
DNS lookup limit being hit too early during SPF verification #35

Closed
titussanchez opened this issue Jun 18, 2024 · 5 comments

Comments

@titussanchez
Contributor

Hi,

I ran across this domain recently: linbit.com.

Running an SPF verification on this domain with a valid sending IP, 209.85.217.50, results in a permerror. However, other SPF testers like MXtoolbox and the EasyDMARC SPF checker both result in an SPF pass for the domain and the corresponding sending IP.

Looking at the EasyDMARC analysis of lookups I think the reason for the lookup limit difference is that the mail-auth library increments the lookup count for each entry in the MX record whereas the EasyDMARC test doesn't add any additional lookups when it resolves each entry in the MX record.

mail-auth/src/spf/verify.rs

Lines 186 to 191 in 2ae73db

```rust
for exchange in records.iter().flat_map(|mx| mx.exchanges.iter()) {
    if !lookup_limit.can_lookup() {
        return output
            .with_result(SpfResult::PermError)
            .with_report(&spf_record);
    }
```

I also looked at how a Python SPF library handles counting the lookups [1] and it also looks like they do not count the lookup for each entry in the MX record either. Instead, there is a separate limit for the MX record specifically that will result in a permerror if there are more than 10 entries in the MX record. This limit is from RFC 7208 section 4.6.4.

@mdecimus Are you open to a pull request where I remove the incrementing of lookups for each entry in the MX record and instead return a permerror if there are more than 10 entries in the MX record?

[1] https://github.com/sdgathman/pyspf/blob/0b985f9692d7ae305774913e67ed639240e237e7/spf.py#L956-L958

@titussanchez
Contributor Author

I also just noticed that there might be an off-by-one error in the testing for the maximum number of DNS lookups allowed. Having exactly 10 lookups should not result in a permerror.

```text
spf: err.test.org v=spf1 a:t1.org a:t2.org a:t3.org a:t4.org a:t5.org a:t6.org a:t7.org a:t8.org a:t9.org a:t10.org ~all

- domain: err.test.org
  sender: [email protected]
  ip: 172.168.0.1
  expect: permerror
```
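The two counting rules raised in the comments above (an "mx" mechanism costs one lookup while its exchanges fall under a separate cap of 10, and a record with exactly 10 lookups stays within the limit) can be modelled in a few lines. The following Rust is an added example written for this thread, not code from mail-auth; the names `Term`, `LookupLimit`, `check_lookup_budget`, `a_record` and the MX host names are constructed for illustration, and the choice to start the counter at zero follows the reporter's reading of RFC 7208 section 4.6.4.

```rust
// Added example (not code from mail-auth): a small model of the RFC 7208
// section 4.6.4 counting rules discussed in this issue. Term, LookupLimit and
// check_lookup_budget are names made up for this illustration.

/// Only the failure mode relevant to the lookup limit is modelled here.
#[derive(Debug, PartialEq, Eq)]
pub enum SpfError {
    PermError,
}

/// RFC 7208 4.6.4: at most 10 terms that cause DNS queries per evaluation.
pub const MAX_LOOKUPS: usize = 10;
/// RFC 7208 4.6.4: an "mx" mechanism may resolve at most 10 MX names.
pub const MAX_MX_NAMES: usize = 10;

/// Counter for DNS-causing terms. Starts at zero: the TXT query that fetches
/// the SPF record itself is not charged against the limit (the reading
/// adopted in this thread).
pub struct LookupLimit {
    used: usize,
}

impl LookupLimit {
    pub fn new() -> Self {
        LookupLimit { used: 0 }
    }

    /// Charge one lookup. The 10th charge succeeds; the 11th is the error,
    /// which is the off-by-one boundary the issue reporter points at.
    pub fn charge(&mut self) -> Result<(), SpfError> {
        if self.used >= MAX_LOOKUPS {
            return Err(SpfError::PermError);
        }
        self.used += 1;
        Ok(())
    }

    pub fn used(&self) -> usize {
        self.used
    }
}

/// Simplified SPF terms; only their lookup cost matters for this model.
pub enum Term {
    /// "a" or "a:domain": one lookup.
    A,
    /// "include:domain": one lookup (the recursive evaluation is elided).
    Include,
    /// "mx" or "mx:domain": one lookup, plus the constructed list of MX
    /// names the MX query would return.
    Mx(Vec<&'static str>),
    /// "all": no lookup.
    All,
}

/// Walk the record's terms and return how many lookups were charged, or
/// PermError when either limit is exceeded.
pub fn check_lookup_budget(terms: &[Term]) -> Result<usize, SpfError> {
    let mut limit = LookupLimit::new();
    for term in terms {
        match term {
            Term::All => {}
            Term::A | Term::Include => limit.charge()?,
            Term::Mx(names) => {
                // The "mx" term itself counts once toward the 10-lookup limit...
                limit.charge()?;
                // ...but resolving each MX name is not charged again; instead
                // the number of names is capped separately.
                if names.len() > MAX_MX_NAMES {
                    return Err(SpfError::PermError);
                }
            }
        }
    }
    Ok(limit.used())
}

/// Build a record of the shape "v=spf1 a:t1.org ... a:tN.org ~all".
pub fn a_record(n: usize) -> Vec<Term> {
    let mut terms: Vec<Term> = (0..n).map(|_| Term::A).collect();
    terms.push(Term::All);
    terms
}

fn main() {
    // Constructed MX answer with three exchanges (placeholder host names).
    let mx = Term::Mx(vec!["mx1.example.test", "mx2.example.test", "mx3.example.test"]);
    let mut nine_a_plus_mx = a_record(9);
    nine_a_plus_mx.insert(0, mx);

    println!("10 a: terms        -> {:?}", check_lookup_budget(&a_record(10)));
    println!("11 a: terms        -> {:?}", check_lookup_budget(&a_record(11)));
    println!("9 a: + mx(3 names) -> {:?}", check_lookup_budget(&nine_a_plus_mx));
    println!(
        "mx with 11 names   -> {:?}",
        check_lookup_budget(&[Term::Mx(vec!["mx.example.test"; 11]), Term::All])
    );
}
```

With this counting, the err.test.org record quoted above (ten `a:` terms) is charged exactly 10 lookups and is not a permerror, an eleventh `a:` term is, and an `mx` term with three exchanges alongside nine `a:` terms still lands exactly on 10 because the exchanges are not charged individually.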

@mdecimus
Member

> Looking at the EasyDMARC analysis of lookups I think the reason for the lookup limit difference is that the mail-auth library increments the lookup count for each entry in the MX record whereas the EasyDMARC test doesn't add any additional lookups when it resolves each entry in the MX record.

Thanks for reporting this, I needed to make a few changes so I fixed it directly. Please check it out and let me know.

> I also just noticed that there might be an off-by-one error in the testing for the maximum number of DNS lookups allowed.

The lookup count starts at 1 to include the initial DNS lookup to obtain the SPF record. I need to re-read the RFC to check if this is correct or not.

@titussanchez
Contributor Author

Looks good to me. Thanks!

My reading of the RFC was that the initial lookup didn't count toward the limit of 10.

I created some test domains with SPF records to see how others were handling this:

ninespf.titussanchez.com
tenspf.titussanchez.com
elevenspf.titussanchez.com

MX Toolbox was fine with the 10 lookups in the tenspf.titussanchez.com
EasyDMARC was also fine with 10 lookups in tenspf.titussanchez.com
The mail-auth library currently throws a permerror for tenspf.titussanchez.com

@titussanchez
Contributor Author

@mdecimus, wondering if you saw my comment about the lookup limit here

@mdecimus
Member

Saw it but then got buried in other issues. Just fixed it and published version 0.5.0.
