stalwartlabs / mail-auth

DKIM, ARC, SPF and DMARC library for Rust
https://docs.rs/mail-auth/
Apache License 2.0

DNS lookup limit being hit too early during SPF verification #35

Closed titussanchez closed 2 months ago

titussanchez commented 2 months ago

Hi,

I ran across this domain recently: linbit.com.

Running an SPF verification on this domain with a valid sending IP, 209.85.217.50, results in a permerror. However, other SPF testers like MXtoolbox and the EasyDMARC SPF checker both result in an SPF pass for the domain and the corresponding sending IP.

Looking at the EasyDMARC analysis of lookups I think the reason for the lookup limit difference is that the mail-auth library increments the lookup count for each entry in the MX record whereas the EasyDMARC test doesn't add any additional lookups when it resolves each entry in the MX record.

https://github.com/stalwartlabs/mail-auth/blob/2ae73db5cd3607c5e80288e812194caf69b2bfac/src/spf/verify.rs#L186-L191

I also looked at how a Python SPF library handles counting the lookups [1] and it also looks like they do not count the lookup for each entry in the MX record either. Instead, there is a separate limit for the MX record specifically that will result in a permerror if there are more than 10 entries in the MX record. This limit is from RFC 7208 section 4.6.4.

@mdecimus Are you open to a pull request where I remove the incrementing of lookups for each entry in the MX record and instead return a permerror if there are more than 10 entries in the MX record?

[1] https://github.com/sdgathman/pyspf/blob/0b985f9692d7ae305774913e67ed639240e237e7/spf.py#L956-L958

titussanchez commented 2 months ago

I also just noticed that there might be an off-by-one error in the testing for the maximum number of DNS lookups allowed. Having exactly 10 lookups should not result in a permerror.

https://github.com/stalwartlabs/mail-auth/blob/2ae73db5cd3607c5e80288e812194caf69b2bfac/resources/spf/basic.yml#L88

https://github.com/stalwartlabs/mail-auth/blob/2ae73db5cd3607c5e80288e812194caf69b2bfac/resources/spf/basic.yml#L112-L115

mdecimus commented 2 months ago

Looking at the EasyDMARC analysis of lookups I think the reason for the lookup limit difference is that the mail-auth library increments the lookup count for each entry in the MX record whereas the EasyDMARC test doesn't add any additional lookups when it resolves each entry in the MX record.

Thanks for reporting this, I needed to make a few changes so I fixed it directly. Please check it out and let me know.

I also just noticed that there might be an off-by-one error in the testing for the maximum number of DNS lookups allowed.

The lookup count starts at 1 to include the initial DNS lookup to obtain the SPF record. I need to re-read the RFC to check if this is correct or not.

titussanchez commented 2 months ago

Looks good to me. Thanks!

My reading of the RFC was that the initial lookup didn't count toward the limit of 10.

I created some test domains with SPF records to see how others were handling this:

ninespf.titussanchez.com
tenspf.titussanchez.com
elevenspf.titussanchez.com

MX Toolbox was fine with the 10 lookups in tenspf.titussanchez.com. EasyDMARC was also fine with 10 lookups in tenspf.titussanchez.com. The mail-auth library currently throws a permerror for tenspf.titussanchez.com.
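To make the two counting rules from this thread concrete (one lookup per `mx` mechanism rather than per MX entry, and exactly ten counted lookups passing because the initial TXT fetch is not counted), here is an added illustration that is not mail-auth's own code. It assumes the record's terms are already parsed and the MX names already resolved, so the model only has to count.

```rust
// Added illustration, not mail-auth's own code: a minimal model of the two
// limits in RFC 7208 section 4.6.4 discussed in this thread. Assumption:
// terms are already parsed, and the MX record's entries already resolved,
// so the model only has to count.

/// Mechanisms/modifiers that trigger a DNS query, counted across the record.
const MAX_DNS_LOOKUPS: u32 = 10;
/// Names one MX query may return; exceeding it is a permerror on its own.
const MAX_MX_ENTRIES: usize = 10;

#[derive(Debug, Clone, PartialEq)]
pub enum SpfTerm {
    Ip4,                   // no query, never counted
    A,
    Mx { entries: usize }, // one query; the per-entry A/AAAA queries are not counted
    Ptr,
    Exists,
    Include,
    Redirect,
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Ok { lookups: u32 },
    PermError(&'static str),
}

/// Evaluates a record's terms, stopping at the first permerror.
/// The initial TXT query that fetches the SPF record itself is not counted,
/// so the counter starts at zero (exactly ten lookups must pass).
pub fn check_record(terms: &[SpfTerm]) -> Outcome {
    let mut lookups = 0u32;
    for term in terms {
        match term {
            SpfTerm::Ip4 => continue,
            SpfTerm::Mx { entries } if *entries > MAX_MX_ENTRIES => {
                return Outcome::PermError("MX record returned more than 10 names");
            }
            _ => {}
        }
        lookups += 1;
        if lookups > MAX_DNS_LOOKUPS {
            return Outcome::PermError("more than 10 DNS lookups");
        }
    }
    Outcome::Ok { lookups }
}
```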

titussanchez commented 2 weeks ago

@mdecimus, wondering if you saw my comment about the lookup limit here

mdecimus commented 2 weeks ago

Saw it but then got buried in other issues. Just fixed it and published version 0.5.0.