Bug #67073 for Mail-SPF: spf2 record includes spf1 record

# Tue Mar 29 20:13:30 2011 jdfalk [...] returnpath.net - Ticket created

MIME-Version:	1.0
X-Spam-Flag:	NO
Acceptlanguage:	en-US
content-type:	text/plain; charset="utf-8"
X-Virus-Scanned:	Debian amavisd-new at bestpractical.com
X-Ems-Stamp:	SAigVPiz5BQX/1WwrGWKyQ==
X-Spam-Score:	-5.911
Received:	from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 9BDB62417E8 for <cpan-bug+mail-spf [...] hipster.bestpractical.com>; Tue, 29 Mar 2011 20:13:29 -0400 (EDT)
Received:	from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 41LHKP0nYYF8 for <cpan-bug+mail-spf [...] hipster.bestpractical.com>; Tue, 29 Mar 2011 20:13:27 -0400 (EDT)
Received:	from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id 7215C241754 for <bug-mail-spf [...] rt.cpan.org>; Tue, 29 Mar 2011 20:13:27 -0400 (EDT)
Received:	(qmail 29285 invoked by uid 103); 30 Mar 2011 00:13:26 -0000
Received:	from x16.dev (10.0.100.26) by x1.dev with QMQP; 30 Mar 2011 00:13:26 -0000
Received:	from mail.corp.returnpath.net (HELO mail.corp.returnpath.net) (38.109.196.9) by 16.mx.develooper.com (qpsmtpd/0.80/v0.80-19-gf52d165) with ESMTP; Tue, 29 Mar 2011 17:13:22 -0700
Received:	from mail.corp.returnpath.net (localhost.localdomain [127.0.0.1]) by mail.corp.returnpath.net (Postfix) with ESMTP id 897E52501E9; Tue, 29 Mar 2011 18:13:19 -0600 (MDT)
Received:	from rpcoex01.rpcorp.local (unknown [10.0.1.142]) by mail.corp.returnpath.net (Postfix) with ESMTP id 809F2250199; Wed, 30 Mar 2011 00:13:19 +0000 (UTC)
Received:	from rpcoex01.rpcorp.local ([10.0.1.142]) by rpcoex01.rpcorp.local ([10.0.1.142]) with mapi; Tue, 29 Mar 2011 18:12:29 -0600
Authentication-Results:	hipster.bestpractical.com (amavisd-new); dkim=pass header.i= [...] returnpath.net
Authentication-Results:	hipster.bestpractical.com (amavisd-new); domainkeys=pass header.from=jdfalk [...] returnpath.net
Delivered-To:	cpan-bug+mail-spf [...] hipster.bestpractical.com
Subject:	spf2 record includes spf1 record
Thread-Index:	AcvubyghXnZnTjJUQ0CB2rKGp+2DNQ==
X-Spam-Check-BY:	16.mx.develooper.com
Dkim-Signature:	v=1; a=rsa-sha1; c=relaxed; d=returnpath.net; h=from:to :date:subject:message-id:content-type:content-transfer-encoding :mime-version; s=selector1; bh=bHRF9Wmy6svxM1QaXekn9EdBZMc=; b=M hQ0xTAOQZ6ayxJcC/FN+uoteivelaBbKCh7m5Dr5Hr4mBDEGMD+oBUbCtxJInhbW Jgcjzn1tlNktbffSD1QFC2rVeX5EnSM/FL/Aeiv9qIF7ZIY/RFeIYNhVO+gQk7r1 kkIrAMx+BidR0cgacv+cnbDDTQvnhzKqn4tq4wjk10=
Date:	Tue, 29 Mar 2011 18:13:16 -0600
X-Spam-Level:
To:	"bug-mail-spf [...] rt.cpan.org" <bug-mail-spf [...] rt.cpan.org>
Content-Transfer-Encoding:	quoted-printable
From jdfalk [...] returnpath.net Tue Mar 29 20:	13:29 2011
X-Ems-Proccessed:	Yma8eInq5qTp77FzNR/WDA==
X-Spam-Status:	No, score=-5.911 tagged_above=-99.9 required=10 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_SOFTFAIL=0.665, URIBL_GREY=0.424] autolearn=ham
Content-Language:	en-US
Message-ID:	<C9B7C3AC.1234B%jdfalk [...] returnpath.net>
X-MS-Tnef-Correlator:
User-Agent:	Microsoft-MacOutlook/14.2.0.101115
Domainkey-Signature:	a=rsa-sha1; c=nofws; d=returnpath.net; h=from:to :date:subject:message-id:content-type:content-transfer-encoding :mime-version; q=dns; s=selector1; b=OXnisgTZIgwW0ZCWJqOnD0SpDE5 qRT2RJpwOJudlUC2+heRmA8rnYCWKU0mO5bXF2Ae1RRIJP28MXzCfkWPTjh4qVNI FhRqubQEh7jmCXp4b+GiMJWdlzM8iq4yCgJ8fRgtmj41kWFVNVBezEm/UM7Puy2q zrmUduIdlerKBEOY=
Return-Path:	<jdfalk [...] returnpath.net>
X-Original-To:	cpan-bug+mail-spf [...] hipster.bestpractical.com
X-RT-Mail-Extension:	mail-spf
Thread-Topic:	spf2 record includes spf1 record
X-MS-Has-Attach:
Accept-Language:	en-US
From:	J D Falk <jdfalk [...] returnpath.net>
X-RT-Original-Encoding:	us-ascii
Content-Length:	1526

Download (untitled) / with headers
text/plain 1.4k

We've run into an interesting issue -- not sure if it's a bug, or a difference in interpretation. The spf2.0/pra record for vodafone.it has two include statements: vodafone.it text = "v=spf1 include:spf1.vodafone.it include:aspmx.googlemail.com include:t.contactlab.it ~all" vodafone.it text = "spf2.0/pra include:spf2.vodafone.it include:aspmx.googlemail.com include:senderid-a.contactlab.it -all" Google's included record redirects to a record which is only spf1: aspmx.googlemail.com text = "v=spf1 redirect=_spf.google.com" _spf.google.com text = "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all" One possible interpretation is that when processing spf2 records & includes, spf1 records should be ignored -- we believe that's what Mail::SPF is doing when it says "Included domain \'aspmx.googlemail.com\' has no applicable sender policy." Another is to interpret the included spf1 record the way SenderID interprets standalone spf1 records, which we're pretty sure is what Microsoft is doing when they mark the same message as having passed. But since only Microsoft cares about SenderID these days, our clients want our tools to act the way theirs do -- and we use Mail::SPF. Is this behavior configurable? Or is something else going on? -- J.D. Falk Editor, The Received: Blog Return Path Inc. http://www.returnpath.net/blog/received/

# Wed Mar 30 01:26:24 2011 julian [...] mehnle.net - Correspondence added

From julian [...] mehnle.net Wed Mar 30 01:	26:23 2011
MIME-Version:	1.0
X-Spam-Status:	No, score=-6.899 tagged_above=-99.9 required=10 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_FAIL=0.001] autolearn=ham
In-Reply-To:	<rt-3.8.HEAD-2463-1301444010-1354.67073-4-0 [...] rt.cpan.org>
Content-Disposition:	inline
X-Spam-Flag:	NO
References:	<RT-Ticket-67073 [...] rt.cpan.org> <C9B7C3AC.1234B%jdfalk [...] returnpath.net> <rt-3.8.HEAD-2463-1301444010-1354.67073-4-0 [...] rt.cpan.org>
X-Virus-Scanned:	Debian amavisd-new at bestpractical.com
Content-Type:	text/plain; charset="utf-8"
Message-ID:	<201103300526.11493.julian [...] mehnle.net>
X-RT-Original-Encoding:	utf-8
X-Spam-Score:	-6.899
Received:	from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 860EF241801 for <cpan-bug+Mail-SPF [...] hipster.bestpractical.com>; Wed, 30 Mar 2011 01:26:23 -0400 (EDT)
Received:	from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sbgjb+ZT4QxS for <cpan-bug+Mail-SPF [...] hipster.bestpractical.com>; Wed, 30 Mar 2011 01:26:22 -0400 (EDT)
Received:	from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id A6CC32417FE for <bug-Mail-SPF [...] rt.cpan.org>; Wed, 30 Mar 2011 01:26:21 -0400 (EDT)
Received:	(qmail 15955 invoked by uid 103); 30 Mar 2011 05:26:20 -0000
Received:	from x16.dev (10.0.100.26) by x1.dev with QMQP; 30 Mar 2011 05:26:20 -0000
Received:	from io.link-m.de (HELO io.link-m.de) (89.250.128.34) by 16.mx.develooper.com (qpsmtpd/0.80/v0.80-19-gf52d165) with ESMTP; Tue, 29 Mar 2011 22:26:18 -0700
Received:	from [10.0.2.15] ([::ffff:76.14.68.194]) (AUTH: CRAM-MD5 julian [...] mehnle.net, TLS: TLSv1/SSLv3,256bits,AES256-SHA) by io.link-m.de with esmtp; Wed, 30 Mar 2011 05:26:14 +0000 id 0000000020567E0A.000000004D92BEF6.000070ED
Delivered-To:	cpan-bug+Mail-SPF [...] hipster.bestpractical.com
User-Agent:	KMail/1.9.9
Subject:	Re: [rt.cpan.org #67073] spf2 record includes spf1 record
Return-Path:	<julian [...] mehnle.net>
X-Spam-Check-BY:	16.mx.develooper.com
X-Original-To:	cpan-bug+Mail-SPF [...] hipster.bestpractical.com
X-RT-Mail-Extension:	mail-spf
Date:	Wed, 30 Mar 2011 05:26:11 +0000
X-Spam-Level:
To:	bug-Mail-SPF [...] rt.cpan.org
Content-Transfer-Encoding:	7bit
From:	Julian Mehnle <julian [...] mehnle.net>
RT-Message-ID:	<rt-3.8.HEAD-2463-1301462784-1428.67073-0-0 [...] rt.cpan.org>
Content-Length:	1306

Download (untitled) / with headers
text/plain 1.2k

Hi J D, you wrote: Show quoted text

> [...] > One possible interpretation is that when processing spf2 records & > includes, spf1 records should be ignored -- we believe that's what > Mail::SPF is doing when it says "Included domain 'aspmx.googlemail.com' > has no applicable sender policy." > > Another is to interpret the included spf1 record the way SenderID > interprets standalone spf1 records, which we're pretty sure is what > Microsoft is doing when they mark the same message as having passed. > > But since only Microsoft cares about SenderID these days, our clients > want our tools to act the way theirs do -- and we use Mail::SPF. Is > this behavior configurable? Or is something else going on?

The first interpretation is correct. It is a conscious design choice. RFCs 4408 (SPF) and 4406 (Sender ID) conflict in this regard, and since Mail::SPF is meant to be a reference implementation of RFC 4408, this is the school of thought it follows. The support for "spf2.0" records was added merely as an exercise and as a courtesy to the user. The behavior is not configurable, although it could possibly be made that way. It's certainly not a priority for me at this time. I would consider taking a patch, though, that makes it configurable in a way consistent with Mail::SPF's design. -Julian

# Wed Mar 30 01:26:25 2011 The RT System itself - Status changed from 'new' to 'open'

# Mon Apr 11 20:49:10 2011 jdfalk [...] returnpath.net - Correspondence added

MIME-Version:	1.0
X-Spam-Flag:	NO
Acceptlanguage:	en-US
X-Virus-Scanned:	Debian amavisd-new at bestpractical.com
Content-Type:	text/plain; charset="utf-8"
X-RT-Original-Encoding:	utf-8
X-Spam-Score:	-6.123
X-Ems-Stamp:	ezOkSk0PLFwbsYGSKvU3WQ==
Authentication-Results:	hipster.bestpractical.com (amavisd-new); dkim=pass header.i= [...] returnpath.net
Authentication-Results:	hipster.bestpractical.com (amavisd-new); domainkeys=pass header.from=jdfalk [...] returnpath.net
Received:	from localhost (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id C337A241895 for <cpan-bug+Mail-SPF [...] hipster.bestpractical.com>; Mon, 11 Apr 2011 20:49:09 -0400 (EDT)
Received:	from hipster.bestpractical.com ([127.0.0.1]) by localhost (hipster.bestpractical.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jhpsNYnp3IMv for <cpan-bug+Mail-SPF [...] hipster.bestpractical.com>; Mon, 11 Apr 2011 20:49:08 -0400 (EDT)
Received:	from la.mx.develooper.com (x1.develooper.com [207.171.7.70]) by hipster.bestpractical.com (Postfix) with SMTP id 0E1C62417FF for <bug-Mail-SPF [...] rt.cpan.org>; Mon, 11 Apr 2011 20:49:07 -0400 (EDT)
Received:	(qmail 12360 invoked by uid 103); 12 Apr 2011 00:49:07 -0000
Received:	from x16.dev (10.0.100.26) by x1.dev with QMQP; 12 Apr 2011 00:49:07 -0000
Received:	from mail.corp.returnpath.net (HELO mail.corp.returnpath.net) (38.109.196.9) by 16.mx.develooper.com (qpsmtpd/0.80/v0.80-19-gf52d165) with ESMTP; Mon, 11 Apr 2011 17:49:05 -0700
Received:	from mail.corp.returnpath.net (localhost.localdomain [127.0.0.1]) by mail.corp.returnpath.net (Postfix) with ESMTP id AE0642501AD; Mon, 11 Apr 2011 18:49:01 -0600 (MDT)
Received:	from rpcoex01.rpcorp.local (unknown [10.0.1.142]) by mail.corp.returnpath.net (Postfix) with ESMTP id A6235250199; Tue, 12 Apr 2011 00:49:01 +0000 (UTC)
Received:	from rpcoex01.rpcorp.local ([10.0.1.142]) by rpcoex01.rpcorp.local ([10.0.1.142]) with mapi; Mon, 11 Apr 2011 18:47:53 -0600
Delivered-To:	cpan-bug+Mail-SPF [...] hipster.bestpractical.com
Subject:	Re: [rt.cpan.org #67073] spf2 record includes spf1 record
Dkim-Signature:	v=1; a=rsa-sha1; c=relaxed; d=returnpath.net; h=from:to :date:subject:message-id:in-reply-to:content-type :content-transfer-encoding:mime-version; s=selector1; bh=yGdczAz SscoN5cliaAkbQBxIhb0=; b=k8VYSjf4fZWfha9HdkxcYfD7SrtcbtT1W8xOKlC aHPq/PVlUtR3nRPvpcfNhFgjKDbzgjNcwdiNozeTHXUIxBT99GPfgm3QL2oMdoZj QsgzKH53kDjaoccxuHJ8fE7gFoaW3s1Wn84xYnxRdAmfnRHTLgiQcxFK4eKYJG1/ p5pc=
X-Spam-Check-BY:	16.mx.develooper.com
Thread-Index:	Acv4q0FJzGHGlovPQqy22zLGuAaFng==
Date:	Mon, 11 Apr 2011 18:48:58 -0600
X-Spam-Level:
To:	"bug-Mail-SPF [...] rt.cpan.org" <bug-Mail-SPF [...] rt.cpan.org>
Content-Transfer-Encoding:	quoted-printable
From jdfalk [...] returnpath.net Mon Apr 11 20:	49:09 2011
X-Ems-Proccessed:	Yma8eInq5qTp77FzNR/WDA==
In-Reply-To:	<rt-3.8.HEAD-2463-1301462784-410.67073-6-0 [...] rt.cpan.org>
X-Spam-Status:	No, score=-6.123 tagged_above=-99.9 required=10 tests=[AWL=0.212, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_SOFTFAIL=0.665] autolearn=ham
Content-Language:	en-US
Message-ID:	<C9C8EF58.13200%jdfalk [...] returnpath.net>
X-MS-Tnef-Correlator:
User-Agent:	Microsoft-MacOutlook/14.2.0.101115
Return-Path:	<jdfalk [...] returnpath.net>
Domainkey-Signature:	a=rsa-sha1; c=nofws; d=returnpath.net; h=from:to :date:subject:message-id:in-reply-to:content-type :content-transfer-encoding:mime-version; q=dns; s=selector1; b=P Z3nGOQxpvSSPFw5ScPWjenlZf+QCPSMfautYn23495L8CGRcgNwsgJib9OjbwNrV C+SWZ25tC1PHjNgRanbnKS+jy+GCO4s88FAFJAfegkoXuGRbWzO4R59SOF1wIFKv K1tLlqs9/RWHRhplWt7lqHQl5OJYioOyMsxVImEHAs=
X-RT-Mail-Extension:	mail-spf
X-Original-To:	cpan-bug+Mail-SPF [...] hipster.bestpractical.com
X-MS-Has-Attach:
Thread-Topic:	[rt.cpan.org #67073] spf2 record includes spf1 record
Accept-Language:	en-US
From:	J D Falk <jdfalk [...] returnpath.net>
RT-Message-ID:	<rt-3.8.HEAD-2771-1302569350-395.67073-0-0 [...] rt.cpan.org>
Content-Length:	228

Download (untitled) / with headers
text/plain 228b

Thanks for the reply. I think this makes sense. Not sure if/when we'll be able to submit a patch, but we'll keep it in mind. -- J.D. Falk Director, Internet Standards & Governance Email Intelligence Group Return Path Inc.

# Fri Aug 12 12:48:49 2011 JMEHNLE [...] cpan.org - Correspondence added

MIME-Version:	1.0
In-Reply-To:	<rt-3.8.HEAD-2771-1302569350-395.67073-0-0 [...] rt.cpan.org>
X-Mailer:	MIME-tools 5.427 (Entity 5.427)
Content-Disposition:	inline
References:	<rt-3.8.HEAD-2463-1301462784-410.67073-6-0 [...] rt.cpan.org> <C9C8EF58.13200%jdfalk [...] returnpath.net> <rt-3.8.HEAD-2771-1302569350-395.67073-0-0 [...] rt.cpan.org>
Content-Type:	text/plain; charset="UTF-8"
Message-ID:	<rt-3.8.HEAD-22516-1313167728-1863.67073-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding:	binary
X-RT-Original-Encoding:	utf-8
Content-Length:	253

Download (untitled) / with headers
text/plain 253b

FYI, I haven't had the time to deal with this yet — from my personal PoV the issue simply doesn't have a very high priority since it merely concerns Sender ID support. I'm going to mark the issue as stalled but will gladly accept a patch at any time.

# Fri Aug 12 12:48:49 2011 JMEHNLE [...] cpan.org - Status changed from 'open' to 'stalled'

# Fri Aug 12 12:53:26 2011 JMEHNLE [...] cpan.org - Severity Wishlist added

# Mon Jan 30 01:28:32 2012 JMEHNLE [...] cpan.org - Correspondence added

MIME-Version:	1.0
In-Reply-To:	<C9B7C3AC.1234B%jdfalk [...] returnpath.net>
X-Mailer:	MIME-tools 5.427 (Entity 5.427)
Content-Disposition:	inline
References:	<C9B7C3AC.1234B%jdfalk [...] returnpath.net>
Content-Type:	text/plain; charset="UTF-8"
Message-ID:	<rt-3.8.HEAD-17363-1327904912-1532.67073-0-0 [...] rt.cpan.org>
Content-Transfer-Encoding:	binary
X-RT-Original-Encoding:	utf-8
Content-Length:	256

Download (untitled) / with headers
text/plain 256b

Unfortunately the author of this ticket, J. D. Falk, passed away in late 2011: http://jdfalkmemorial.org I will still accept a patch from anyone interested in making this behavior configurable in Mail::SPF, but I will not make it an initiative of my own.

# Mon Jan 30 01:28:34 2012 The RT System itself - Status changed from 'stalled' to 'open'

# Mon Jan 30 01:29:38 2012 JMEHNLE [...] cpan.org - Status changed from 'open' to 'stalled'