Does smartermail strictly enforce SPF processing limits as defined in RFC 4408?
Idea shared by CCC - October 30, 2014 at 9:28 AM
Under Consideration
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned.
Does Smartermail enforce this?
 
If so, does it log a specific error when SPF fails with a PermError due to excessive SPF recursion (as opposed to just logging an SPF failure)?
 
MTAs or other processors MAY also impose a limit on the maximum amount of elapsed time to evaluate check_host(). Such a limit SHOULD allow at least 20 seconds. If such a limit is exceeded, the result of authorization SHOULD be "TempError".
Does Smartermail impose this limit? 
 
If so, is it configurable?
 

 

9 Replies

1
Thanks for raising this question, CCC.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
1
Robert Emmett Replied
Employee Post
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned.
 
Does Smartermail enforce this?
 
If so, does it log a specific error when SPF fails with a PermError due to excessive SPF recursion (as opposed to just logging an SPF failure)?
 
SmarterMail does enforce the DNS lookup limit.  We currently do not log the specific error but simply the SPF failure.
 
MTAs or other processors MAY also impose a limit on the maximum amount of elapsed time to evaluate check_host(). Such a limit SHOULD allow at least 20 seconds. If such a limit is exceeded, the result of authorization SHOULD be "TempError".
 
Does Smartermail impose this limit? 
 
If so, is it configurable?
 
SmarterMail does not impose a maximum elapsed time limit on the checks.
 
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Looking for any updates on this as well. Ran into this today with a domain that is falling into this bucket.
 
 
SmarterMail is showing a perm error on this spf record:
 
v=spf1 include:_spf-a.domain.com include:_spf-b.domain.com
 
Note the missing "all" at the end. Every spf tool passes this record but SM is setting this to permfail. I'd like to know why it is perm failing.
1
Any updates on this or "still under consideration"?
1
It appears that a few other people are looking for some logging when SPF lookups fail due to the number of entries.  This appears to still be under consideration. 
 
I'm bumping the thread in hopes that others may chime in so that this may get some traction.  
3
I will bump this thread as well. Now since we implemented stricter policies on our SM install I am starting to see SPF failure messages in our logs. When I look up the SPF policy via MXToolbox the policy passes for said domain. My only workaround for now is to change the scoring in my SPF check to a lower number. I had it set to 30 for Fail and also uncheck the option for Enable for SMTP blocking. That way I can be sure no other legitimate email gets blocked. I have seen a bunch of listings especially in the past 2 weeks since setting up our policies and most of them were indeed garbage domains. I did use Bruce's document as our guideline and appreciate the work Bruce put into the document for all of us. It was a big help in getting things configured properly.
 
Anyways, the log just shows _SPF(Fail) but gives no other reason why. We are running SM Version 14.5.5907 enterprise. Is this addressed in a newer build? Or is this something that is still a work in progress? I see this was brought up 2 years ago but haven't seen an update on this.
2
Checking this again. Still having this issue where SM thinks there is a spf perm error but it validates using every other tool we try. Can we get some additional logging options on spf failures to see why they are failing?
1
Just to add to this again, the SPF perm errors that I saw in our log, I got a custom build from SM that had extra logging. What I found was the domains that failed had several SPF records specified and they were from different providers. So in turn SM labelled them as perm errors. I did discuss with the dev team that logging like this really should be in SM permanently so as a server administrator we can troubleshoot issues like this. The dev did discuss this with management and it was placed on the feature board but no time frame was placed on this being implemented.
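Added illustration, not part of this thread and not SmarterMail's code: a reduced check_host() in Python that shows the behaviours the posts above are asking about, the 10-lookup cap from RFC 4408 section 10.1 ending in PermError, the elapsed-time budget ending in TempError, the "several SPF records on one name" case from the post just above (PermError under RFC 4408 section 4.5), and the record with no trailing "all" from the earlier post (Neutral under section 4.7). It runs against a constructed in-memory zone with placeholder .example names; the a, mx, ptr and exists mechanisms are counted as lookups but never match because the constructed zone carries no address data, and macros and the separate per-mx address limit are left out. The per-lookup trail kept in `log` is the kind of detail the thread wants a server log to show.

```python
import ipaddress
import time

# Constructed in-memory zone (placeholder names under .example, not real domains):
# name -> list of TXT records. Stands in for DNS so the example runs offline.
ZONE = {
    "sender.example": ["v=spf1 include:_spf-a.sender.example include:_spf-b.sender.example"],
    "_spf-a.sender.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf-b.sender.example": ["v=spf1 a mx -all"],
    # two SPF records on one name: RFC 4408 section 4.5 requires PermError
    "dup.example": ["v=spf1 include:_spf-a.sender.example -all",
                    "v=spf1 ip4:198.51.100.0/24 -all"],
    # eleven includes: one more than the RFC 4408 section 10.1 cap
    "deep.example": ["v=spf1 " + " ".join(f"include:h{i}.deep.example" for i in range(11)) + " -all"],
}
for _i in range(11):
    ZONE[f"h{_i}.deep.example"] = ["v=spf1 ip4:203.0.113.1 -all"]

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # the redirect modifier counts too
MAX_DNS_LOOKUPS = 10       # RFC 4408 section 10.1
TIME_LIMIT_SECONDS = 20.0  # RFC 4408 section 10.1: a time limit SHOULD allow at least 20 s
QUALIFIER_RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


class SpfError(Exception):
    result = "PermError"

class PermError(SpfError):
    result = "PermError"

class TempError(SpfError):
    result = "TempError"


class SpfChecker:
    """check_host() reduced to lookup counting, the time budget, duplicate records
    and the missing-all default. One instance is one SPF check."""

    def __init__(self, zone, max_lookups=MAX_DNS_LOOKUPS, time_limit=TIME_LIMIT_SECONDS):
        self.zone, self.max_lookups, self.time_limit = zone, max_lookups, time_limit
        self.lookups = 0
        self.log = []  # per-lookup trail an administrator would want in the SPF log

    def _count_lookup(self, term, target):
        self.lookups += 1
        self.log.append(f"lookup {self.lookups}/{self.max_lookups}: {term}:{target}")
        if self.lookups > self.max_lookups:
            raise PermError(f"more than {self.max_lookups} DNS lookups (at {term}:{target})")

    def _spf_record(self, domain):
        recs = [r for r in self.zone.get(domain, []) if r.split(" ", 1)[0].lower() == "v=spf1"]
        if len(recs) > 1:
            raise PermError(f"{domain} publishes {len(recs)} SPF records; exactly one is allowed")
        return recs[0] if recs else None

    def check_host(self, ip, domain, _start=None):
        start = time.monotonic() if _start is None else _start  # budget spans the whole check
        addr = ipaddress.ip_address(ip)
        record = self._spf_record(domain)
        if record is None:
            return "None"
        redirect = None
        for term in record.split()[1:]:
            if time.monotonic() - start >= self.time_limit:
                raise TempError(f"elapsed-time limit of {self.time_limit}s exceeded")
            if "=" in term.partition(":")[0]:  # modifier such as redirect= or exp=
                mod, _, value = term.partition("=")
                if mod.lower() == "redirect":
                    redirect = value
                continue
            qualifier = "+"
            if term[0] in QUALIFIER_RESULT:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            name = name.lower()
            if name in LOOKUP_MECHANISMS:
                self._count_lookup(name, arg or domain)
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                try:
                    net = ipaddress.ip_network(arg, strict=False)
                except ValueError:
                    raise PermError(f"bad network in {name}:{arg}")
                matched = net.version == addr.version and addr in net
            elif name == "include":
                inner = self.check_host(ip, arg, start)
                if inner == "None":
                    raise PermError(f"include:{arg} has no SPF record")
                matched = inner == "Pass"
            elif name in ("a", "mx", "ptr", "exists"):
                matched = False  # counted above; the constructed zone has no address data
            else:
                raise PermError(f"unknown mechanism {name}")
            if matched:
                return QUALIFIER_RESULT[qualifier]
        if redirect is not None:
            self._count_lookup("redirect", redirect)
            return self.check_host(ip, redirect, start)
        return "Neutral"  # nothing matched and no redirect: RFC 4408 section 4.7


def spf_result(ip, domain, zone=ZONE, **limits):
    """Return (result, reason, lookups_used) instead of raising."""
    checker = SpfChecker(zone, **limits)
    try:
        return checker.check_host(ip, domain), "", checker.lookups
    except SpfError as err:
        return err.result, str(err), checker.lookups


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "sender.example"), ("203.0.113.5", "sender.example"),
                    ("198.51.100.1", "dup.example"), ("192.0.2.9", "deep.example")]:
        print(dom, ip, spf_result(ip, dom))
```

Running it shows the four cases side by side: the sender.example record passes for an address inside _spf-a, returns Neutral (not Fail) for an address that matches neither include because the record has no "all", dup.example is PermError before any lookup is made, and deep.example is PermError on the eleventh lookup. Passing `time_limit=0` forces the TempError path, which is the result RFC 4408 asks for when the time budget, not the record, is the problem.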
2
Larry Duran Replied
Employee Post
Adding spam check logging is something we have scheduled for a future 16 minor release, probably a 16.1 minor.  Initially it will contain logging for SPF checks, since a lot of debug logging we provide is for SPF checks, but it will grow to cover other spam checks when needed.
 
So keep an eye out for our next minor release and check the release notes.
Larry Duran
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
