Mailing List Archive

Re: [spf-devel] Re: Upcoming new test-suite release
On Thu, 27 Mar 2008, Frank Ellermann wrote:

> <>
> <>
> <>
> <>
> Inconclusive, two for "no match", two for "PermError", the
> latter based on 2.5.7.

I was for TempError myself. But no match is ok. The test suite
allowed no match or TempError until the latest change. It never
allowed PermError. I guess we all though it was just "so wrong",
at least for the macro expansion case. There should probably be
an errata to modify 2.5.7 if we go with no match.

For reference, 2.5.7/3 says:
"Be aware that if the domain owner uses macros (Section 8), it is possible that
this result is due to the checked identities having an unexpected format."

This does not say specifically that '' should be a PermError,
just that some unspecified condition might result in one.

Section 5 says:
"For these DNS queries, except where noted, if the DNS server returns an error
(RCODE other than 0 or 3) or the query times out, the mechanism throws the
exception "TempError". If the server returns "domain does not exist" (RCODE 3),
then evaluation of the mechanism continues as if the server returned no error
(RCODE 0) and zero answer records."

Since '' cannot actually be sent to a DNS server, it cannot
result in an RCODE other than 0 or 3, and cannot result in a timeout,
and hence cannot be a TempError. Besides, in the non-macro case, the error
is decidedly permanent, no temporary. That leaves 'no match' or PermError.

A PermError is wrong because in the macro case, the error is *not*
permanent, but may depend on the sender.

So 'no match' is the only consistent result. But the spec is far from
clear on the point, despite what Julian says.

Stuart D. Gathman <>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Sender Policy Framework:
Modify Your Subscription:
RSS Feed:
Powered by Listbox: