Permfail (void lookups>2) for domain with a lot of MX records

Asked by Maxim Britov

I have an issue with mailfrom @gsf.ru:
"Sender address rejected: Message rejected due to: SPF Permanent Error: Void lookup limit of 2 exceeded."

The real SPF record is short:
$ dig txt +short gsf.ru
"v=spf1 a mx -all"

but MX returns a lot of records:
$ dig mx +short gsf.ru
93 mxtom.gsf.ru.
190 azmx.gsf.ru.
95 mx2mskp.gsf.ru.
30 mxrt.gsf.ru.
25 mail.btl-s.ru.
20 mail.gsf.ru.
90 mx1mskp.gsf.ru.

pypolicyd-spf only has a limit for "void lookups" == 2, but it seems the same limit works for MX too. This seems to break RFC 7208 section 4.6.4: "evaluation of each "MX" record MUST NOT result in querying more than 10 address records".

http://www.openspf.org/Why?s=mfrom;<email address hidden>;ip=95.167.0.180 said "It is impossible for us to say why it was rejected"

Any comments? Thanks.
I will try to work around it with Void_Limit=10.

Question information

Language: English
Status: Solved
For: pypolicyd-spf
Assignee: No assignee
Solved by: Maxim Britov
Scott Kitterman (kitterman) said:
#1

The system is working correctly. Here is what I found:

$ dig txt gsf.ru
gsf.ru. 21599 IN TXT "ydTBH64wF12tYmLrcGcqwMI4tZaNEyRXVWhx7RZi234VKrB3hSAMSZc0lyaFvxkZx8yK7rgTRqmhG7CN+2cqmA=="
gsf.ru. 21599 IN TXT "v=spf1 a mx -all"

$ dig a gsf.ru
gsf.ru. 21599 IN A 95.167.0.176
[Not a void lookup]

$ dig mx gsf.ru
gsf.ru. 21599 IN MX 30 mxrt.gsf.ru.
gsf.ru. 21599 IN MX 25 mail.btl-s.ru.
gsf.ru. 21599 IN MX 20 mail.gsf.ru.
gsf.ru. 21599 IN MX 190 azmx.gsf.ru.
gsf.ru. 21599 IN MX 93 mxtom.gsf.ru.
gsf.ru. 21599 IN MX 90 mx1mskp.gsf.ru.
gsf.ru. 21599 IN MX 95 mx2mskp.gsf.ru.
[Not a void lookup]

$ dig mxrt.gsf.ru
mxrt.gsf.ru. 21599 IN A 95.167.0.180
[Not a void lookup]

$ dig a mail.btl-s.ru
mail.btl-s.ru. 21599 IN A 95.167.0.180
[Not a void lookup]

$ dig a mail.gsf.ru
mail.gsf.ru. 21599 IN A 95.167.0.180
[Not a void lookup]

$ dig a azmx.gsf.ru
[Void lookup]

$ dig a mxtom.gsf.ru
mxtom.gsf.ru. 21599 IN A 91.103.214.186
[Not a void lookup]

$ dig a mx1mskp.gsf.ru
[Void lookup]

$ dig a mx2mskp.gsf.ru
[Void lookup]

Currently the record has 3 void lookups. This isn't specific to the MX record at all; it is caused by multiple DNS lookups with no valid target. The sender (if you can reach them) should either publish A records for all the hosts listed in the MX record, drop the hosts from their MX record, or drop the 'mx' mechanism from the SPF record and use 'a' or 'ip4' to more directly specify the authorized hosts.

Maxim Britov (ungifted) said:
#2

Reread section 4.6.4. Heh... you are right. Thanks.

Maxim Britov (ungifted) said:
#3

But the first three lookups are "pass".
Yes, from the RFC: "The <ip> is compared to each returned IP address.",
but "If any address matches, the mechanism matches."

Why can't policyd-spf stop checking at the first positive/pass resolution?
My usual validation services do that. I checked two (both SPF passed/valid):
1. http://www.openspf.org/Why?s=mfrom;<email address hidden>;ip=95.167.0.180
2. https://vamsoft.com/support/tools/spf-policy-tester

Scott Kitterman (kitterman) said:
#4

From RFC 7208 section 4.6:

    "... if there are any syntax errors anywhere in the
    record, check_host() returns immediately with the result "permerror",
    without further interpretation or evaluation"

This is to promote consistency of result. The order of A records returned from the MX lookup is not guaranteed. It's possible a future lookup would return the first three 'void' results first. It's better to have consistent errors for everyone than to have it mysteriously work sometimes and not others.
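An added toy evaluator, not pypolicyd-spf or pyspf code, that walks the "v=spf1 a mx -all" record from comment #1 over a constructed in-memory DNS table and counts void lookups the way RFC 7208 section 4.6.4 describes; the DNS table, check_host(), mx_order and stop_on_match are assumptions of this example only. It shows the point made in #3 and #4: stopping at the first matching MX host gives an answer that depends on the order the hosts happen to be resolved in, while resolving every MX host yields the same permerror no matter the order, and raising the limit to 10 (the Void_Limit workaround from the question) is what turns that into a pass.

```python
# Constructed DNS table mirroring the dig output in comment #1 (name -> rrtype -> rdata).
# azmx, mx1mskp and mx2mskp have no A record, so resolving them is a void lookup.
DNS = {
    "gsf.ru": {"TXT": ["v=spf1 a mx -all"], "A": ["95.167.0.176"],
               "MX": ["mxrt.gsf.ru", "mail.btl-s.ru", "mail.gsf.ru", "azmx.gsf.ru",
                      "mxtom.gsf.ru", "mx1mskp.gsf.ru", "mx2mskp.gsf.ru"]},
    "mxrt.gsf.ru": {"A": ["95.167.0.180"]},
    "mail.btl-s.ru": {"A": ["95.167.0.180"]},
    "mail.gsf.ru": {"A": ["95.167.0.180"]},
    "mxtom.gsf.ru": {"A": ["91.103.214.186"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
class VoidLimitExceeded(Exception):
    pass

def check_host(ip, domain, void_limit=2, mx_order=None, stop_on_match=True):
    """Toy check_host() for 'a', 'mx' and 'all' only; returns (result, void_lookups).
    mx_order fixes the order MX hosts are resolved in (real DNS guarantees none);
    stop_on_match=False resolves every MX host before deciding."""
    voids = 0
    def lookup(name, rrtype):
        nonlocal voids
        rrs = DNS.get(name, {}).get(rrtype, [])
        if not rrs:  # NXDOMAIN or no data: a void lookup (RFC 7208 section 4.6.4)
            voids += 1
            if voids > void_limit:
                raise VoidLimitExceeded()
        return rrs
    try:
        spf = next(r for r in lookup(domain, "TXT") if r.startswith("v=spf1 "))
        for term in spf.split()[1:]:
            qual = term[0] if term[0] in RESULT else "+"
            mech = term.lstrip("+-~?")
            matched = False
            if mech == "all":
                return (RESULT[qual], voids)
            if mech == "a":
                matched = ip in lookup(domain, "A")
            elif mech == "mx":  # any other mechanism is simply not modelled here
                hosts = lookup(domain, "MX") if mx_order is None else mx_order
                for host in hosts:  # every MX host costs one A lookup
                    matched = ip in lookup(host, "A") or matched
                    if matched and stop_on_match:
                        break
            if matched:
                return (RESULT[qual], voids)
        return ("neutral", voids)
    except VoidLimitExceeded:
        return ("permerror", voids)
```

With the dig order and first-match semantics the sending IP passes after zero void lookups, but if the three hosts without A records happen to be resolved first the same record hits the third void lookup and returns permerror.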