To beat this thing dead, it's also possible to spoof the IPs that show up in headers. Checking those would be problematic.
The actual IP of the incoming connection is checked as it is a lot more difficult to fake it.
Post by alan
Post by Tim Draegen
Hi Roman,
Only the last hop's IP address is checked.
what he said ;)
any and all internal-to-sender hops are irrelevant and usually RFC1918 addresses anyway
only the IP(s) that connect to the receiver's edge servers are checked (during the connection to the edge servers usually)
and the checks are done before the email is even sent/received so none of the other hops can possibly be known about (as there are no headers yet sent to read)
and equally the receiver's internal hops equally are ignored
mail conversation (yes there is more to it than this in some cases, STARTTLS for example, but in general this is all there is to it from an SPF standpoint)
connection received from ww.xx.yy.zz
(at this point ip based blacklists can be checked **)
helo receiving.server.name [sent]
helo/ehlo sending.server.name [received]
2xx OK [Sent]
2xx OK [sent]
response is either
5xx (the reason why you do not want the email due to blacklisting/either spf failure/any other local policy issue)
4xx (come back later due to greylisting mailbox full whatever)
2xx OK (if all checks non-fatal failure)
**it must cache the result as no reject for any reason will be understood till after RCPT
so as you can see at the point the SPF test is done only the sender's IP and the domain being checked are known to the server
Post by Tim Draegen
Hth,
=- Tim
Post by Roman Gelfand
I am including ipv4 subnet entries in my spf record. if email makes
several server hops before its final destination, is it a correct
behavior of spf checker to check each hop's ip address or spf checker
should be only checking final from hop?
Thanks in advance
-------------------------------------------
Sender Policy Framework: http://www.openspf.net [http://www.openspf.net]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/20433905-a505b78c
Modify Your Subscription: https://www.listbox.com/member/?&
Unsubscribe Now: https://www.listbox.com/unsubscribe/?&&post_id=20130925114848:F3A5379E-25F9-11E3-9F78-9D785B1D7A34
Powered by Listbox: http://www.listbox.com
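The point made in this thread, as an added example that is not part of the original posts: the SPF verdict depends only on the IP of the live connection, so an address forged into a Received header changes nothing. The names `check_spf_ip` and `claimed_ips` are hypothetical, the record and message are constructed, and only the `ip4`, `ip6` and `all` mechanisms are evaluated (the record is supplied inline instead of being fetched from DNS).

```python
import ipaddress
import re
from email import message_from_string

# Constructed inputs: documentation-range addresses and example domains.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all"
FORGED_MESSAGE = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\r\n"
    "\tby mx.receiver.example; Wed, 25 Sep 2013 11:48:48 +0000\r\n"
    "From: someone@example.org\r\n"
    "Subject: constructed sample\r\n\r\nbody\r\n"
)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf_ip(record, peer_ip):
    """Match peer_ip (the connecting address) against ip4/ip6/all terms, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(peer_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        # Assumption: a, mx, include etc. need DNS lookups and are skipped here.
    return "neutral"

def claimed_ips(raw_message):
    """IPs written in Received headers: sender-controlled, shown only for contrast."""
    found = []
    for value in message_from_string(raw_message).get_all("Received", []):
        found.extend(re.findall(r"\[([0-9A-Fa-f:.]+)\]", value))
    return found

if __name__ == "__main__":
    peer_ip = "203.0.113.5"  # constructed: address of the actual TCP connection
    print("header claims:", claimed_ips(FORGED_MESSAGE))
    print("SPF result for connecting IP:", check_spf_ip(SPF_RECORD, peer_ip))
```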