What does a "-all" do in an included (secondary) SPF record?


In an SPF record, the -all option means “I am whitelisting just the machines/domains I am explicitly listing here, and no other servers can originate email for this domain.”

So what does it mean when one uses the include: option in an SPF record to include a second SPF record, and that secondary SPF record has -all? What is the effect of it being there?

Codeswitcher

Posted 2017-01-14T04:47:34.093

Reputation: 242

I have taken the liberty of adding a concrete example to clarify the question. It should help remove any perceived ambiguity. – Daniel B – 2017-01-16T12:08:04.217

@DanielB Except you changed the question to something other than what I asked. Reverting. – Codeswitcher – 2017-01-17T07:37:51.220

I apologize, but I don’t see how the example is not exactly what you asked about. Examples help illustrate what you’re asking about. – Daniel B – 2017-01-17T08:04:47.357

@DanielB because he is "Codeswitcher" by name, what do you expect then? :) Codeswitcher, please don't see it as asking for a fight again; it's just a joke that usually helps to resolve even more complicated stuff. You're asking an interesting question, but it lacks information and correct terms. – Alex – 2017-01-18T02:43:38.817

Almost the same question with a very well explaining answer: SPF with -all includes directive with ~all?

– pabouk – 2018-09-05T08:22:09.337

Answers

4

The include mechanism will trigger a recursive evaluation for the included record. If this evaluation fails (e.g. by a -all in the included record), the result of the include mechanism will be considered a "Not match". So in practice a -all mechanism (or any other mechanism with - qualifier) in an included SPF record does not have any effect on the evaluation of the primary record.

A full overview of how the include mechanism affects the evaluation of the primary record can be seen in the table in section 5.2 of RFC 7208 (https://tools.ietf.org/html/rfc7208#section-5.2)

Lars Lind Nilsson

Posted 2017-01-14T04:47:34.093

Reputation: 151

Once again, there is NO such term in SPF as a "secondary record"! – Alex – 2017-01-14T18:02:13.080

"Secondary record" was the term used by OP, so I just answered using the same term. As I read the question, "secondary record" refers to the included SPF record. – Lars Lind Nilsson – 2017-01-15T12:20:06.320

Do not forget that a bunch of lurkers may assume that it is OK to use multiple SPF records in DNS. Included != secondary. – Alex – 2017-01-16T05:14:14.657

I have edited the answer to reduce the risk of terminology confusion. – Lars Lind Nilsson – 2017-01-16T11:11:07.513

Thanks for understanding. I deal with such issues (secondary - multiple SPF records in DNS) on a daily basis; that's why I'm trying to put the accent on that. – Alex – 2017-01-16T19:50:10.163

1

For an SPF check to pass, the sending IP address must pass at least one of the mechanisms. Include mechanisms test the incoming IP address using the included SPF record and 'return' the result.

Using your example:

a.example.com    IN TXT "v=spf1 include:b.example.com +all"
b.example.com    IN TXT "v=spf1 -all"

The included record will return fail, since it only contains a -all mechanism. However, the first record will pass because it has a +all mechanism.

Using a more detailed example:

a.example.com            IN TXT "v=spf1 ip4:1.2.3.4 mx include:spf.example.org -all"
a.example.com            IN MX  0 mailserver.example.com
mailserver.example.com   IN A   1.2.3.5
spf.example.org          IN TXT "v=spf1 ip4:4.3.0.0/16 -all"

I will write down the result of each mechanism in the same order they are specified in the record. So, the results will be formatted as such:

  • a.example.com: [ip4] [mx] [include] [-all]
  • spf.example.org: [ip4] [-all]

With the following sender addresses:

1.2.3.4

  • spf.example.org -> fail fail
  • a.example.com -> pass fail fail fail

The final result will be pass, since at least one check passed.

1.2.3.5

  • spf.example.org -> fail fail
  • a.example.com -> fail pass fail fail

The final result will be pass, since at least one check passed.

4.3.10.20

  • spf.example.org -> pass fail
  • a.example.com -> fail fail pass fail

The final result will be pass, since at least one check passed.

TL;DR: The include mechanism is evaluated separately and the result passed back to the evaluation of the record that included it. Record evaluation fails if no mechanisms match. Since you ended your example with +all, it will always match and therefore pass.

cascer1

Posted 2017-01-14T04:47:34.093

Reputation: 1 762
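The two answers above describe the same rule from RFC 7208 section 5.2: an include: is evaluated recursively, and only a "pass" from the included record counts as a match; fail, softfail and neutral (so also a -all inside the included record) are "not match", while none and permerror turn into a permerror for the including record. The following evaluator is an added example, not code from either answer or from any SPF library. It resolves against a constructed in-memory DNS table (the records from the answers plus a c.example.com record for the +all case in the question and a d.example.com record whose include target does not exist), supports only the ip4, a, mx, include and all mechanisms, ignores modifiers (no redirect= handling), and stops at the first matching mechanism as the RFC requires.

```python
"""Minimal SPF evaluator showing RFC 7208 s5.2 include: semantics.

Added example; evaluates against a constructed in-memory DNS table rather
than real DNS. Mechanisms supported: ip4, a, mx, include, all.
"""
import ipaddress

# Constructed zone data, not real DNS. The a.example.com / spf.example.org
# records mirror cascer1's example; c.example.com mirrors the question's
# "include a record that is only -all, then +all" case; d.example.com
# includes a name with no SPF record at all.
DNS = {
    "TXT": {
        "a.example.com": "v=spf1 ip4:1.2.3.4 mx include:spf.example.org -all",
        "spf.example.org": "v=spf1 ip4:4.3.0.0/16 -all",
        "b.example.com": "v=spf1 -all",
        "c.example.com": "v=spf1 include:b.example.com +all",
        "d.example.com": "v=spf1 include:missing.example -all",
    },
    "MX": {"a.example.com": ["mailserver.example.com"]},
    "A": {"mailserver.example.com": ["1.2.3.5"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return the SPF result for `ip` sending as `domain`:
    one of none, pass, fail, softfail, neutral, permerror."""
    if depth > 10:
        # Crude loop guard; RFC 7208 s4.6.4 limits DNS-querying terms to 10.
        return "permerror"
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (exp=, redirect=) are not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(ip in DNS["A"].get(h, []) for h in hosts)
        elif name == "include":
            # Recursive evaluation of the included record. Only "pass"
            # matches; fail/softfail/neutral are "not match", so a -all in
            # the included record cannot fail the including record. none
            # and permerror from the included record become permerror.
            sub = check_host(ip, arg, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False
            else:
                return "permerror"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            # First matching mechanism decides; later terms (incl. -all)
            # are never reached.
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def results_for(domain, senders):
    """Evaluate each sender IP against `domain`; returns {ip: result}."""
    return {ip: check_host(ip, domain) for ip in senders}


if __name__ == "__main__":
    for ip, res in results_for("a.example.com",
                               ["1.2.3.4", "1.2.3.5", "4.3.10.20", "9.9.9.9"]).items():
        print(f"a.example.com {ip}: {res}")
    print("c.example.com 9.9.9.9:", check_host("9.9.9.9", "c.example.com"))
    print("d.example.com 9.9.9.9:", check_host("9.9.9.9", "d.example.com"))
```

Running it reproduces the three "pass" rows from the answer, shows 9.9.9.9 failing at a.example.com's own -all (the included record's -all only produced a "not match" for the include term), shows the question's c.example.com case passing on +all despite the included -all, and shows that an include: of a name with no SPF record yields permerror rather than fail.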

0

The -all at the end is interpreted after any includes are handled.

Its purpose is to communicate how emails not sent through the listed resources should be treated.

-all means drop them as forgeries while ~all means they might still be legitimate and should be treated with more suspicion.

davidgo

Posted 2017-01-14T04:47:34.093

Reputation: 49 152

I think you wanted to say - "-all means that this outgoing server is authorized to send email and all others must be dropped as forgeries", otherwise one needs to list almost the whole internet – Alex – 2017-01-14T17:54:25.703

That's what he said. "how emails not sent through the listed resources should be treated" – cascer1 – 2017-01-16T13:11:36.253