sdgathman / pyspf

validating an spf record #33

Open greggles opened 2 years ago

greggles commented 2 years ago

Hi,

I'd like to use this tool to validate an spf record. It's not really clear to me the best and easiest way to do this. It seems like a useful feature to support easily and perhaps document in the README.md.

I did look at the Kitterman code which seems to validate spf records, but didn't quite figure out their invocation yet.

sdgathman commented 2 years ago

"Validating" is kind of a hack. You pass an ip that doesn't match anything, making everything get parsed. I'm not sure what Kitterman does, but you can pass the undocumented (should document) special value 'list' or 'list6' for the ip. This will not match any mechanism, and in addition tries to build a set of ips that would match and get Pass. This is very incomplete, and impossible in general. But it does make every mechanism get parsed, which "validates" the policy.

It SHOULD be possible to know when the list of matching ips is complete. The libspf C library does this, and can "compile" policies for ultra fast subsequent evaluations. It caches the ipset for any policy that can be completely represented by a set. E.g. "v=spf1 a:1.2.3.0/24 -all". Also, there should be an ipset for each result, not just Pass.

sdgathman commented 2 years ago

It would be less hacky to just have a "validate" method that parses all mechanisms without otherwise evaluating them.
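A parse-only check of the kind proposed in the last comment, as an added example that is not pyspf code and not part of the thread: it walks every term of a record against the RFC 7208 grammar without evaluating anything or touching DNS. The names `validate_spf` and `check_directive` are hypothetical, the sample records are constructed, and macros inside domain arguments and the contents of modifiers are not checked.

```python
import ipaddress
import re

# [qualifier] name [":" argument] ["/" ip4-cidr] ["//" ip6-cidr], after RFC 7208 section 12
DIRECTIVE = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)(?::(.*?))?(?:/(\d+))?(?://(\d+))?$")
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=")
ARG_REQUIRED = {"include", "exists", "ip4", "ip6"}
ARG_OPTIONAL = {"a", "mx", "ptr"}

def check_directive(term):
    """Return an error string for one directive, or None if it parses."""
    m = DIRECTIVE.match(term)
    if not m:
        return "unparseable term"
    name, arg, v4, v6 = m.group(1).lower(), m.group(2), m.group(3), m.group(4)
    if name not in ARG_REQUIRED | ARG_OPTIONAL | {"all"}:
        return "unknown mechanism"
    if arg == "" or (arg is None and name in ARG_REQUIRED):
        return "missing argument"
    if name == "all" and arg is not None:
        return "all takes no argument"
    if name in ("ip4", "ip6"):
        cls = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
        try:  # strict=False: host bits may be set, as in ip4:192.0.2.1/24
            cls(arg if v4 is None else f"{arg}/{v4}", strict=False)
        except ValueError:
            return "invalid network"
        return "unexpected //length" if v6 is not None else None
    if (v4 or v6) and name not in ("a", "mx"):
        return "CIDR length not allowed"
    too_long = (v4 and int(v4) > 32) or (v6 and int(v6) > 128)
    return "CIDR length out of range" if too_long else None

def validate_spf(record):
    """Parse every term without evaluating it; return a list of error strings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    errors = []
    for term in terms[1:]:
        if MODIFIER.match(term):  # redirect=, exp= and unknown modifiers: not checked further
            continue
        if problem := check_directive(term):
            errors.append(f"{term}: {problem}")
    return errors

# Constructed sample records (documentation addresses and example domains).
GOOD = "v=spf1 ip4:192.0.2.0/24 a:mail.example.com/24//64 mx include:_spf.example.net ~all"
BAD = "v=spf1 ip4:192.0.2.0/33 include -al"
```

An empty list from `validate_spf` means every term parsed; it says nothing about whether included or redirected records exist or stay within the DNS lookup limit.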