Thanks, I see same thing test right now, I’ll report it.
Frank From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Kurt Andersen (b) Sent: Friday, April 29, 2016 12:40 PM To: Steve Atkins <st...@blighty.com> Cc: mailop <mailop@mailop.org> Subject: Re: [mailop] SPF check overly stringent? On Fri, Apr 29, 2016 at 10:33 AM, Kurt Andersen (b) <kb...@drkurt.com <mailto:kb...@drkurt.com> > wrote: On Fri, Apr 29, 2016 at 10:17 AM, Steve Atkins <st...@blighty.com <mailto:st...@blighty.com> > wrote: > On Apr 29, 2016, at 9:52 AM, Frank Bulk <frnk...@iname.com > <mailto:frnk...@iname.com> > wrote: > > I also removed 'mx' because this tool > (http://vamsoft.com/support/tools/spf-policy-tester) was failing on pulling > the AAAA for each of the domain's four MX records. Try the vamsoft site > with 2607:fe28:0:4000::20 and to see how sigiowa.com <http://sigiowa.com> > used to fail. > > Is Vamsoft's check too stringent? More like "broken" - but I can see how RFC 7208 might make them think it's correct behaviour if they didn't think about real-world use of DNS. > Does it seriously matter that it can't > find the AAAA for the domain's four MX records? Shouldn't an SPF check for > the domain's MX records just look for an A or AAAA? Using Kitterman's test framework at http://www.kitterman.com/spf/validate.html it looks like it only tries the AAAA lookups if the connecting IP is IPv6. With the python SPF library, it will mark the results as "ambiguous" if it stumbles on the MX method that doesn't authorize any IPv6 addresses. Checking with yet another online tester (http://tools.bevhost.com/spf/ - cited by openspf.org <http://openspf.org> ), it doesn't seem to handle IPv6 ranges properly, or misinterprets the void lookup failure as a softfail. --Kurt
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
