
Check for max of 10 DNS lookups in SPF test

Open baknu opened this issue 6 years ago • 6 comments

We currently only count 'redirect' and 'include' as DNS lookups, but not 'a', 'mx', 'ptr' and 'exist'. See RFC: https://tools.ietf.org/html/rfc7208#section-4.6.4 Exceeding 10 DNS lookups is a common SPF error: https://blogs.msdn.microsoft.com/tzink/2016/02/19/common-errors-in-spf-records/

baknu avatar Dec 12 '17 13:12 baknu

See also mail conversation between DB, GT and BK (11 and 12 July 2018).

baknu avatar Jul 12 '18 11:07 baknu

pull request https://github.com/NLnetLabs/Internet.nl/pull/519

sinteur avatar Mar 05 '21 10:03 sinteur

The code is included in 1.4. However, the content is not, as this should have been added to the content repo separately. Content is now planned for 1.5.

baknu avatar May 03 '22 13:05 baknu

  1. Content changes made in:
  • /detail/mail/auth/spf-policy/verdict/max-lookups_*.md
  • /detail/mail/auth/spf-policy/explanation_*.md
  2. In his mail on 12th of July 2018 @gthess made the following remark: "We could but it is going to be a partial test because there could be macros that we can't expand to continue the DNS lookup. So if we say that you don't exceed the 10 DNS lookup limit we may be wrong. I think this was the result of the discussion we had last time and that's why we said to respect the limit but don't actually check for it." Not sure if we should address this point in the content. @mxsasha What do you think?

baknu avatar Jul 12 '22 19:07 baknu
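The two points raised so far in this thread, counting every lookup-triggering term (a, mx, ptr, exists, include and the redirect modifier, per RFC 7208 section 4.6.4) rather than only include and redirect, and the fact that a macro in an include or redirect target makes any such count partial, can be shown in one small counter. The code below is an added example, not Internet.nl's own implementation: DNS is replaced by a constructed in-memory ZONE dict with fictional names, and the names ZONE, RFC_COUNTED, OLD_COUNTED, count_lookups and verdict are all assumptions made for this illustration.

```python
"""Count the DNS lookups an SPF evaluation can trigger (RFC 7208, section 4.6.4).

Added example, not Internet.nl code. DNS is replaced by the constructed ZONE
dict below; every domain name in it is fictional.
"""
import re

# Constructed TXT records standing in for real DNS (assumption: fictional names).
ZONE = {
    "simple.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "example.org": (
        "v=spf1 mx a:mail.example.org include:_spf.bulkmailer.example "
        "exists:%{i}.spf.example.org -all"
    ),
    "_spf.bulkmailer.example": (
        "v=spf1 ip4:192.0.2.0/24 include:_spf2.bulkmailer.example "
        "redirect=_legacy.bulkmailer.example"
    ),
    "_spf2.bulkmailer.example": "v=spf1 a mx ptr ~all",
    # The include target contains a macro, so it cannot be expanded without a
    # real message: any count that passes through here is necessarily partial.
    "_legacy.bulkmailer.example": "v=spf1 include:%{d}._spf.bulkmailer.example -all",
    "heavy.example": "v=spf1 include:example.org include:_spf2.bulkmailer.example -all",
}

# Terms that count toward the limit of 10 (RFC 7208 section 4.6.4).
RFC_COUNTED = frozenset({"a", "mx", "ptr", "exists", "include", "redirect"})
# What the test counted before this issue: only include and redirect.
OLD_COUNTED = frozenset({"include", "redirect"})
MAX_LOOKUPS = 10

TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=]([^/]*))?", re.I)
MACRO_RE = re.compile(r"%\{")


def parse_term(term):
    """Return (name, argument) for one SPF term; qualifier and CIDR suffix are dropped."""
    if term[0] in "+-~?":
        term = term[1:]
    m = TERM_RE.match(term)
    if m is None:
        return term.lower(), None
    return m.group(1).lower(), m.group(2)


def count_lookups(domain, counted=RFC_COUNTED, _stack=()):
    """Walk the SPF record of `domain`, following include/redirect, and count.

    Returns a dict with:
      lookups  - number of lookup-triggering terms seen (nested ones included)
      void     - lookups that returned no SPF record (RFC 7208 limits these to 2)
      partial  - True when an include/redirect target contained a macro or a
                 loop was hit, so some branch could not be followed and the
                 real count may be higher than `lookups`
      terms    - (domain, term) pairs that were counted, e.g. for a tech table
    """
    result = {"lookups": 0, "void": 0, "partial": False, "terms": []}
    if domain in _stack:          # include/redirect loop; evaluation would permerror
        result["partial"] = True
        return result
    record = ZONE.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        result["void"] = 1
        return result
    terms = record.split()[1:]
    has_all = any(parse_term(t)[0] == "all" for t in terms)
    for raw in terms:
        name, arg = parse_term(raw)
        if name not in counted:
            continue                       # ip4, ip6, all, exp=, unknown modifiers
        if name == "redirect" and has_all:
            continue                       # redirect is ignored when "all" is present
        result["lookups"] += 1
        result["terms"].append((domain, raw))
        if name in ("include", "redirect"):
            if not arg or MACRO_RE.search(arg):
                result["partial"] = True   # cannot expand without a message
                continue
            sub = count_lookups(arg, counted, _stack + (domain,))
            result["lookups"] += sub["lookups"]
            result["void"] += sub["void"]
            result["partial"] = result["partial"] or sub["partial"]
            result["terms"].extend(sub["terms"])
    return result


def verdict(domain, counted=RFC_COUNTED):
    """Return (status, lookups, partial): 'fail' beyond 10, 'unknown' when partial."""
    r = count_lookups(domain, counted)
    if r["lookups"] > MAX_LOOKUPS:
        status = "fail"
    elif r["partial"]:
        status = "unknown"
    else:
        status = "pass"
    return status, r["lookups"], r["partial"]


if __name__ == "__main__":
    for d in ("simple.example", "example.org", "heavy.example"):
        print(d, verdict(d), "old counting:", verdict(d, OLD_COUNTED))
```

On the constructed zone, example.org comes out at exactly 10 lookups under the RFC counting but only 4 when just include and redirect are counted, and in both cases the result is flagged partial because the include under _legacy.bulkmailer.example carries a macro; heavy.example exceeds the limit regardless of the unexpandable branch, so a "fail" can be reported with confidence while a "pass" cannot once partial is set. The terms list is the raw material for the per-lookup listing discussed later in this thread.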

> "We could but it is going to be a partial test because there could be macros that we can't expand to continue the DNS lookup. So if we say that you don't exceed the 10 DNS lookup limit we may be wrong. I think this was the result of the discussion we had last time and that's why we said to respect the limit but don't actually check for it." Not sure if we should address this point in the content.

I don't have full context, but if we have a test that is incomplete, we should definitely note that in the content. Otherwise users might incorrectly think their setup is fine, when there is an issue, which is harmful.

mxsasha avatar Aug 29 '22 10:08 mxsasha

Is it possible to show the number of DNS lookups that were necessary to get the full SPF record? If so, then I suggest we show this.

dennisbaaten avatar Sep 13 '22 12:09 dennisbaaten

> I don't have full context, but if we have a test that is incomplete, we should definitely note that in the content. Otherwise users might incorrectly think their setup is fine, when there is an issue, which is harmful.

Done. Made some content changes to make this more clear.

baknu avatar Mar 15 '23 13:03 baknu

> Is it possible to show the number of DNS lookups that were necessary to get the full SPF record? If so, then I suggest we show this.

If we have this information available, we could show it:

  • in a tech table for the "SPF policy" subtest AND/OR
  • in the verdict message detail/mail/auth/spf-policy/verdict/max-lookups_en.md

@mxsasha What do you think?

baknu avatar Mar 15 '23 13:03 baknu

> If we have this information available, we could show it:

I think we have it in the database, that's how I counted.

> * in a tech table for the "SPF policy" subtest

Seems like a good place.

> * in the verdict message detail/mail/auth/spf-policy/verdict/max-lookups_en.md

This may be possible with extra work, but would also be inconsistent with current practice where verdict messages are more generic, with details in the tech table.

mxsasha avatar Mar 15 '23 13:03 mxsasha

Ok, let's go for the first option. Shall we add an issue for this to the next version (1.8)?

baknu avatar Mar 15 '23 13:03 baknu