cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1109
Views
0
Helpful
5
Replies

Order of includes in SPF records

stefan-stefan
Level 1
Level 1

I have found that certain companies that send email to us get blocked in our ESA by SPF SoftFail.
And I dug into their SPF record with the help of some sites and they all say that SPF pass while the Cisco says SoftFail so I was a bit lost why.
But after a little more digging I found the "problem"; the order of the includes. They have 3 includes and the last include includes the subnet of the sending mailserver so that would pass. But, the include above that has a ~all and the cisco says softfail because of that.

So my questions is; does SPF define that a first hit is leading and that further hits should be ignored ? Or in other words, is Cisco correct here and all the websites wrong or visa versa ?

1 Accepted Solution

Accepted Solutions

Steflstefan
Level 1
Level 1

RfC 7208 is really clear. First hit matches.
SPF-records are public. Maybe you should post the corresponding SPF record an your sending IP address here?
It would be more easier to help you.
Greez

View solution in original post

5 Replies 5

Steflstefan
Level 1
Level 1

RfC 7208 is really clear. First hit matches.
SPF-records are public. Maybe you should post the corresponding SPF record an your sending IP address here?
It would be more easier to help you.
Greez

stefan-stefan
Level 1
Level 1

Thank you @Steflstefan that was the info I was looking for So cisco is correct and lots of spf check sites aren't (which was to be expected perhaps). But I also think a lot of mail configs are wrong then potentially. 

This is a madeup example (eventhough info is public I don't feel comfortable sharing someone's misconfigs potentially):

Sending mailhost is 1.2.3.4, domain is mydomain.net
spf record is v=spf1 a:notymyserver.net a:alsonomyserver.net include:spf.anotherparty.com include:spf.yesmail.com -all

notmyserver.net resolves to 2.2.2.2
alsonotmyserver.net resolves to 3.3.3.3
spf.anotherparty.com contains this : v=spf1 ipv4:4.4.4.4 ~all
spf.yesmail.com contains this : v=spf1 ipv4:1.2.3.4 -all 

Cisco reports this as softfail, which is correct if a match causes processing to stop.
But all websites that allow you check spf records against ip adrress (like mxtoolbox) will say pass.

And I have just been checking some more parties and they all have includes with ~all and -all's in the includes.

(probably I am missing something abvious)

stefan-stefan
Level 1
Level 1

Hmm, looking further into the include mechanism of the RFC I perhaps am thinking that Cisco is wrong (sorry for going back and forth).
This I have from the RFC :

+---------------------------------+---------------------------------+
   | A recursive check_host() result | Causes the "include" mechanism  |
   | of:                             | to:                             |
   +---------------------------------+---------------------------------+
   | pass                            | match                           |
   |                                 |                                 |
   | fail                            | not match                       |
   |                                 |                                 |
   | softfail                        | not match                       |
   |                                 |                                 |
   | neutral                         | not match                       |
   |                                 |                                 |
   | temperror                       | return temperror                |
   |                                 |                                 |
   | permerror                       | return permerror                |
   |                                 |                                 |
   | none                            | return permerror                |
   +---------------------------------+---------------------------------+

So if an include contains -all or ~all always results in "not match" being given back to the the main spf process (that perhaps isn't the correct wording but I am sure you all understand

Ok.

But this from your explanation looks quite wrong:
spf.anotherparty.com contains this : v=spf1 a:4.4.4.4 ~all
spf.yesmail.com contains this : v=spf1 a:1.2.3.4 -all 

If you use an ip address, you should use ip4: not a:. 
Try vamsoft SPF checker https://vamsoft.com/support/tools/spf-policy-tester

stefan-stefan
Level 1
Level 1

Sorry my bad, but this is not about the syntax, its about the theorie of how the includes are interpreted (that was just a quick example).