On 08/29/2012 10:20 PM, Håkon Alstadheim wrote:
> On 29. aug. 2012 15:41, Tiemen Ruiten wrote:
>> Hello,
>>
>> Could anyone tell me what's wrong with the SPF-record for
>> cust-spf-inc4.exacttarget.com?
>>
>> Policyd has been rejecting a few emails with the following error:
>>
>> Recipient address rejected: Failed SPF check;
>> bounce.email.nridigital.com ... cust-spf-inc4.exacttarget.com, Junk
>> encountered in record 'v=spf1 ip4:66.231.90.0/24 ip4:66.231.93.0/24
>> ip4:66.231.95.0/24 ip4:209.43.22.0/28 ip4:207.67.98.192/27
>> ip4:68.232.200.0/24 199.122.123.0/24 -all';
>>
>>
> 
> Since you've had no replies yet, I'll hazard a hunch without having
> looked at the spf1 spec:
> expanding all the "includes" in bounce.email.nridigital.com gives
> multiple "-all" with stuff after them. Might be relevant?
> 
> 


I believe I should conclude from the spec that multiple -all entries
shouldn't be a problem:

http://www.ietf.org/rfc/rfc4408.txt

5.2.  "include"

      include          = "include"  ":" domain-spec

   The "include" mechanism triggers a recursive evaluation of
   check_host().  The domain-spec is expanded as per Section 8.  Then
   check_host() is evaluated with the resulting string as the <domain>.
   The <ip> and <sender> arguments remain the same as in the current
   evaluation of check_host().

   In hindsight, the name "include" was poorly chosen.  Only the
   evaluated result of the referenced SPF record is used, rather than
   acting as if the referenced SPF record was literally included in the
   first.  For example, evaluating a "-all" directive in the referenced
   record does not terminate the overall processing and does not
   necessarily result in an overall "Fail".  (Better names for this
   mechanism would have been "if-pass", "on-pass", etc.)

   The "include" mechanism makes it possible for one domain to designate
   multiple administratively-independent domains.  For example, a vanity
   domain "example.net" might send mail using the servers of
   administratively-independent domains example.com and example.org.

   Example.net could say

      IN TXT "v=spf1 include:example.com include:example.org -all"

   This would direct check_host() to, in effect, check the records of
   example.com and example.org for a "Pass" result.  Only if the host
   were not permitted for either of those domains would the result be
   "Fail".


Any other ideas?

Tiemen
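
The record quoted in the policyd error can be checked term by term against the RFC 4408 grammar (a term is either a mechanism with an optional qualifier, or a `name=value` modifier). The sketch below is an added example, not part of the original thread and not policyd's code; `classify_term` and `find_junk` are hypothetical names, and the checker covers only term syntax, not DNS lookups or `include` recursion.

```python
import ipaddress
import re

# Mechanism names defined in RFC 4408 section 5.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Modifier syntax from RFC 4408 section 6: name "=" value.
MODIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=")

# The record exactly as quoted in the rejection message above.
RECORD = ("v=spf1 ip4:66.231.90.0/24 ip4:66.231.93.0/24 ip4:66.231.95.0/24 "
          "ip4:209.43.22.0/28 ip4:207.67.98.192/27 ip4:68.232.200.0/24 "
          "199.122.123.0/24 -all")


def classify_term(term):
    """Return 'mechanism', 'modifier', or a string starting with 'junk'."""
    if MODIFIER_RE.match(term):
        return "modifier"
    # Strip the optional qualifier (+ pass, - fail, ~ softfail, ? neutral).
    body = term[1:] if term[0] in "+-~?" else term
    name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
    if name not in MECHANISMS:
        return "junk: unknown mechanism"
    if name in ("ip4", "ip6"):
        # ip4/ip6 need a network of the matching address family.
        value = body.partition(":")[2]
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "junk: bad network"
        if net.version != int(name[2]):
            return "junk: wrong address family"
    return "mechanism"


def find_junk(record):
    """List (term, verdict) for every term that is not valid SPF syntax."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [(record, "junk: missing v=spf1 version")]
    verdicts = [(t, classify_term(t)) for t in terms[1:]]
    return [(t, v) for t, v in verdicts if v.startswith("junk")]


if __name__ == "__main__":
    for term, verdict in find_junk(RECORD):
        print(f"{term!r}: {verdict}")
```

Run against the quoted record, the only term it reports is `199.122.123.0/24`, which carries no mechanism name in front of the network.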
