
Problems using dnswl for SPF


Hi Matthias and all,

SPF specs include an appendix which details how to avoid breaking forwarding:
https://tools.ietf.org/html/rfc7208#appendix-D

I'm trying D.1:

   v=spf1 +ip4:my.ip.add.ress ?exists:%{ir}.list.dnswl.org -all

but sometimes it doesn't work well.


*Problem 1*
-----------

I heard from Google that they get errors evaluating "exists".  Instead of:

Host 102.1.64.64.list.dnswl.org not found: 3(NXDOMAIN)

They get:

> Host 102.1.64.64.list.dnswl.org not found: 5(REFUSED)
>
> and trying from my non-google server:
>
> Host 102.1.64.64.list.dnswl.org not found: 2(SERVFAIL)

Note that I issue a tiny number of messages, and my setup is not so common.
So, I don't think Google issues too many queries due to SPF evaluation.  Even
in that case, those errors are at odds with DNSWL specs:

   Special return code 127.0.0.255

   In cases where your nameserver issues more than 100’000 queries / 24
   hours, you may be blocked from further queries. The return code
   “127.0.0.255” indicates this situation.
                                      https://www.dnswl.org/?page_id=15

Any idea where those errors originate?


*Problem 2*
-----------

Another problem is how subscribers can manage that situation.  When I need to
test my own SPF record, I end up querying list.dnswl.org, although I have a
local copy of it.  That's because the local copy has a different DNS name,
which is only valid in internal view.  Can this be fixed?

Setting up a local override of list.dnswl.org looks cumbersome.  It seems to be
simpler to instruct an SPF evaluator to map list.dnswl.org to a local copy, if
available, for the purpose of evaluating SPF records.  Any other suggestion,
anyone?

Ale
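The record and lookup described above, worked through as an added example (not code from the post, from dnswl.org, or from any SPF library): it expands the %{ir} macro, applies the RFC 7208 section 5 rules for NXDOMAIN versus other RCODEs, and shows why the 127.0.0.255 "blocked" answer needs separate detection, since a stock evaluator treats any A record as an exists: match. The resolver table, MY_IP and the client addresses are constructed values.

```python
import ipaddress

# Constructed stand-in for a DNS resolver (not real dnswl.org data): each query
# name maps to a list of A records or to an error RCODE name.
FAKE_DNS = {
    "2.0.0.198.list.dnswl.org": ["127.0.10.2"],    # listed by dnswl (any A record matches)
    "102.1.64.64.list.dnswl.org": "NXDOMAIN",       # not listed, the answer the post expects
    "1.0.0.203.list.dnswl.org": "SERVFAIL",         # the error seen from the non-google server
    "9.0.0.203.list.dnswl.org": "REFUSED",          # the error Google reported
    "5.0.0.203.list.dnswl.org": ["127.0.0.255"],    # dnswl.org "too many queries" marker
}

MY_IP = "192.0.2.10"   # constructed value standing in for "my.ip.add.ress" in the record


def expand_ir(ip: str) -> str:
    """SPF %{ir} macro: the connecting IPv4 address with its octets reversed."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def exists_lookup(ip: str, resolver=FAKE_DNS) -> tuple:
    """Resolve the exists: target and classify the outcome (RFC 7208 section 5 rules)."""
    name = expand_ir(ip) + ".list.dnswl.org"
    answer = resolver.get(name, "NXDOMAIN")
    if answer == "NXDOMAIN":
        return name, "nomatch"
    if isinstance(answer, str):          # SERVFAIL, REFUSED, ...: RCODE other than 0 or 3
        return name, "temperror"
    return name, "match"                 # any A record at all is a match


def check_host(ip: str, resolver=FAKE_DNS) -> tuple:
    """Evaluate v=spf1 +ip4:MY_IP ?exists:%{ir}.list.dnswl.org -all for one client IP.

    Returns (spf_result, blocked_marker_seen). The second value flags a 127.0.0.255
    answer, which the evaluator itself silently treats as a match (hence "neutral"),
    so it is the thing to log and alert on.
    """
    if ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(MY_IP):
        return "pass", False             # '+ip4' matched
    name, outcome = exists_lookup(ip, resolver)
    records = resolver.get(name)
    blocked = isinstance(records, list) and "127.0.0.255" in records
    if outcome == "temperror":
        return "temperror", blocked
    if outcome == "match":
        return "neutral", blocked        # '?' qualifier
    return "fail", blocked               # '-all'
```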
