Funny situation, and I'm not sure if this is my fault or Google's.

I have a domain, example.com, which has 2 subdomains: main.example.com and spf.example.com. For the main.example.com domain, my TXT record used to be defined as: v=spf1 redirect=example.com with the relevant TXT for example.com defined.

For various reasons, I decided to create the "main" TXT SPF for spf.example.com, and redirect there. Please note that SOA and NS exist only for example.com. I changed the main.example.com TXT to read v=spf1 redirect=spf.example.com and Google (according to the DMARC report) does not see the SPF record anymore. Yahoo and Microsoft do.

So I ran a second test: created backup.example.com, sent a few emails without a TXT SPF defined, and the DMARC reports from all of Yahoo, MS and Google reflect that there's no TXT SPF. Defined the TXT as v=spf1 redirect=spf.example.com and bam, MS and Yahoo noticed that, while Google still did not.

Any explanation except for "Google mail software sucks"?

StanTastic

1 Answer

As I understood it, the value in your redirect records looks as follows:

v=spf1 redirect=spf.example.com -

There are two problems that I immediately notice:

  • There is a qualifier (-) without any mechanism, i.e. the record appears to be syntactically incorrect.
  • redirect is used, but it's not the last entry in the record.

Both of these are problematic as the spec tries to ensure that the record should actually be understood before it's acted upon:

From the Record Evaluation section of the SPF spec (emphasis added):

The check_host() function parses and interprets the SPF record to find a result for the current test. The syntax of the record is validated first, and if there are any syntax errors anywhere in the record, check_host() returns immediately with the result "permerror", without further interpretation or evaluation.

From the redirect section of the SPF spec (emphasis added):

For clarity, any "redirect" modifier SHOULD appear as the very last term in a record. Any "redirect" modifier MUST be ignored if there is an "all" mechanism anywhere in the record.

Håkan Lindqvist
  • Hi Håkan - sorry if this is not clear, but it's a hyphen (as here, before "sorry") in a sentence, not a part of actual record. Updated now. With that said, good points. Just not applicable to this case. – StanTastic May 12 '16 at 07:55
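
The two spec rules quoted in the answer (syntax is validated first, and "redirect" is ignored when an "all" mechanism is present) can be checked offline before publishing a record. The following is an added example, not code from the question or the answer; the function name lint_spf and the simplified term grammar are assumptions, and the sample records are constructed.

```python
import re

# Simplified term shapes after RFC 7208 (assumption: only the overall form of
# each term is checked; macro strings, CIDR lengths and IPs are not validated).
MECH = re.compile(
    r"^[+\-?~]?(all|include|a|mx|ptr|ip4|ip6|exists)([:/]\S+)?$", re.I)
MODIFIER = re.compile(r"^([a-z][a-z0-9_.\-]*)=(\S*)$", re.I)


def lint_spf(record):
    """Return (status, effective_redirect, notes) for one TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None, ["not an SPF version 1 record"])
    body = terms[1:]
    redirect, redirect_pos, has_all, notes = None, None, False, []
    for pos, term in enumerate(body):
        mod = MODIFIER.match(term)
        mech = MECH.match(term)
        if mod:
            if mod.group(1).lower() == "redirect":
                if redirect is not None:
                    # A second redirect is a permerror per the SPF spec.
                    return ("permerror", None, ["redirect appears more than once"])
                redirect, redirect_pos = mod.group(2), pos
        elif mech:
            has_all = has_all or mech.group(1).lower() == "all"
        else:
            # Any term that is neither mechanism nor modifier (for example a
            # bare qualifier) fails the whole record before evaluation.
            return ("permerror", None, [f"syntax error in term {term!r}"])
    if redirect is not None and redirect_pos != len(body) - 1:
        notes.append("redirect is not the last term (SHOULD be)")
    if redirect is not None and has_all:
        notes.append("redirect ignored: record contains an 'all' mechanism")
        redirect = None
    return ("ok", redirect, notes)


if __name__ == "__main__":
    for sample in (  # constructed sample records
        "v=spf1 redirect=spf.example.com",
        "v=spf1 redirect=spf.example.com -",
        "v=spf1 redirect=spf.example.com mx",
        "v=spf1 redirect=spf.example.com -all",
    ):
        print(sample, "->", lint_spf(sample))
```

A status of "ok" here only means the record has the right shape; whether a given receiver then follows the redirect target still depends on its own DNS lookups.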