Mailing List Archive

Logical problem
Hi (and sorry because of weak English),

I'm newbie with spf protocol, just developing spf checker and have many
logical problems :

1.
if 'include' say 'neutral' and main say 'fail' what's result ?
if 'include' say 'none' (spf record just not exists) and main say 'fail' or
'softfail' what is result ?

2.
December 2004 rfc draft say :
- mechanisms must be processed in given order (or something like this)
but also say
- ptr mechanism can be expensive, must be processed after others (or
something like this)

Question is : what's other ? I should sort this but i'm sure ONLY about 'all'
this need to be last, exists any other what need to be after resorted 'ptr'
?

3 (actually related to 2).
redirect must be only one mechanism or should exists after one more
mechanism ? for example :
'v=spf1 ip4:65.59.232.0/23 include:spf-b.hotmail.com redirect:something.com'
that should be valid ?

tnx in advance
Dejan Petrovic


-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
Re: Logical problem
Dejan Petrovic wrote:

> if 'include' say 'neutral' and main say 'fail' what's result ?

If "include" doesn't say PASS it doesn't match => no result at
this point in the "main" policy. Otherwise (include PASS and
the "main" idea was -include:some.pass.example) it would be a
FAIL.

> if 'include' say 'none' (spf record just not exists) and main
> say 'fail' or 'softfail' what is result ?

Please check this in draft-schlitt-spf-classic-00, IIRC that's
a PermError.

> - mechanisms must be processed in given order (or something
> like this) but also say - ptr mechanism can be expensive,
> must be processed after others (or something like this)

Where did you see this ? ptr is "deprecated", it's better to
avoid it. But if it's there process it in the given order,
maybe with a PermError (?) for more than 10 names. Normally
you never sort mechanisms, only redirect= (a modifier) is
processed after all other mechanisms, even if the redirect=
is not near the end.

BTW, in a sender policy with "all" a redirect= has no effect.

Bye, Frank


RE: Re: Logical problem
-----Original Message-----
From: owner-spf-devel@v2.listbox.com [mailto:owner-spf-devel@v2.listbox.com]
On Behalf Of Frank Ellermann
Sent: Saturday, March 26, 2005 8:00 AM
To: spf-devel@v2.listbox.com
Subject: [spf-devel] Re: Logical problem

Dejan Petrovic wrote:



> - mechanisms must be processed in given order (or something like this)
> but also say - ptr mechanism can be expensive, must be processed after
> others (or something like this)

Where did you see this ? ptr is "deprecated", it's better to avoid it. But
if it's there process it in the given order, maybe with a PermError (?) for
more than 10 names. Normally you never sort mechanisms, only redirect= (a
modifier) is processed after all other mechanisms, even if the redirect= is
not near the end.

http://ietf.org/internet-drafts/draft-schlitt-spf-classic-00.txt (this is
last, december 2004 as I can find)
Page 20

--- fragment start ---
Note: Use of this mechanism is discouraged because it is slow, is not
as reliable as other mechanisms in cases of DNS errors and it places
a large burden on the arpa name servers. If used, proper PTR records
must be in place for the domain's hosts and the "ptr" mechanism
should be one of the last mechanisms checked.
--- fragment end ---

How to handle this "should be one of the last" ?

For example one bad formed spf should be :
v=spf1 redirect=_spf.a.x.com exp=something ptr mx/28 ?all
or
v=spf1 redirect=_spf.a.x.com exp=something ptr mx/28

How should be processed it ? Need to be resorted for sure :
- redirect must be last
- ?all should be processed to match neutral in case of redirect result as
none or fail ?
- ptr should be last before redirect ?

I understand what's idea but some admins can made weird definitions, we
need to handle all of stupidity :(

As I see this problem :
- ptr should be excluded in final version
- redirect specification should be changed to "must be alone, only redirect
mechanism" or "must be last without all in definition"



Re: Logical problem
Dejan Petrovic wrote:

> How to handle this "should be one of the last" ?

That's a hint for the publisher of the policy, it means that
you should say "v=spf1 mx ptr -all" instead of an equivalent
"v=spf1 ptr mx -all"

It has nothing directly to do with you as implementor. In
theory you could "sort" adjacent mechanisms with the same
result, -x +u +v +w -y -z is the same as -x +w +v +u -z -y,
but it's probably not the same as -x -y -z +u +v +w.

In other words you could read it as -x (+u +v +w) (-y -z) and
then process (+u +v +w) in any order you prefer, ditto (-y -z).

OTOH it's not what you want in the case of errors. Therefore
the draft says, that the _publisher_ should move any ptr as far
right as possible. You as _implementor_ better evaluate what
you get without trying to be too smart.

> but some admins can made weird definitions, we need to handle
> all of stupidity :(

Oh yes, as an SPF implementor you better concentrate all your
efforts on the error handling... ;-)

Example in your next message:

>| v=spf1 mx a:cat99 mx:mta ip4:206.14.191.77/32
>| include:snapfish.com ?all

> mx:mta <- ignore it or PermError ? (I think permError but
> mdaemon just pass it)

Let's see, is "mta" a syntax error ? It's not allowed in RfC
2821 (missing dot in FQDN), but SPF isn't RfC 2821.

| domain-spec = macro-string domain-end

domain-end can't be empty, but macro-string can be empty, and
therefore "mta" is a domain-end or a syntax error

| domain-end = ( "." toplabel ) / macro-expand

macro-expand is something with a "%{", "mta" doesn't start with
a dot "." or "%{", therefore mta is a syntax error. With the
"validating implementation" idea in spf-classic-00 this policy
is syntactically invalid => PermError.

Don't try this with the so-called "reference implementation",
this beast had another "be liberal" philosophy and is obsolete.

Bye, Frank


Re: Re: Logical problem
On Sat, Mar 26, 2005 at 07:38:42PM -0400, Dejan Petrovic wrote:
> I understand what's idea but some admins can made weird definitions, we
> need to handle all of stupidity :(

Stupidity is best handled by giving big fat error messages. Please don't
fall in to the trap of accommodating errors in the spf record, stick to
the spf specs or else you'll maneuver us all into a quandary none of us
wishes to end up in..

We've had this discussion from time to time: should we accommodate in the
specs for this and that common made error in publishing spf. The answer
usually was a resounding 'no'. If people make errors in their spf
record, err. Don't process it as if nothing is wrong.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

RE: Re: Logical problem
I'm afraid you don't understand me :

If anyone put here
'a:%(d)'
This is error

But if anyone put here :
'ptr a mx all'
This is load on arpa servers, I know he made error, not me, but do I need to
support it ?

I'm giving up, gonna let this in given order, someone else should think about
it, or ... maybe should just ignore 'ptr' ?


One another problem :
On the site
http://spf.pobox.com/mechanisms.html#extensions
Is described extensions mechanism, but I can't find definition of this in
http://ietf.org/internet-drafts/draft-schlitt-spf-classic-00.txt
Actually don't understand how to process it, should just ignore any
unknown mechanism ?


Re: Logical problem
Dejan Petrovic wrote:

> 'ptr a mx all'
> This is load on arpa servers, I know he made error, not me,
> but do I need to support it ?

Yes. It's no "error", it's bad, a waste of bandwidth, like a
mail signature with more than four lines.

> or ... maybe should just ignore 'ptr' ?

Difficult, you can't ignore it only because you don't like it.

The only way to "ignore" the ptr would be to exit from the SPF
evaluation, i.e. checkhost(), with a non-SPF result like
"let's assume that checkhost() was never called". You can't
return PermError, "ptr mx a" is no PermError, it's bad but not
illegal. You can't ignore a ptr in "ptr -all" and return FAIL.

Maybe you could abuse TempError, "TempError your policy sucks",
but I don't think that that's a good idea. Last but not least
you can't say NONE in a Received-SPF header if there clearly
is a sender policy.

> http://spf.pobox.com/mechanisms.html#extensions
> Is described extensions mechanism

That's obsolete, forget it.

> Actually don't understand how to process it, should just
> ignore any unknown mechanism ?

No, unknown SPF mechanisms are now a syntax error (PermError).

Like unknown macros. Only unknown modifiers are allowed. That
was changed later in the standards process, the spf.pobox.com
site is obsolete, the SPF Council plans to update it "soon".

Where "soon" is probably some date between yesterday and never.

Bye. Frank


RE: Re: Logical problem
Hi again,

If I starting to pissOff someone don't worry, I'm almost done :), just to
solve few problems more :

Main spf policy can have many includes, ok, I need to evaluate all of them
but :
- if second include have third include, 4,5,6 ... Khm, this must be stopped,
how in depth I need to go ?
- same problem with redirect

Redirect is not that hard load actually, I should stop it at 15-th redirect
(and permError), I had to resolve 15 domains and this should be ok

1. Hard problem is :
Main policy can have 10 includes (for example)
Second include can have 10 other includes
3rd include can have 10 new includes (I'm already on 1000 resolvings)


I already have handled recursive include, when one domain is repeated first
time this is permError but what to do with includes if there are all
different domains ? Need to support many and don't know how much. Maybe 10
levels max and sum this 10 levels must be max 50 domains ? Any idea ? How
you all have handled it ?




2. One question more:
When someone repeat mechanism, for example (I already was see that online):
IP4:123.123.123.123 IP4:32.32.32.32/28 IP4:123.123.123.123 <- twice
123.123.123.123
This should be ok or error ?
Same problem, next level :

Domain example.com
IP4:123.123.123.123 include:example:org

Domain: example.org
A IP4:123.123.123.123 <- again have same ip, but this one is in include
What to do ? This should be ok but ... What all you think ?


Tnx in advance
Dejan Petrovic


Re: Logical problem
Dejan Petrovic wrote:

> If I starting to pissOff someone don't worry

No problem so far... ;-)

> Main spf policy can have many includes, ok, I need to
> evaluate all of them but :
> - if second include have third include, 4,5,6 ... Khm,
> this must be stopped, how in depth I need to go ?

You count to ten, each "a", "mx", "include", "exists", "ptr"
counted as "one DNS mechanism". Don't count "ip4" or "ip6" or
"all", they don't need additional DNS queries. And if your
counter reaches 11 throw PermError (illegal sender policy).

> - same problem with redirect

Same solution, count "redirect=" as "one DNS mechanism".
Ok., it's a modifier and no mechanism, but you count it anyway.

But don't count "exp=", you already have a result FAIL at this
point, it would be stupid to replace it by a counter PermError.

> I should stop it at 15-th redirect (and permError), I had to
> resolve 15 domains and this should be ok

The limit is 10. It's better if all implementations enforce
the same limit, otherwise the same policy would sometimes work
and sometimes get a PermError, that would be a mess. (In fact
it _IS_ a mess at the moment, the limit 10 is rather new, old
SPF implementations did whatever they liked... ;-)

> Main policy can have 10 includes (for example)
> Second include can have 10 other includes
> 3rd include can have 10 new includes (I'm already on 1000
> resolvings)

Yes, that's bad, therefore the hard limit is 10, not 1000.

> Any idea ? How you all have handled it ?

See Wayne's draft-schlitt-spf-classic-00. There was a lot of
discussion (over on the spf-discuss list) in the last days how
to make the hard 10 even harder, but the "rough consensus" was
that it's good enough at the moment. Not nice but good enough.

> IP4:123.123.123.123 IP4:32.32.32.32/28 IP4:123.123.123.123
> <- twice 123.123.123.123
> This should be ok or error ?

Okay. You could also have "v=spf1 a a a a a a a a a a -all",
10 a mechanisms, but not "v=spf1 a a a a a a a a a a a -all".

> Domain example.com
> IP4:123.123.123.123 include:example:org
> Domain: example.org
> A IP4:123.123.123.123 <- again have same ip, but this one is
> in include What to do ? This should be ok but ...

Sure. It's a stupid or dubious SPF policy, but not invalid.
And it's much better than "v=spf1 mickey=mouse" (also valid,
result NEUTRAL, because "?all" is the default).

Bye, Frank



RE: Re: Logical problem
Confirm me do I understand please :

Evaluating example.com: "v=spf1 a a a a a mx mx include:example.org -all"
Evaluating example.org: "v=spf1 a a ptr <STOP HERE AND RETURN NEUTRAL> a ptr
-all"
Because 7 in first and 3 in second are 10 ?

Or better :
Evaluating example.com: "v=spf1 a a a a a mx mx include:example.org -all"
Evaluating example.org: "v=spf1 a mickey=mouse a <STOP HERE AND RETURN
NEUTRAL> ptr a ptr -all"
Because count also mickey ?


RE: Re: Logical problem
Wayne's draft-schlitt-spf-classic-00 is discussion group ? Where is ?


RE: Re: Logical problem
It is the current draft SPF specification, found here:

http://www.ietf.org/internet-drafts/draft-schlitt-spf-classic-00.txt

Discussion about this and much more can be found on the spf-discuss list
(sign up the same place you signed up for spf-devel).

Scott Kitterman

>-----Original Message-----
>From: owner-spf-devel@v2.listbox.com
>[mailto:owner-spf-devel@v2.listbox.com]On Behalf Of Dejan Petrovic
>Sent: Thursday, March 31, 2005 8:53 AM
>To: spf-devel@v2.listbox.com
>Subject: RE: [spf-devel] Re: Logical problem
>
>
>Wayne's draft-schlitt-spf-classic-00 is discussion group ? Where is ?
>
RE: Re: Logical problem
From http://www.ietf.org/internet-drafts/draft-schlitt-spf-classic-00.txt,
page 22, paragraph 6:

"Unrecognized modifiers SHOULD be ignored no matter where in a record, nor
how often."

Since mickey is unrecognized, it should not be counted.

Scott Kitterman

>-----Original Message-----
>From: owner-spf-devel@v2.listbox.com
>[mailto:owner-spf-devel@v2.listbox.com]On Behalf Of Dejan Petrovic
>Sent: Thursday, March 31, 2005 8:38 AM
>To: spf-devel@v2.listbox.com
>Subject: RE: [spf-devel] Re: Logical problem
>
>
>Confirm me do I understand please :
>
>Evaluating example.com: "v=spf1 a a a a a mx mx include:example.org -all"
>Evaluating example.org: "v=spf1 a a ptr <STOP HERE AND RETURN
>NEUTRAL> a ptr
>-all"
>Because 7 in first and 3 in second are 10 ?
>
>Or better :
>Evaluating example.com: "v=spf1 a a a a a mx mx include:example.org -all"
>Evaluating example.org: "v=spf1 a mickey=mouse a <STOP HERE AND RETURN
>NEUTRAL> ptr a ptr -all"
>Because count also mickey ?
>
RE: Re: Logical problem
Ok, but other are ok ?

10 is sum of all includes or redirects ?

Or 10 in one and 10 in another and 10 in 3rd ?


Frank Said :
>You count to ten, each "a", "mx", "include", "exists", "ptr"
>counted as "one DNS mechanism". Don't count "ip4" or "ip6" or "all",
>they don't need additional DNS queries. And if your counter reaches 11
>throw PermError (illegal sender policy).

But there is part what I don't understand :
If this is per spf definition I can have many includes, so, this is same
problem (near unlimited number of definitions theoretically). In this case in
list of "a", "mx", "include", "exists", "ptr" should be included "include"
and "redirect"

If this is sum for all includes and redirects found then no problem, all
clear
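
The rules worked out in this thread, put together as an added example (not code from any poster or from an SPF library): validate the whole record first, evaluate mechanisms in published order, treat only an include "pass" as a match, apply redirect= last, and keep one counter of DNS terms shared by the main policy, its includes and redirects, which is the reading later fixed in RFC 7208, section 4.6.4. The names `check_host`, `evaluate` and `ZONE` and all records are constructed for illustration; macros are not expanded, `a` and `mx` share one address table, and `ptr` forward confirmation is omitted.

```python
import ipaddress
import re

LIMIT = 10  # total DNS-querying terms allowed in one evaluation
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHS = {"a", "mx", "include", "exists", "ptr"}
MODIFIER = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)
MECHANISM = re.compile(r"^([+?~-]?)([a-z0-9]+)(?::([^/]+))?(/\d+)?$", re.I)
# Simplified domain-end: "." plus a label containing a letter, or a %{...} macro.
DOMAIN_END = re.compile(r"(\.[a-z0-9-]*[a-z][a-z0-9-]*\.?|%\{[^}]+\})$", re.I)

# Constructed sample data standing in for DNS (not real records).
ZONE = {
    "txt": {
        "example.com": "v=spf1 a a a a a mx mx include:example.org -all",
        "example.org": "v=spf1 a mickey=mouse a ptr a ptr -all",
        "outer.example": "v=spf1 include:inner.example -all",
        "inner.example": "v=spf1 ip4:198.51.100.0/24 ?all",
        "redir.example": "v=spf1 redirect=inner.example ip4:192.0.2.0/24",
        "noinc.example": "v=spf1 include:missing.example -all",
        "badname.example": "v=spf1 mx mx:mta ?all",
        "ten.example": "v=spf1 a a a a a a a a a a -all",
        "eleven.example": "v=spf1 a a a a a a a a a a a -all",
    },
    "addr": {"example.com": ["192.0.2.10"]},  # what a/mx resolve to
    "ptr": {},                                # ip -> reverse names
}

class PermError(Exception):
    pass

def parse(record):
    """Validate the whole record before evaluating; return (mechanisms, redirect)."""
    mechs, redirect = [], None
    for term in record.split()[1:]:
        m = MODIFIER.match(term)
        if m:
            if m.group(1).lower() == "redirect":
                redirect = m.group(2)
            continue  # exp= and unknown modifiers (mickey=mouse) cost nothing
        m = MECHANISM.match(term)
        if not m or m.group(2).lower() not in DNS_MECHS | {"ip4", "ip6", "all"}:
            raise PermError("unknown or malformed mechanism: " + term)
        qual, name, arg, cidr = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if name in ("ip4", "ip6", "include", "exists") and not arg:
            raise PermError("missing argument: " + term)
        if name in DNS_MECHS and arg and not DOMAIN_END.search(arg):
            raise PermError("bad domain-spec: " + term)
        mechs.append((QUAL[qual], name, arg, cidr or ""))
    return mechs, redirect

def in_net(ip, addr, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(addr + cidr, strict=False)

def check_host(ip, domain, zone, counter):
    record = zone["txt"].get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    mechs, redirect = parse(record)
    def lookup():  # one counter for the main policy, includes and redirects
        counter[0] += 1
        if counter[0] > LIMIT:
            raise PermError("more than %d DNS mechanisms" % LIMIT)
    for result, name, arg, cidr in mechs:  # strictly in published order
        target = arg or domain
        if name in DNS_MECHS:
            lookup()
        if name == "all":
            hit = True
        elif name in ("ip4", "ip6"):
            hit = in_net(ip, arg, cidr)
        elif name in ("a", "mx"):
            hit = any(in_net(ip, h, cidr) for h in zone["addr"].get(target, ()))
        elif name == "exists":
            hit = target in zone["addr"]
        elif name == "ptr":
            hit = any(n == target or n.endswith("." + target) for n in zone["ptr"].get(ip, ()))
        else:  # include: only an inner "pass" is a match
            inner = check_host(ip, arg, zone, counter)
            if inner == "none":
                raise PermError("include target has no SPF record: " + arg)
            hit = inner == "pass"
        if hit:
            return result
    if redirect:  # reached only when no mechanism matched, wherever it was written
        lookup()
        result = check_host(ip, redirect, zone, counter)
        if result == "none":
            raise PermError("redirect target has no SPF record: " + redirect)
        return result
    return "neutral"  # implicit ?all

def evaluate(ip, domain, zone=ZONE):
    try:
        return check_host(ip, domain, zone, [0])
    except (PermError, ValueError):
        return "permerror"
```

With this data, example.com passes for 192.0.2.10 on its first `a`, but for a non-matching address the include is the eighth counted term and the first `ptr` inside example.org is the eleventh, so the result is a PermError.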



-----Original Message-----
From: owner-spf-devel@v2.listbox.com [mailto:owner-spf-devel@v2.listbox.com]
On Behalf Of spf2@kitterman.com
Sent: Thursday, March 31, 2005 12:06 PM
To: spf-devel@v2.listbox.com
Subject: RE: [spf-devel] Re: Logical problem

From http://www.ietf.org/internet-drafts/draft-schlitt-spf-classic-00.txt,
page 22, paragraph 6:

"Unrecognized modifiers SHOULD be ignored no matter where in a record, nor
how often."

Since mickey is unrecognized, it should not be counted.

Scott Kitterman

>-----Original Message-----
>From: owner-spf-devel@v2.listbox.com
>[mailto:owner-spf-devel@v2.listbox.com]On Behalf Of Dejan Petrovic
>Sent: Thursday, March 31, 2005 8:38 AM
>To: spf-devel@v2.listbox.com
>Subject: RE: [spf-devel] Re: Logical problem
>
>
>Confirm me do I understeand please :
>
>Evaluating example.com: "v=spf1 a a a a a mx mx include:example.org -all"
>Evaluating example.org: "v=spf1 a a ptr <STOP HERE AND RETURN
>NEUTRAL> a ptr
>-all"
>Because 7 in first and 3 in second are 10 ?
>
>Or better :
>Evaluating example.com: "v=spf1 a a a a a mx mx include:example.org -all"
>Evaluating example.org: "v=spf1 a mickey=mouse a <STOP HERE AND RETURN
>NEUTRAL> ptr a ptr -all"
>Because count also mickey ?
>
>
>-----Original Message-----
>From: owner-spf-devel@v2.listbox.com
>[mailto:owner-spf-devel@v2.listbox.com]
>On Behalf Of Frank Ellermann
>Sent: Thursday, March 31, 2005 4:45 AM
>To: spf-devel@v2.listbox.com
>Subject: [spf-devel] Re: Logical problem
>
>Dejan Petrovic wrote:
>
>> If I starting to pissOff someone don't worry
>
>No problem so far... ;-)
>
>> Main spf policy can have many includes, ok, I need to evaluate all of
>> them but :
>> - if second include have third include, 4,5,6 ... Khm,
>> this must be stopped, how in depth I need to go ?
>
>You count to ten, each "a", "mx", "include", "exists", "ptr"
>counted as "one DNS mechanism". Don't count "ip4" or "ip6" or "all",
>they don't need additional DNS queries. And if your counter reaches 11
>throw PermError (illegal sender policy).
>
>> - same problem with redirect
>
>Same solution, count "redirect=" as "one DNS mechanism".
>Ok., it's a modifier and no mechanism, but you count it anyway.
>
>But don't count "exp=", you already have a result FAIL at this point,
>it would be stupid to replace it by a counter PermError.
>
>> I should stop it at 15-th redirect (and permError), I had to resolve
>> 15 domains and this should be ok
>
>The limit is 10. It's better if all implementations enforce the same
>limit, otherwise the same policy would sometimes work and sometimes get
>a PermError, that would be a mess. (In fact it _IS_ a mess at the
>moment, the limit 10 is rather new, old SPF implementations did
>whatever they liked...
>;-)
>
>> Main policy can have 10 includes (for example) Second include can
>> have 10 other includes 3rd include can have 10 new includes (I'm
>> already on 1000
>> resolvings)
>
>Yes, that's bad, therefore the hard limit is 10, not 1000.
>
>> Any idea ? How you all have handled it ?
>
>See Wayne's draft-schlitt-spf-classic-00. There was a lot of
>discussion (over on the spf-discuss list) in the last days how to make
>the hard 10 even harder, but the "rough consensus" was that it's good
>enough at the moment.
>Not nice but good enough.
>
>> IP4:123.123.123.123 IP4:32.32.32.32/28 IP4:123.123.123.123
>> <- twice 123.123.123.123
>> This should be ok or error ?
>
>Okay. You could also have "v=spf1 a a a a a a a a a a -all", 10 a
>mechanisms, but not "v=spf1 a a a a a a a a a a a -all".
>
>> Domain example.com
>> IP4:123.123.123.123 include:example:org
>> Domain: example.org
>> A IP4:123.123.123.123 <- again have same ip, but this one is in
>> include What to do ? This should be ok but ...
>
>Sure. It's a stupid or dubious SPF policy, but not invalid.
>And it's much better than "v=spf1 mickey=mouse" (also valid, result
>NEUTRAL, because "?all" is the default).
>
> Bye, Frank


RE: Re: Logical problem [ In reply to ]
Once again, from Schlitt-00:

"SPF implementations MUST limit the number of mechanism that do DNS
lookups to at most 10, if this number is exceeded, a PermError MUST
be returned. The mechanisms that count against this limit are
"include", "a", "mx", "ptr", "exists" and the "redirect" modifier.
The "all", "ip4" and "ip6" mechanisms do not require DNS lookups and
therefore do not count against this limit. The "exp" modifier
requires a DNS lookup, but it is not counted as it is used only in
the case of errors.

When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro,
there MUST be a limit of no more than 10 MX or PTR RRs looked up and
checked."

The way I read that, the limit of 10 includes both the includes and the DNS
lookups that result from the includes (or the redirect), so 10 in sum of
all.

Scott Kitterman

RE: Re: Logical problem [ In reply to ]
Tnx a lot, I missed this part of the definition, but this is clear now:


-----Original Message-----
From: <spf2@kitterman.com>
To: <spf-devel@v2.listbox.com>
Date: Thu, 31 Mar 2005 12:50:28 -0500
Subject: RE: [spf-devel] Re: Logical problem

> Once again, from Schlitt-00:
>
> "SPF implementations MUST limit the number of mechanism that do DNS
> lookups to at most 10, if this number is exceeded, a PermError MUST
> be returned. The mechanisms that count against this limit are
> "include", "a", "mx", "ptr", "exists" and the "redirect" modifier.
> The "all", "ip4" and "ip6" mechanisms do not require DNS lookups and
> therefore do not count against this limit. The "exp" modifier
> requires a DNS lookup, but it is not counted as it is used only in
> the case of errors.
>
> When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro,
> there MUST be a limit of no more than 10 MX or PTR RRs looked up and
> checked."
>
> The way I read that, the limit of 10 includes both the includes and the
> DNS lookups that result from the includes (or the redirect), so 10 in sum
> of all.
>
> Scott Kitterman


Re: Logical problem [ In reply to ]
Dejan Petrovic wrote:

> Evaluating example.com:
> "v=spf1 a a a a a mx mx include:example.org -all"
> Evaluating example.org:
> "v=spf1 a a ptr <STOP HERE AND RETURN NEUTRAL> a ptr -all"
> Because 7 in first and 3 in second are 10 ?

a + a + a + a + a + mx + mx + include = 8.

a + a + ptr + a + ptr = 5. You get a PermError (not NEUTRAL)
at the first "ptr" in the example.org record. IIRC you're
supposed to check syntax a.s.a.p., therefore you could throw
PermError after you see that example.org has more than two
DNS mechanisms (10 - 8 = 2, so more than 2 must be invalid).

> Evaluating example.com:
> "v=spf1 a a a a a mx mx include:example.org -all"
> Evaluating example.org:
> "v=spf1 a mickey=mouse a <STOP HERE AND RETURN NEUTRAL>
> ptr a ptr -all"

> Because count also mickey ?

No, don't count mickey=, redirect= is so far the only counted
modifier, other modifiers like mickey= or exp= are not counted.

The problem in your second example is (again) the 11th DNS
mechanism, the first "ptr" for example.org (8 + 3 = 11), see
also Scott's replies.
Bye, Frank
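
The counting rule from Scott's Schlitt-00 quote and Frank's replies, as an added example that is not code from the thread or from any SPF implementation: one counter is shared across the whole include/redirect tree, and the 11th DNS-querying term raises PermError. The function names and the `RECORDS` table are hypothetical; the table is constructed and stands in for DNS TXT lookups, and the walk assumes the worst case in which no mechanism matches the sender.

```python
MAX_DNS_TERMS = 10
COUNTED = {"a", "mx", "include", "exists", "ptr"}   # each needs a DNS query


class PermError(Exception):
    """Illegal sender policy, here: an 11th DNS-querying term."""


def split_term(term):
    """Return (kind, name, argument) for one term of an SPF record."""
    body = term.lstrip("+-~?")                      # drop the qualifier
    eq = body.find("=")
    sep = min((i for i in (body.find(":"), body.find("/")) if i >= 0), default=-1)
    if eq != -1 and (sep == -1 or eq < sep):        # name=value is a modifier
        return "modifier", body[:eq].lower(), body[eq + 1:]
    name, _, arg = body.partition(":")
    return "mechanism", name.split("/")[0].lower(), arg.split("/")[0]


def bump(state, domain, term):
    """Count one DNS-querying term against the single shared limit."""
    state["count"] += 1
    if state["count"] > MAX_DNS_TERMS:
        raise PermError(f"term {state['count']} is {term!r} in {domain}")


def count_dns_terms(domain, records, state=None):
    """Worst-case count (nothing matches) through include and redirect=."""
    state = {"count": 0} if state is None else state
    redirect = None
    for term in records[domain].split()[1:]:        # skip "v=spf1"
        kind, name, arg = split_term(term)
        if kind == "modifier":                      # exp=, mickey=: not counted
            redirect = arg if name == "redirect" else redirect
            continue
        if name == "all":
            return state["count"]                   # "all" ends this record
        if name in COUNTED:                         # ip4/ip6 fall through
            bump(state, domain, term)
            if name == "include":
                count_dns_terms(arg, records, state)
    if redirect is not None:                        # followed after mechanisms
        bump(state, domain, "redirect=" + redirect)
        count_dns_terms(redirect, records, state)
    return state["count"]


def check(domain, records):
    """Return ('ok', count) or ('permerror', reason)."""
    try:
        return "ok", count_dns_terms(domain, records)
    except PermError as exc:
        return "permerror", str(exc)


RECORDS = {  # constructed table standing in for DNS TXT lookups
    "example.com": "v=spf1 a a a a a mx mx include:example.org -all",
    "example.org": "v=spf1 a mickey=mouse a ptr a ptr -all",
    "ten.example": "v=spf1 " + "a " * 10 + "-all",
    "loop.example": "v=spf1 ip4:192.0.2.1 include:loop.example -all",
}

if __name__ == "__main__":
    print({d: check(d, RECORDS) for d in RECORDS})
```

Because the counter is shared, a record that includes itself (`loop.example`) also ends in PermError instead of recursing without bound.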

