postalsys / mailauth

Command line utility and a Node.js library for email authentication

SPF policies with an exists method fail (considered as having no SPF policy at all) #49

Closed valeriansaliou closed 11 months ago

valeriansaliou commented 11 months ago

Hey @andris9, thank you so much for your work on mailauth. I'd frankly have built this library myself if you did not do it first, thanks again for that.

I'm using mailauth on a busy inbound mail server, successfully, however I'm seeing instances where SPF validation fails, with the following e.g. output:

digitalocean.com does not designate permitted sender hosts

Checking digitalocean.com manually, it appears that their SPF policy is valid. Note that I've raised the DNS resolution limit from 10 to 20 just to be safe, as they are well above the 10 resolutions limit.

Their policy is as such:

"v=spf1 include:spf.digitalocean.com include:_spf.google.com include:_spf.salesforce.com include:mg-spf.greenhouse.io include:helpscoutemail.com -all"

When digging _spf.salesforce.com, it appears that they are using the SPF exists method:

"v=spf1 exists:%{i}._spf.mta.salesforce.com -all"

I got the very same error for the siemens.com domain name, which has a valid (though huge) SPF policy, and which is also using the exists method:

"v=spf1 exists:%{i}.spf.siemens.com include:spf.protection.outlook.com include:amazonses.com include:all.spf.avature.net include:mail.zendesk.com -all"

It appears that SPF results containing the following pattern: exists:%{i} lead to mailauth thinking that there is no SPF policy at all on the domain.
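To make the `exists:%{i}` mechanism concrete, here is an added example (not code from mailauth or from the issue author) that expands SPF macros per RFC 7208 section 7 and lists the hostnames an `exists:` term would query for a given client IP. It performs no DNS lookups, so it can be used to eyeball which A-record names a verifier must resolve; the context fields (`ip`, `domain`, `sender`, `helo`) are assumed inputs and `%{p}` is left as `unknown` because validated-domain lookup is out of scope here.

```javascript
// Added example: SPF macro expansion (RFC 7208 section 7) for exists: terms.
// Not part of mailauth; no DNS queries are performed.

// Expand an IPv6 address to 32 dot-separated hex nibbles, as %{i} requires.
function ipv6Nibbles(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const groups = [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
  return groups.map((g) => g.padStart(4, '0')).join('').split('').join('.');
}

// Split on any character of the delimiter set (default '.').
function splitOn(value, delims) {
  const parts = [''];
  for (const ch of value) {
    if (delims.includes(ch)) parts.push('');
    else parts[parts.length - 1] += ch;
  }
  return parts;
}

// ctx: { ip, domain, sender, helo } -- all assumed to be supplied by the caller.
function expandSpfMacros(text, ctx) {
  const { ip, domain, sender, helo } = ctx;
  const isV6 = ip.includes(':');
  const letters = {
    s: sender,
    l: sender.split('@')[0],
    o: sender.split('@')[1] || '',
    d: domain,
    i: isV6 ? ipv6Nibbles(ip) : ip,
    v: isV6 ? 'ip6' : 'in-addr',
    h: helo,
    p: 'unknown', // validated domain: would need PTR + forward lookups
  };
  const re = /%([%_-])|%\{([slodivhp])(\d*)(r?)([.\-+,/_=]*)\}/gi;
  return text.replace(re, (m, esc, letter, digits, rev, delims) => {
    if (esc === '%') return '%';
    if (esc === '_') return ' ';
    if (esc === '-') return '%20';
    let parts = splitOn(letters[letter.toLowerCase()] || '', delims || '.');
    if (rev.toLowerCase() === 'r') parts.reverse();
    if (digits) parts = parts.slice(-Number(digits)); // keep right-most N labels
    const out = parts.join('.');
    // Upper-case macro letters request URL-encoding of the expansion.
    return letter === letter.toUpperCase() ? encodeURIComponent(out) : out;
  });
}

// Return the hostnames that each exists: term in an SPF record would look up.
function existsTargets(record, ctx) {
  return record
    .split(/\s+/)
    .map((term) => term.replace(/^[+\-~?]/, ''))
    .filter((term) => term.toLowerCase().startsWith('exists:'))
    .map((term) => expandSpfMacros(term.slice('exists:'.length), ctx));
}

// Constructed sample: the Salesforce record quoted in the issue, with an
// arbitrary IPv4 client address.
const sampleCtx = {
  ip: '54.173.229.38',
  domain: '_spf.salesforce.com',
  sender: 'postmaster@digitalocean.com',
  helo: 'mail.example.net',
};
console.log(existsTargets('v=spf1 exists:%{i}._spf.mta.salesforce.com -all', sampleCtx));
```

The verifier then has to resolve each returned name with an A query; a `pass` for that mechanism means the name exists, regardless of which address it returns. Every `exists:` term costs one extra lookup per message on top of the `include:` chain, which is why large records like the ones quoted above press against the 10-lookup limit.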

andris9 commented 11 months ago

Can you check the IPs manually using the cli?

$ mailauth spf -v -f digitalocean.com -i 54.173.229.38
{
  "domain": "digitalocean.com",
  "client-ip": "54.173.229.38",
  "envelope-from": "postmaster@digitalocean.com",
  "rr": "v=spf1 include:spf.digitalocean.com include:_spf.google.com include:_spf.salesforce.com include:mg-spf.greenhouse.io include:helpscoutemail.com -all",
  "status": {
    "result": "pass",

It is more likely that it is the DNS that is failing - to resolve these large SPF records, mailauth needs to run a large number of DNS queries, and if you run a busy server and the DNS system is not tuned correctly, or you are using an external provider, then these queries might start to fail, or are throttled.

valeriansaliou commented 11 months ago

Hello Andris, thank you for the quick answer. I've narrowed it down to a production DNS system resolver issue, while the issue was not here / not replicable on my development environment. Definitely not related to mailauth, I'm closing this.

To be more specific, this seems to be an issue with DNS TCP requests, where the production resolver only attempts using UDP, and gets a partial, fragmented response, which it considers complete, and therefore resolves with some but not all TXT records, which do not contain the SPF record.
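The failure mode described above can be checked at the wire level: a DNS answer that did not fit in the UDP payload carries the TC (truncated) flag in its header, and a resolver that honours it retries the query over TCP. The following added example (not code from mailauth or from the issue participants) decodes a DNS message header and reports whether a TCP retry is required; the sample bytes are constructed, with an arbitrary transaction id.

```javascript
// Added example: decode a DNS header (RFC 1035 section 4.1.1) and decide
// whether a UDP answer was truncated and must be retried over TCP.
// Not part of mailauth. Sample messages are constructed here, not captured.

const RCODES = ['NOERROR', 'FORMERR', 'SERVFAIL', 'NXDOMAIN', 'NOTIMP', 'REFUSED'];

// Parse the fixed 12-byte header of a DNS message held in a Buffer.
function parseDnsHeader(buf) {
  if (buf.length < 12) throw new Error('DNS message shorter than header');
  const flags = buf.readUInt16BE(2);
  return {
    id: buf.readUInt16BE(0),
    isResponse: Boolean(flags & 0x8000), // QR
    truncated: Boolean(flags & 0x0200),  // TC
    rcode: RCODES[flags & 0x000f] || `RCODE${flags & 0x000f}`,
    questions: buf.readUInt16BE(4),
    answers: buf.readUInt16BE(6),
    authority: buf.readUInt16BE(8),
    additional: buf.readUInt16BE(10),
  };
}

// A truncated response must not be treated as the complete RRset: the
// correct behaviour is to repeat the query over TCP.
function needsTcpRetry(buf) {
  const h = parseDnsHeader(buf);
  return h.isResponse && h.truncated;
}

// Build a constructed response header for demonstration (no question or
// answer sections are included; only the header is inspected here).
function buildHeader({ id, truncated, answers }) {
  const buf = Buffer.alloc(12);
  let flags = 0x8000 | 0x0100 | 0x0080; // QR, RD, RA
  if (truncated) flags |= 0x0200;       // TC
  buf.writeUInt16BE(id, 0);
  buf.writeUInt16BE(flags, 2);
  buf.writeUInt16BE(1, 4);              // one question
  buf.writeUInt16BE(answers, 6);
  return buf;
}

// Constructed sample: a UDP answer that only carried 3 of the TXT records.
const truncatedAnswer = buildHeader({ id: 0x1234, truncated: true, answers: 3 });
console.log(parseDnsHeader(truncatedAnswer), 'retry over TCP:', needsTcpRetry(truncatedAnswer));
```

To reproduce the resolver behaviour from the issue on a live system, comparing `dig txt <domain> +notcp` with `dig txt <domain> +tcp` shows whether the UDP answer is flagged `tc` in dig's output and whether the TCP answer carries the SPF record that the UDP one lacked.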