💡 Summary
Add a Rego check to MS.EXO.2.2v1 to assert that the SPF policy includes -all or a redirect.

Motivation and context
First, a dive into some of the subtleties of the SPF specification. Relevant SPF definitions:

- Qualifier: a directive indicating the result of any matching records. "-" is the qualifier for fail, so "-all" basically translates to "everything else fails".
- Neutral: one of the possible results; it indicates that no determination, positive or negative, could be made. Literally MUST be treated as if there were no SPF record.
- Redirect: a modifier that effectively says "look up this other record and do whatever it says." Useful for admins who want to reduce code duplication by having all the domains they manage point to one common SPF record.

Per RFC 7208:

If ADMDs choose to publish SPF records and want to support receivers making negative authorization determinations, it is necessary for them to publish records that end in "-all", or redirect to other records that do; otherwise, no definitive determination of authorization can be made.

In other words, in order for a mail server to conclude that a given sender is not authorized, the SPF policy must end in -all. Without it, any sender that doesn't match the policy will evaluate as "neutral," which means the SPF policy will not provide any spoofing protection against IPs not explicitly listed.

MS.EXO.2.2v1 states that "An SPF policy SHALL be published for each domain, designating only these addresses as approved senders." Given all the above context, in order to meet the intent of the baseline and ensure that only the approved senders pass evaluation, the policy needs to either:

- Include -all
- Include redirect=

We could take this one step further and recursively evaluate the redirects to assert that they redirect to a policy that ends in -all, but I'd argue that that is out of scope for ScubaGear. Simply adding the above checks would go a long way to ensuring that the SPF records are functioning as intended.

Implementation notes
Ensure the SPF policies include one of the following substrings:

- -all
- redirect=

Acceptance criteria
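As an added example (this is not ScubaGear's Rego and not part of the original issue), the following Python models both the substring check proposed above and the stricter evaluation the issue mentions but leaves out of scope: it walks the record term by term, follows redirect= recursively, and reports what a non-matching sender would receive under RFC 7208. The domain names and records in SAMPLE_RECORDS are constructed for the example, and the `lookup` callable stands in for a DNS TXT query; both are assumptions, not data from the issue.

```python
"""Model of the two SPF policy checks discussed in the issue.

1. proposed_substring_check: the check as proposed, "-all" or "redirect=" present.
2. terminal_result: a stricter, RFC 7208 style evaluation of what a sender that
   matches no mechanism would get, following redirect= recursively.
"""
import re

# Constructed sample zone for the example: domain -> SPF TXT record. Not real DNS data.
SAMPLE_RECORDS = {
    "good.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.good.example -all",
    "_spf.good.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "neutral.example": "v=spf1 ip4:203.0.113.0/24",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "redirect.example": "v=spf1 redirect=_spf.good.example",
    "redirect-weak.example": "v=spf1 redirect=neutral.example",
    "all-beats-redirect.example": "v=spf1 ~all redirect=_spf.good.example",
    "loop-a.example": "v=spf1 redirect=loop-b.example",
    "loop-b.example": "v=spf1 redirect=loop-a.example",
}

# An "all" mechanism with an optional qualifier; mechanism names are case-insensitive in SPF.
_ALL_RE = re.compile(r"^([-+~?])?all$", re.IGNORECASE)
_REDIRECT_RE = re.compile(r"^redirect=(.+)$", re.IGNORECASE)
_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def proposed_substring_check(record: str) -> bool:
    """The check as proposed in the issue: pass if "-all" or "redirect=" appears anywhere."""
    r = record.lower()  # SPF terms are case-insensitive, so compare in lower case
    return "-all" in r or "redirect=" in r


def terminal_result(record: str, lookup, depth: int = 0, max_depth: int = 10) -> str:
    """Result for a sender that matches none of the record's explicit mechanisms.

    Returns "fail", "softfail", "neutral", "pass" (a "+all" record), "permerror",
    or "none" when the text is not an SPF record at all.
    RFC 7208: the first "all" mechanism ends evaluation, and a redirect= modifier
    is ignored whenever an "all" mechanism is present anywhere in the record.
    include: terms are not followed here, because an included record can only
    produce a match (pass); it never turns a non-matching sender into a fail.
    """
    if depth > max_depth:
        return "permerror"  # redirect loop / too many lookups (RFC 7208 caps DNS lookups at 10)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    redirect_target = None
    for term in terms[1:]:
        m = _ALL_RE.match(term)
        if m:
            return _QUALIFIER_RESULT[m.group(1) or "+"]  # bare "all" means "+all"
        m = _REDIRECT_RE.match(term)
        if m:
            redirect_target = m.group(1)
    if redirect_target is not None:
        target_record = lookup(redirect_target)
        if target_record is None:
            return "permerror"  # RFC 7208: redirect to a domain with no SPF record is permerror
        return terminal_result(target_record, lookup, depth + 1, max_depth)
    return "neutral"  # no match and no redirect: RFC 7208 default result


def definitive_fail(domain: str, records=SAMPLE_RECORDS) -> bool:
    """True only if unlisted senders end up with a hard fail, redirects included."""
    return terminal_result(records.get(domain, ""), records.get) == "fail"


def audit(domain: str, records=SAMPLE_RECORDS) -> dict:
    """Side-by-side view of the proposed check and the stricter evaluation."""
    record = records.get(domain, "")
    return {
        "substring_check": proposed_substring_check(record),
        "terminal_result": terminal_result(record, records.get),
    }


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(f"{name:32} {audit(name)}")
```

Two of the constructed records show where the substring check and the full evaluation disagree. "all-beats-redirect.example" contains redirect= and so satisfies the substring check, but because an "all" mechanism is present RFC 7208 ignores the redirect and unlisted senders get softfail. "redirect-weak.example" also satisfies the check, yet its redirect target has no -all, so the final answer is neutral; that is exactly the recursive case the issue chooses not to chase.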