivalents,
and are then URL escaped.
helo: msgbas2x.cos.example.com
host: 192.168.218.42
mailfrom: jack&jill=up@e8.example.com
result: fail
explanation: http://example.com/why.html?l=jack%26jill%3Dup
hello-macro:
spec: 8.1/6
description: |-
h = HELO/EHLO domain
helo: msgbas2x.cos.example.com
host: 192.168.218.40
mailfrom: test@e9.example.com
result: pass
skip: We don't have a HELO-explicit mode.
invalid-hello-macro:
spec: 8.1/2
description: |-
h = HELO/EHLO domain, but HELO is invalid
comment: >-
Domain-spec must end in either a macro, or a valid toplabel.
It is not correct to check syntax after macro expansion.
helo: "JUMPIN' JUPITER"
host: 192.168.218.40
mailfrom: test@e9.example.com
result: fail
hello-domain-literal:
spec: 8.1/2
description: |-
h = HELO/EHLO domain, but HELO is a domain literal
comment: >-
Domain-spec must end in either a macro, or a valid toplabel.
It is not correct to check syntax after macro expansion.
helo: "[192.168.218.40]"
host: 192.168.218.40
mailfrom: test@e9.example.com
result: fail
require-valid-helo:
spec: 8.1/6
description: >-
Example of requiring valid helo in sender policy. This is a complex
policy testing several points at once.
helo: OEMCOMPUTER
host: 1.2.3.4
mailfrom: test@e10.example.com
result: fail
macro-reverse-split-on-dash:
spec: [8.1/15, 8.1/16, 8.1/17, 8.1/18]
description: >-
Macro value transformation (splitting on arbitrary characters, reversal,
number of right-hand parts to use)
helo: mail.example.com
host: 1.2.3.4
mailfrom: philip-gladstone-test@e11.example.com
result: pass
macro-multiple-delimiters:
spec: [8.1/15, 8.1/16]
description: |-
Multiple delimiters may be specified in a macro expression.
macro-expand = ( "%{" macro-letter transformers *delimiter "}" )
/ "%%" / "%_" / "%-"
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo-bar+zip+quux@e12.example.com
result: pass
zonedata:
example.com.d.spf.example.com:
- SPF: v=spf1 redirect=a.spf.example.com
a.spf.example.com:
- SPF: v=spf1 include:o.spf.example.com. ~all
o.spf.example.com:
- SPF: v=spf1 ip4:192.168.218.40
msgbas2x.cos.example.com:
- A: 192.168.218.40
example.com:
- A: 192.168.90.76
- SPF: v=spf1 redirect=%{d}.d.spf.example.com.
exp.example.com:
- SPF: v=spf1 exp=msg.example.com. -all
msg.example.com:
- TXT: This is a test.
e1.example.com:
- SPF: v=spf1 -exists:%(ir).sbl.example.com ?all
e1e.example.com:
- SPF: v=spf1 exists:foo%(ir).sbl.example.com ?all
e1t.example.com:
- SPF: v=spf1 exists:foo%.sbl.example.com ?all
e1a.example.com:
- SPF: "v=spf1 a:macro%%percent%_%_space%-url-space.example.com -all"
"macro%percent space%20url-space.example.com":
- A: 1.2.3.4
e2.example.com:
- SPF: v=spf1 -all exp=%{r}.example.com
e3.example.com:
- SPF: v=spf1 -all exp=%{ir}.example.com
40.218.168.192.example.com:
- TXT: Connections from %{c} not authorized.
somewhat.long.exp.example.com:
- SPF: v=spf1 -all exp=foobar.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.example.com
somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.example.com:
- TXT: Congratulations! That was tricky.
e4.example.com:
- SPF: v=spf1 -all exp=e4msg.example.com
e4msg.example.com:
- TXT: "%{c} is queried as %{ir}.%{v}.arpa"
e5.example.com:
- SPF: v=spf1 a:%{a}.example.com -all
e6.example.com:
- SPF: v=spf1 -all exp=e6msg.example.com
e6msg.example.com:
- TXT: "connect from %{p}"
mx.example.com:
- A: 192.168.218.41
- A: 192.168.218.42
- AAAA: CAFE:BABE::2
- AAAA: CAFE:BABE::3
40.218.168.192.in-addr.arpa:
- PTR: mx.example.com
41.218.168.192.in-addr.arpa:
- PTR: mx.example.com
42.218.168.192.in-addr.arpa:
- PTR: mx.example.com
- PTR: mx.e7.example.com
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa:
- PTR: mx.example.com
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa:
- PTR: mx.example.com
mx.e7.example.com:
- A: 192.168.218.42
mx.e7.example.com.should.example.com:
- A: 127.0.0.2
mx.example.com.ok.example.com:
- A: 127.0.0.2
e7.example.com:
- SPF: v=spf1 exists:%{p}.should.example.com ~exists:%{p}.ok.example.com
e8.example.com:
- SPF: v=spf1 -all exp=msg8.%{D2}
msg8.example.com:
- TXT: "http://example.com/why.html?l=%{L}"
e9.example.com:
- SPF: v=spf1 a:%{H} -all
e10.example.com:
- SPF: v=spf1 -include:_spfh.%{d2} ip4:1.2.3.0/24 -all
_spfh.example.com:
- SPF: v=spf1 -a:%{h} +all
e11.example.com:
- SPF: v=spf1 exists:%{i}.%{l2r-}.user.%{d2}
1.2.3.4.gladstone.philip.user.example.com:
- A: 127.0.0.2
e12.example.com:
- SPF: v=spf1 exists:%{l2r+-}.user.%{d2}
bar.foo.user.example.com:
- A: 127.0.0.2
---
description: Processing limits
tests:
redirect-loop:
description: >-
SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check.
spec: 10.1/6
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e1.example.com
result: permerror
include-loop:
description: >-
SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check.
spec: 10.1/6
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e2.example.com
result: permerror
mx-limit:
description: >-
there MUST be a limit of no more than 10 MX looked up and checked.
comment: >-
The required result for this test was the subject of much
controversy. Many felt that the RFC *should* have specified
permerror, but the consensus was that it failed to actually do so.
The preferred result reflects evaluating the 10 allowed MX records in the
order returned by the test data - or sorted via priority.
If testing with live DNS, the MX order may be random, and a pass
result would still be compliant. The SPF result is effectively
random.
spec: 10.1/7
helo: mail.example.com
host: 1.2.3.5
mailfrom: foo@e4.example.com
result: [neutral, pass, permerror]
ptr-limit:
description: >-
there MUST be a limit of no more than 10 PTR looked up and checked.
comment: >-
The result of this test cannot be permerror not only because the
RFC does not specify it, but because the sender has no control over
the PTR records of spammers.
The preferred result reflects evaluating the 10 allowed PTR records in
the order returned by the test data.
If testing with live DNS, the PTR order may be random, and a pass
result would still be compliant. The SPF result is effectively
randomized.
spec: 10.1/7
helo: mail.example.com
host: 1.2.3.5
mailfrom: foo@e5.example.com
result: [neutral, pass]
false-a-limit:
description: >-
unlike MX, PTR, there is no RR limit for A
comment: >-
There seems to be a tendency for developers to want to limit
A RRs in addition to MX and PTR. These are IPs, not usable for
3rd party DoS attacks, and hence need no low limit.
spec: 10.1/7
helo: mail.example.com
host: 1.2.3.12
mailfrom: foo@e10.example.com
result: pass
mech-at-limit:
description: >-
SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check.
spec: 10.1/6
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e6.example.com
result: pass
mech-over-limit:
description: >-
SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check.
comment: >-
We do not check whether an implementation counts mechanisms before
or after evaluation. The RFC is not clear on this.
spec: 10.1/6
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e7.example.com
result: permerror
include-at-limit:
description: >-
SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check.
comment: >-
The part of the RFC that talks about MAY parse the entire record first
(4.6) is specific to syntax errors. Processing limits is a different,
non-syntax issue. Processing limits (10.1) specifically talks about
limits during a check.
spec: 10.1/6
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e8.example.com
result: pass
include-over-limit:
description: >-
SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check.
spec: 10.1/6
helo: mail.example.com
host: 1.2.3.4
mailfrom: foo@e9.example.com
result: permerror
zonedata:
mail.example.com:
- A: 1.2.3.4
e1.example.com:
- SPF: v=spf1 ip4:1.1.1.1 redirect=e1.example.com
- A: 1.2.3.6
e2.example.com:
- SPF: v=spf1 include:e3.example.com
- A: 1.2.3.7
e3.example.com:
- SPF: v=spf1 include:e2.example.com
- A: 1.2.3.8
e4.example.com:
- SPF: v=spf1 mx
- MX: [0, mail.example.com]
- MX: [1, mail.example.com]
- MX: [2, mail.example.com]
- MX: [3, mail.example.com]
- MX: [4, mail.example.com]
- MX: [5, mail.example.com]
- MX: [6, mail.example.com]
- MX: [7, mail.example.com]
- MX: [8, mail.example.com]
- MX: [9, mail.example.com]
- MX: [10, e4.example.com]
- A: 1.2.3.5
e5.example.com:
- SPF: v=spf1 ptr
- A: 1.2.3.5
5.3.2.1.in-addr.arpa:
- PTR: e1.example.com.
- PTR: e2.example.com.
- PTR: e3.example.com.
- PTR: e4.example.com.
- PTR: example.com.
- PTR: e6.example.com.
- PTR: e7.example.com.
- PTR: e8.example.com.
- PTR: e9.example.com.
- PTR: e10.example.com.
- PTR: e5.example.com.
e6.example.com:
- SPF: v=spf1 a mx a mx a mx a mx a ptr ip4:1.2.3.4 -all
- A: 1.2.3.8
- MX: [10, e6.example.com]
e7.example.com:
- SPF: v=spf1 a mx a mx a mx a mx a ptr a ip4:1.2.3.4 -all
- A: 1.2.3.20
e8.example.com:
- SPF: v=spf1 a include:inc.example.com ip4:1.2.3.4 mx -all
- A: 1.2.3.4
inc.example.com:
- SPF: v=spf1 a a a a a a a a
- A: 1.2.3.10
e9.example.com:
- SPF: v=spf1 a include:inc.example.com a ip4:1.2.3.4 -all
- A: 1.2.3.21
e10.example.com:
- SPF: v=spf1 a -all
- A: 1.2.3.1
- A: 1.2.3.2
- A: 1.2.3.3
- A: 1.2.3.4
- A: 1.2.3.5
- A: 1.2.3.6
- A: 1.2.3.7
- A: 1.2.3.8
- A: 1.2.3.9
- A: 1.2.3.10
- A: 1.2.3.11
- A: 1.2.3.12