Domain-Connect / dc-template-linter

Domain Connect template linter
https://www.domainconnect.org/
Apache License 2.0

Check SPFM in more detail #9

Closed pawel-kow closed 1 week ago

pawel-kow commented 6 months ago

Checks that would be useful for SPFM (warning level):

kerolasa commented 6 months ago

Reported fields already cause errors. Notice that redirect handling is not exactly what is asked, but close.

dc-template-linter  $ ./dc-template-linter -inplace exampleservice.domainconnect.org.template1.json 
2024-05-06T10:32:25+01:00 ERR spfRules must not include v=spf1 groupid= record=1 template=exampleservice.domainconnect.org.template1.json type=SPFM
2024-05-06T10:32:25+01:00 ERR spfRules must not include trailing all rule groupid= record=1 template=exampleservice.domainconnect.org.template1.json type=SPFM
2024-05-06T10:32:25+01:00 ERR spfRules contains unknown macro field field=v groupid= record=1 template=exampleservice.domainconnect.org.template1.json type=SPFM
2024-05-06T10:32:25+01:00 ERR spfRules has multiple redirect fields groupid= record=1 template=exampleservice.domainconnect.org.template1.json type=SPFM
2024-05-06T10:32:25+01:00 ERR spfRules contains unknown modifier groupid= modifier=all record=1 template=exampleservice.domainconnect.org.template1.json type=SPFM

The above errors are from this test file, which I created for the purpose of demonstrating SPFM field handling: exampleservice.domainconnect.org.template1.json

Right now redirect is allowed, but only once. Also, the position of a redirect modifier is not required to be last. The RFC says it should be last but does not require it to be last, so I suppose people can and will put it wherever. IMHO this is strict enough.

https://datatracker.ietf.org/doc/html/rfc7208#section-6.1 https://www.mailhardener.com/blog/spf-redirect-explained

BTW, I can see only one redirect= in use, and that is in a template that does SPF in a creative way.

Templates $ git grep redirect= 
goentri.com.sendmarc.json:      "data": "v=spf1 redirect=%thirdPartyDomain%",
Templates $ dc-template-linter goentri.com.sendmarc.json
2024-05-06T10:42:34+01:00 INF sharedProviderName is in use, but shared backward compatibility is not set template=goentri.com.sendmarc.json
2024-05-06T10:42:34+01:00 INF It is recommended to use SPFM instead of bare SPF record to allow for merging several services. See specification section 6.10 for details. groupid=a2 record=1 template=goentri.com.sendmarc.json type=TXT
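The checks discussed in the comment above, sketched as an added example; this is not dc-template-linter's own code. The function name `CheckSPFRules`, the finding strings and the sample input are assumptions, with the mechanism and modifier names taken from RFC 7208.

```go
package main

import (
	"fmt"
	"strings"
)

// Mechanism names from RFC 7208; redirect and exp are its two modifiers.
var mechanisms = map[string]bool{"all": true, "include": true, "a": true,
	"mx": true, "ptr": true, "ip4": true, "ip6": true, "exists": true}

// CheckSPFRules (hypothetical name, not the linter's function) returns one
// finding per problem in an SPFM spfRules value.
func CheckSPFRules(rules string) (findings []string) {
	terms, redirects := strings.Fields(rules), 0
	for i, term := range terms {
		lower := strings.ToLower(term)
		name, _, isModifier := strings.Cut(lower, "=")
		switch {
		case lower == "v=spf1": // the version tag belongs to the merged record
			findings = append(findings, "must not include v=spf1")
		case isModifier && name == "redirect":
			redirects++ // allowed once, in any position
		case isModifier && name == "exp":
		case isModifier && !strings.ContainsAny(name, ":/"):
			findings = append(findings, "contains unknown modifier "+name)
		default: // mechanism: [qualifier]name[:value][/cidr]
			name = strings.TrimLeft(name, "+-~?") // strip leading qualifier characters
			if j := strings.IndexAny(name, ":/"); j >= 0 {
				name = name[:j]
			}
			if !mechanisms[name] {
				findings = append(findings, "contains unknown mechanism "+name)
			} else if name == "all" && i == len(terms)-1 {
				findings = append(findings, "must not include trailing all rule")
			}
		}
	}
	if redirects > 1 {
		findings = append(findings, "has multiple redirect fields")
	}
	return findings
}

func main() {
	// Constructed sample input, not the linter's test file.
	for _, f := range CheckSPFRules("v=spf1 include:_spf.example.com redirect=a.example.com redirect=b.example.com -all") {
		fmt.Println("ERR spfRules", f)
	}
}
```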

pawel-kow commented 6 months ago

yes, redirect in bare SPF would be OK. Cool thx.