cisagov / trustymail

Scan domains and return data based on trustworthy email best practices
Creative Commons Zero v1.0 Universal

Records with include tags not handled correctly #109

Closed jsf9k closed 5 years ago

jsf9k commented 5 years ago

One of our stakeholders pointed out that:

In report of SPF record validity, why does the include not override the fail status? In the real world it does, in reporting, it does not – example, if an SPF record ends in ~all, but also has an include that ends in -all, in the real world, the -all overrides, but in reporting, the ~all is used for evaluation, which makes it invalid.

This stakeholder is correct. This is a bug in trustymail. See section 5.2 of RFC7208. Here is the offending piece of code.
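As an added example (not trustymail's code), the following is a minimal check_host() that follows the include rules of RFC 7208 section 5.2, which the comment cites, run over constructed records shaped like the stakeholder's scenario: an outer record ending in ~all with an include whose record ends in -all. Section 5.2 states that an include mechanism matches only when the included record evaluates to pass; a fail, softfail or neutral result from the included record is simply "no match" and evaluation of the outer record continues, while temperror and permerror propagate and a missing included record is a permerror. The domain names and IP ranges are constructed, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed SPF records keyed by domain; no real DNS lookups are made.
RECORDS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test ~all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

# RFC 7208 section 4.6.2: qualifier prefix -> result when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_INCLUDE_DEPTH = 10  # RFC 7208 section 4.6.4 limits DNS-querying terms to 10


def ip_in_cidr(ip, cidr):
    """True if ip (v4 or v6 string) lies inside cidr; mismatched versions never match."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, records=RECORDS, depth=0):
    """Simplified RFC 7208 check_host() supporting ip4, ip6, include and all."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip_in_cidr(ip, term.split(":", 1)[1]):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            sub = check_host(ip, term[len("include:"):], records, depth + 1)
            if sub == "pass":
                return QUALIFIER_RESULT[qualifier]  # include matched
            if sub in ("temperror", "permerror"):
                return sub  # errors propagate to the outer evaluation
            if sub == "none":
                return "permerror"  # RFC 7208 5.2: missing included record
            # fail / softfail / neutral: include does not match, keep going
        else:
            return "permerror"  # mechanism not implemented in this example
    return "neutral"  # RFC 7208 section 4.7: no mechanism matched


if __name__ == "__main__":
    # A sender outside both ranges is not overridden by the included -all;
    # the outer ~all decides, so the result is softfail.
    print(check_host("203.0.113.5", "example.test"))   # softfail
    print(check_host("198.51.100.7", "example.test"))  # pass (via include)
    print(check_host("192.0.2.1", "example.test"))     # pass (outer ip4)
```

A scanner that reports on SPF validity has to apply exactly this rule: the included record's terminal -all only decides the included lookup's result, and that result is collapsed to match / no match before the outer record's own all mechanism is reached.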

jsf9k commented 5 years ago

A quick check of last weekend's scans (grep -HniF "Result unexpectedly" trustymail.csv | wc -l) only finds 28 ambiguities when scanning 92k hosts.