RFC 7208, "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", April 2014
Source of RFC: spfbis (app)


Errata ID: 5227
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: David Garfield
Date Reported: 2018-01-04

Section 5.5 says:

   The <ip>'s name is looked up using this procedure:

   o  Perform a DNS reverse-mapping for <ip>: Look up the corresponding
      PTR record in "in-addr.arpa." if the address is an IPv4 address
      and in "ip6.arpa." if it is an IPv6 address.

   o  For each record returned, validate the domain name by looking up
      its IP addresses. To prevent DoS attacks, the PTR processing
      limits defined in Section 4.6.4 MUST be applied. If they are
      exceeded, processing is terminated and the mechanism does not
      match.

   o  If <ip> is among the returned IP addresses, then that domain name
      is validated.

   Check all validated domain names to see if they either match the
   <target-name> domain or are a subdomain of the <target-name> domain.
   If any do, this mechanism matches. If no validated domain name can
   be found, or if none of the validated domain names match or are a
   subdomain of the <target-name>, this mechanism fails to match. If a
   DNS error occurs while doing the PTR RR lookup, then this mechanism
   fails to match. If a DNS error occurs while doing an A RR lookup,
   then that domain name is skipped and the search continues.

   This mechanism matches if

   o  the <target-name> is a subdomain of a validated domain name, or

   o  the <target-name> and a validated domain name are the same.

   For example, "mail.example.com" is within the domain "example.com",
   but "mail.bad-example.com" is not.

It should say:

   The <ip>'s name is looked up using this procedure:

   o  Perform a DNS reverse-mapping for <ip>: Look up the corresponding
      PTR record in "in-addr.arpa." if the address is an IPv4 address
      and in "ip6.arpa." if it is an IPv6 address.

   Check all domain names to see if they either match the
   <target-name> domain or are a subdomain of the <target-name>
   domain. If any do, this domain name can be validated. If no
   domain name can be found, or if none of the domain names match or
   are a subdomain of the <target-name>, this mechanism fails to
   match. If a DNS error occurs while doing the PTR RR lookup, then
   this mechanism fails to match.

   This mechanism may match if

   o  the <target-name> is a subdomain of a domain name, or

   o  the <target-name> and a domain name are the same.

   For example, "mail.example.com" is within the domain "example.com",
   but "mail.bad-example.com" is not.

   The domain names received must also be validated for the mechanism
   to match.

   o  For each matched record, validate the domain name by looking up
      its IP addresses. To prevent DoS attacks, the PTR processing
      limits defined in Section 4.6.4 MUST be applied. If they are
      exceeded, processing is terminated and the mechanism does not
      match.

   o  If <ip> is among the returned IP addresses, then that domain name
      is validated.

   If a DNS error occurs while doing an A RR lookup, then that domain
   name is skipped and the search continues.

   The mechanism matches if a domain name is found that properly
   matches the target name and can be properly validated. While these
   tests can be done in either order, performing the match before
   validating prevents needless DNS queries being performed.

Notes:

As specified, the RFC calls for all names to be validated, even those that can be immediately discarded because they do not match. The RFC should call for the local-only operation to be done first. While it may be argued that the RFC doesn't require the order, implementers shouldn't be misled.

My corrected text probably needs editorial work.

I have not fixed errata 4751 in my corrected text.
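
As an added illustration (not part of the erratum or of the RFC text), the two orderings of the "ptr" mechanism side by side in Python, run against a constructed in-memory resolver that counts address lookups; the `limit` default of 10 is the PTR processing limit of RFC 7208 Section 4.6.4, which this page cites but does not quote, and the host names and addresses are invented test data.

```python
# Constructed fake DNS data (not real hosts). None models a DNS error on that lookup.
PTR = {
    "192.0.2.10": ["mail.example.com", "mail.bad-example.com", "mx.example.org"],
    "192.0.2.11": None,  # PTR lookup fails -> the mechanism does not match
}
ADDR = {
    "mail.example.com": ["192.0.2.10"],
    "mail.bad-example.com": ["192.0.2.10"],
    "mx.example.org": None,  # A lookup fails -> this name is skipped
}

class Resolver:  # in-memory resolver that counts address lookups
    def __init__(self, ptr, addr):
        self.ptr, self.addr, self.addr_queries = ptr, addr, 0
    def addr_lookup(self, name):
        self.addr_queries += 1
        return self.addr.get(name)

def in_domain(name: str, target: str) -> bool:
    """True if name equals target or is a subdomain of it (case-insensitive)."""
    n, t = name.lower().rstrip("."), target.lower().rstrip(".")
    return n == t or n.endswith("." + t)

def ptr_as_published(ip: str, target: str, r: Resolver, limit: int = 10) -> bool:
    """Section 5.5 as printed: validate every PTR name first, then look for a match."""
    names = r.ptr.get(ip)
    if names is None or len(names) > limit:  # PTR error, or the 4.6.4 limit exceeded
        return False
    validated = [n for n in names
                 if (addrs := r.addr_lookup(n)) is not None and ip in addrs]
    return any(in_domain(n, target) for n in validated)

def ptr_match_first(ip: str, target: str, r: Resolver, limit: int = 10) -> bool:
    """Order the erratum proposes: drop non-matching names before any A/AAAA lookup."""
    names = r.ptr.get(ip)
    if names is None or len(names) > limit:
        return False
    for n in names:
        if not in_domain(n, target):
            continue  # local-only check, no DNS traffic spent on this name
        addrs = r.addr_lookup(n)
        if addrs is not None and ip in addrs:  # None: DNS error, skip the name
            return True
    return False

def compare(ip: str, target: str):
    """Returns (published result, its A queries, erratum result, its A queries)."""
    a, b = Resolver(PTR, ADDR), Resolver(PTR, ADDR)
    return (ptr_as_published(ip, target, a), a.addr_queries,
            ptr_match_first(ip, target, b), b.addr_queries)
```

Both orderings return the same verdict for every target; the match-first version issues one address query where the published order issues three, which is the point the erratum makes.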