Mailing List Archive

Re: Which SPF implementation to choose?
Hash: SHA1

Stuart D. Gathman wrote on spf-discuss:
> I added this test:
> tests:
> redirect-is-modifier:
> description: |-
> Invalid mechanism. Redirect is a modifier.
> spec: 4.6.1/4
> helo:
> host:
> mailfrom:
> result: permerror
> zonedata:
> - A:
> - SPF: v=spf1 ip4:
> It is not clear which spec paragraph is being tested. Could also
> be 6/2, or maybe the list of defined mechanisms.

I think the primary spec reference should be 6.1/2 (the grammar definition
in 6.1), but I think 4.6.1/2 (not /4) could be listed as a secondary

(And, again, watch the indentation of the DNS records below the domains!
That of the "SPF" record is correct YAML, that of the "A" record isn't.
See my posting on spf-devel.)

> I think the spec should be able to list multiple paragraphs. Julian -
> what is the recommended YAML syntax? Should it be an explicit YAML list?
> Or just comma or space separate the string?

Yes, it's allowed to list multiple spec references. Explicit list syntax
is required, e.g.:

spec: [6.1/2, 4.6.1/2]

Omitting the brackets would make it a single, unstructured string.

> > it is an invalid netmask
> The RFC defines the CIDR as:
> ip4-cidr-length = "/" 1*DIGIT
> which certainly includes /0. It also includes /33, which will never
> match - or perhaps matches randomly :-). In any case, 0 is clearly
> allowed, as in ip4: - which is a synonym for all.

No, "ip4:" is NOT a synonym for "all". It doesn't match IPv6
addresses (other than IPv4-mapped ones, i.e. ::ffff:n.n.n.n, which are
treated as IPv4 addresses, of course).

> Pyspf currently insists that CIDR be /1 - /32, and gives permerror
> for /0, /33, and /032. Unless someone wants to argue that pyspf
> behaviour is implied in the penumbras of the RFC (e.g. because
> ip4-network is spelled out that way), I maintain that pyspf is wrong.

Agreed. It may not be nice that leading zeroes are permitted, but they
undeniably are.

Version: GnuPG v1.4.5 (GNU/Linux)


To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to