libspf2

spfquery: incorrect exit code on SPF record parse error

Open bAndie91 opened this issue 5 years ago • 2 comments

Hi, I get this output when validating a mail_from address on a domain which has an invalid SPF record. It returns an undocumented 0 code, however it should return 7 - permanent error. Ordinary output lines: result code is (invalid), empty line for explanation, empty line for Received-SPF header.

spf record:

"v=spf1 " "ip4:184.104.202.128/27 ip4:184.104.202.96/27 ip4:216.218.159.0/27 ip4:216.218.240.64/26 ip4:64.71.168.192/26 ip4:65.19.128.64/26 ip4:66.220.12.128/27 ip4:72.52.80.0/26 ip4:64.62.250.96/27 " "ip6:2001:470:1:235::/64 ip6:2001:470:1:258::/64 ip6:2001:470:1:3a8::/64 ip6:2001:470:1:59e::/64 ip6:2001:470:1:669::/64 ip6:2001:470:1:791::/64 ip6:2001:470:1:9a5::/64 ip6:2001:470:1:9f1::/64 2602:fd3f:0000:ff06::/64 include:mailgun.org " "mx ptr ~all"

results:

spfquery -ip 66.220.12.154 -sender [email protected]

StartError
Context: Failed to query MAIL-FROM
ErrorCode: (2) Could not find a valid SPF record
Error: Invalid character at start of mechanism near '2602:fd3f:00'
Error: Failed to compile SPF record for 'discoursemail.com'
EndError
(invalid)



I looked into it, but could not find an easy way to fix it, since the error is detected in SPF_record_compile(), then the whole record parsing is given up, returning early to the caller SPF_request_query_mailfrom(). So there is no chance to ignore buggy parts of the record and process anyway. I suggest having an -ignore-invalid option to ignore unknown words. In my and most cases, it would not hurt because there is either a pass rule or ~all/-all takes effect.

bAndie91, Sep 20 '20 21:09

This is what I see:

>spfquery -ip 66.220.12.154 -sender [email protected]
pass

spfquery: domain of discoursemail.com designates 66.220.12.154 as permitted sender
Received-SPF: pass (spfquery: domain of discoursemail.com designates 66.220.12.154 as permitted sender) client-ip=66.220.12.154; [email protected];

hdatma, Oct 13 '21 17:10

Yes, it works now for this particular domain because they fixed their SPF record. Note the 2602:fd3f:00 part without the ip6: prefix: this is the buggy part which makes the evaluation fail.

bAndie91, Jan 26 '22 08:01
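A syntax check a domain owner could run on a record before publishing it, so that a term like the one discussed in this thread is caught as a permanent error. This is an added example, not part of the issue and not libspf2 code; `check_term` and `lint_spf` are hypothetical names, the sample record is abridged from the one quoted above, and the checker covers only a simplified subset of RFC 7208 term syntax (no macro validation, no DNS lookups).

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# RFC 7208 modifier syntax is name=value; unknown modifier names are legal.
MODIFIER_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]*=")

# Abridged from the TXT record quoted in the issue (same chunking, fewer networks).
ISSUE_RECORD = ('"v=spf1 " "ip4:184.104.202.128/27 ip4:64.62.250.96/27 " '
                '"ip6:2001:470:1:235::/64 2602:fd3f:0000:ff06::/64 '
                'include:mailgun.org " "mx ptr ~all"')


def check_term(term):
    """Return None if one SPF term is well formed, else a short reason."""
    if MODIFIER_RE.match(term):
        return None
    body = term[1:] if term[0] in "+-~?" else term  # strip optional qualifier
    name, sep, arg = re.match(r"([^:/]*)([:/]?)(.*)", body).groups()
    name = name.lower()
    if name not in MECHANISMS:
        return f"unknown mechanism {name!r}"
    if name in ("ip4", "ip6"):
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return f"bad network {arg!r}"
        if sep != ":" or net.version != int(name[2]):
            return f"{arg!r} is not an IPv{name[2]} network"
    elif name in ("include", "exists") and (sep != ":" or not arg):
        return f"{name} requires a domain"
    elif name == "all" and sep:
        return "all takes no argument"
    return None


def lint_spf(txt_rdata):
    """Join the quoted TXT chunks and return (status, [(term, reason), ...])."""
    record = "".join(re.findall(r'"([^"]*)"', txt_rdata)) or txt_rdata
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []
    errors = [(t, why) for t in terms[1:] if (why := check_term(t))]
    return ("permerror" if errors else "ok"), errors


if __name__ == "__main__":
    status, errors = lint_spf(ISSUE_RECORD)
    print(status, errors)
```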