Internet.nl
Check for max of 10 DNS lookups in SPF test
We currently only count 'redirect' and 'include' as DNS lookups, but not 'a', 'mx', 'ptr' and 'exists'. See RFC: https://tools.ietf.org/html/rfc7208#section-4.6.4

Exceeding 10 DNS lookups is a common SPF error: https://blogs.msdn.microsoft.com/tzink/2016/02/19/common-errors-in-spf-records/
See also mail conversation between DB, GT and BK (11 and 12 July 2018).
pull request https://github.com/NLnetLabs/Internet.nl/pull/519
The code is included in 1.4. However, the content is not, as this should have been added to the content repo separately. Content is now planned for 1.5.
- Content changes made in:
  - /detail/mail/auth/spf-policy/verdict/max-lookups_*.md
  - /detail/mail/auth/spf-policy/explanation_*.md
- In his mail on 12th of July 2018 @gthess made the following remark: "We could but it is going to be a partial test because there could be macros that we can't expand to continue the DNS lookup. So if we say that you don't exceed the 10 DNS lookup limit we may be wrong. I think this was the result of the discussion we had last time and that's why we said to respect the limit but don't actually check for it." Not sure if we should address this point in the content. @mxsasha What do you think?

> "We could but it is going to be a partial test because there could be macros that we can't expand to continue the DNS lookup. So if we say that you don't exceed the 10 DNS lookup limit we may be wrong. I think this was the result of the discussion we had last time and that's why we said to respect the limit but don't actually check for it." Not sure if we should address this point in the content.
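To make the counting rule from the issue description and the macro caveat from @gthess's remark concrete, here is an added example (not Internet.nl's own code) that walks an SPF record and counts every DNS-querying term that RFC 7208 section 4.6.4 caps at 10: `include`, `a`, `mx`, `ptr`, `exists`, and `redirect=`. It resolves against an in-memory table of constructed records for fictional `.test` zones instead of real DNS, so it runs offline; the record contents, the `lookup_txt` stand-in resolver and the `spf_lookup_verdict` output format are assumptions. Where an `include:` or `redirect=` target contains a macro, the example counts the term itself but cannot expand the target, so it reports the count as partial rather than claiming the limit is respected; an include loop is treated the same way.

```python
"""Count the DNS-querying SPF terms capped at 10 by RFC 7208 section 4.6.4.

Added example: resolves against constructed in-memory records, not real DNS.
"""
import re

# Constructed SPF records for fictional zones (not real domains or DNS data).
RECORDS = {
    "ok.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "toomany.test": "v=spf1 a mx ptr include:_spf.mailer.test include:_spf.crm.test -all",
    "macro.test": "v=spf1 include:%{d}._spf.macro.test mx -all",
    "loop.test": "v=spf1 include:loop.test -all",
    "_spf.mailer.test": "v=spf1 ip4:192.0.2.0/24 a:relay.mailer.test redirect=_spf2.mailer.test",
    "_spf2.mailer.test": "v=spf1 mx ptr ~all",
    "_spf.crm.test": "v=spf1 include:_spf.crm2.test include:_spf.crm3.test -all",
    "_spf.crm2.test": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.crm3.test": "v=spf1 a mx -all",
}

# Mechanisms that cost one DNS query each; ip4, ip6 and all do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
MACRO = re.compile(r"%\{")  # any macro expansion in a domain-spec


def lookup_txt(domain):
    """Stand-in for a TXT query (hypothetical resolver); returns the record or None."""
    return RECORDS.get(domain.lower().rstrip("."))


def count_lookups(domain, resolver=lookup_txt, ancestors=()):
    """Return (lookups, partial) for the SPF evaluation of ``domain``.

    ``lookups`` counts the DNS-querying terms met while following include:
    and redirect=. ``partial`` is True when a target could not be followed
    (macro in the domain-spec, or an include loop), meaning the real count
    is at least ``lookups`` but may be higher.
    """
    record = resolver(domain)
    if record is None:
        return 0, False
    terms = record.split()[1:]  # drop the "v=spf1" version tag
    has_all = any(t.lstrip("+-~?").lower() == "all" for t in terms)
    lookups, partial = 0, False
    ancestors = ancestors + (domain.lower(),)

    def follow(target):
        nonlocal lookups, partial
        if MACRO.search(target):  # cannot expand without a real message
            partial = True
            return
        if target.lower() in ancestors:  # include loop: count cannot finish
            partial = True
            return
        sub_lookups, sub_partial = count_lookups(target, resolver, ancestors)
        lookups += sub_lookups
        partial = partial or sub_partial

    for term in terms:
        if "=" in term and ":" not in term.split("=", 1)[0]:
            name, _, value = term.partition("=")  # modifier, e.g. redirect=
            # redirect is ignored when an "all" mechanism is present (RFC 7208 6.1)
            if name.lower() == "redirect" and not has_all:
                lookups += 1
                follow(value)
            continue  # exp= and unknown modifiers cost no query here
        body = term.lstrip("+-~?")
        name, _, spec = body.partition(":")
        name = name.split("/", 1)[0].lower()  # strip dual-cidr suffix on a/mx
        if name in LOOKUP_MECHANISMS:
            lookups += 1
            if name == "include":
                follow(spec)
    return lookups, partial


def spf_lookup_verdict(domain, resolver=lookup_txt):
    """Classify a domain: fail (>10), pass (exact count <=10) or unknown (partial)."""
    lookups, partial = count_lookups(domain, resolver)
    if lookups > MAX_LOOKUPS:
        status = "fail"
    elif partial:
        status = "unknown"  # at least ``lookups``; macros/loops hid the rest
    else:
        status = "pass"
    return {"domain": domain, "lookups": lookups, "partial": partial, "status": status}


if __name__ == "__main__":
    for name in ("ok.test", "toomany.test", "macro.test", "loop.test"):
        print(spf_lookup_verdict(name))
```

The "unknown" verdict is the practical answer to the macro concern: the counter reports the lookups it could verify and states that the count is incomplete, instead of asserting that the limit is respected. The lookup count returned here is also the figure that could be shown in the tech table, since it is computed during the same walk.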
I don't have full context, but if we have a test that is incomplete, we should definitely note that in the content. Otherwise users might incorrectly think their setup is fine, when there is an issue, which is harmful.
Is it possible to show the number of DNS lookups that were necessary to get the full SPF record? If so, then I suggest we show this.
> I don't have full context, but if we have a test that is incomplete, we should definitely note that in the content. Otherwise users might incorrectly think their setup is fine, when there is an issue, which is harmful.
Done. Made some content changes to make this more clear.
> Is it possible to show the number of DNS lookups that were necessary to get the full SPF record? If so, then I suggest we show this.
If we have this information available, we could show it:
- in a tech table for the "SPF policy" subtest AND/OR
- in the verdict message detail/mail/auth/spf-policy/verdict/max-lookups_en.md
@mxsasha What do you think?
> If we have this information available, we could show it:
I think we have it in the database, that's how I counted.
> - in a tech table for the "SPF policy" subtest
Seems like a good place.
> - in the verdict message detail/mail/auth/spf-policy/verdict/max-lookups_en.md
This may be possible with extra work, but would also be inconsistent with current practice where verdict messages are more generic, with details in the tech table.
Ok, let's go for the first option. Shall we add an issue for this to the next version (1.8)?