Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
928
Views
0
Helpful
5
Replies

Order of includes in SPF records

Go to solution
stefan-stefan
Level 1
Level 1

‎08-23-2022 02:30 AM

I have found that certain companies that send email to us get blocked in our ESA by SPF SoftFail.
And I dug into their SPF record with the help of some sites and they all say that SPF pass while the Cisco says SoftFail so I was a bit lost why.
But after a little more digging I found the "problem"; the order of the includes. They have 3 includes and the last include includes the subnet of the sending mailserver so that would pass. But, the include above that has a ~all and the cisco says softfail because of that.

So my questions is; does SPF define that a first hit is leading and that further hits should be ignored ? Or in other words, is Cisco correct here and all the websites wrong or visa versa ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Steflstefan
Level 1
Level 1

‎08-23-2022 04:52 AM

RfC 7208 is really clear. First hit matches.
SPF-records are public. Maybe you should post the corresponding SPF record an your sending IP address here?
It would be more easier to help you.
Greez

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Steflstefan
Level 1
Level 1

‎08-23-2022 04:52 AM

RfC 7208 is really clear. First hit matches.
SPF-records are public. Maybe you should post the corresponding SPF record an your sending IP address here?
It would be more easier to help you.
Greez

0 Helpful

Go to solution
stefan-stefan
Level 1
Level 1

‎08-23-2022 07:24 AM - edited ‎08-23-2022 08:01 AM

Thank you @Steflstefan that was the info I was looking for So cisco is correct and lots of spf check sites aren't (which was to be expected perhaps). But I also think a lot of mail configs are wrong then potentially. 

This is a madeup example (eventhough info is public I don't feel comfortable sharing someone's misconfigs potentially):

Sending mailhost is 1.2.3.4, domain is mydomain.net
spf record is v=spf1 a:notymyserver.net a:alsonomyserver.net include:spf.anotherparty.com include:spf.yesmail.com -all

notmyserver.net resolves to 2.2.2.2
alsonotmyserver.net resolves to 3.3.3.3
spf.anotherparty.com contains this : v=spf1 ipv4:4.4.4.4 ~all
spf.yesmail.com contains this : v=spf1 ipv4:1.2.3.4 -all 

Cisco reports this as softfail, which is correct if a match causes processing to stop.
But all websites that allow you check spf records against ip adrress (like mxtoolbox) will say pass.

And I have just been checking some more parties and they all have includes with ~all and -all's in the includes.

(probably I am missing something abvious)

0 Helpful

Go to solution
stefan-stefan
Level 1
Level 1

‎08-23-2022 07:35 AM

Hmm, looking further into the include mechanism of the RFC I perhaps am thinking that Cisco is wrong (sorry for going back and forth).
This I have from the RFC :

+---------------------------------+---------------------------------+
   | A recursive check_host() result | Causes the "include" mechanism  |
   | of:                             | to:                             |
   +---------------------------------+---------------------------------+
   | pass                            | match                           |
   |                                 |                                 |
   | fail                            | not match                       |
   |                                 |                                 |
   | softfail                        | not match                       |
   |                                 |                                 |
   | neutral                         | not match                       |
   |                                 |                                 |
   | temperror                       | return temperror                |
   |                                 |                                 |
   | permerror                       | return permerror                |
   |                                 |                                 |
   | none                            | return permerror                |
   +---------------------------------+---------------------------------+

So if an include contains -all or ~all always results in "not match" being given back to the the main spf process (that perhaps isn't the correct wording but I am sure you all understand

0 Helpful

Go to solution
Steflstefan
Level 1
Level 1
In response to stefan-stefan

‎08-23-2022 07:55 AM

Ok.

But this from your explanation looks quite wrong:
spf.anotherparty.com contains this : v=spf1 a:4.4.4.4 ~all
spf.yesmail.com contains this : v=spf1 a:1.2.3.4 -all 

If you use an ip address, you should use ip4: not a:. 
Try vamsoft SPF checker https://vamsoft.com/support/tools/spf-policy-tester

0 Helpful

Go to solution
stefan-stefan
Level 1
Level 1

‎08-23-2022 08:00 AM

Sorry my bad, but this is not about the syntax, its about the theorie of how the includes are interpreted (that was just a quick example).

0 Helpful
Customers Also Viewed These Support Documents