Home | Sitemap | Recent Changes | Login

SPF Logo

Sender Policy Framework




The handling of invalid DNS labels (empty or longer than 63 bytes) is ambiguous in rfc4408. For <domain>, it explicitly says to treat domains with such labels as non-existent. I propose that SPFv3 make this explicit for mechanisms as well (treating invalid labels as if the domain got NXDOMAIN).


There was consensus with rfc4408 that "tempfail" was the wrong answer for invalid DNS labels (since the condition was unchanging). However, some people felt that "permerror" was a better treatment than no-match, because in many cases (especially empty label, i.e. ".."), it is likely a typo. Hence the current test suite allows both permerror and no-match.

However, an SPF record using macros may never generate an invalid label for valid mail, yet an attempted forgery may do so (perhaps due to using the %{H} macro). A "permerror" result would likely let the forgery through, whereas no-match would result in a "fail" result. Hence, "permerror" is not a good result, at least for invalid labels that result from macro expansion.


This could even be an errata for RFC4408.