Contents of /test-suite/rfc4408-tests-2007.01.yml

Revision 74
Sun Jan 14 05:22:51 2007 UTC (10 years, 4 months ago) by Stuart Gathman
File MIME type: text/yaml
File size: 53512 byte(s)
Summarize changes.
# This is the openspf.org test suite (version 2007.01) based on RFC 4408.
# $Id$
# vim:sw=2 sts=2
#
# Changes:
#   There was a bug in 2006.11 that caused TXT ONLY implementations to fail.
#   Added additional exp= and redirect= tests.
#
# Contributors:
#   Stuart D Gathman    everything so far
#   Julian Mehnle       proofread YAML syntax, spelling, formal schema
# Informal contributors (suggestions but no code):
#   Craig Whitmore
#   Frank Ellermann
#   Wayne Schlitt
#   Scott Kitterman
#   Norman Maurer
#   Mark Shewmaker
#
---
description: Initial processing
tests:
  toolonglabel:
    description: >-
      DNS labels limited to 63 chars.
    comment: >-
      For initial processing, a long label results in None, not TempError
    spec: 4.3/1
    helo: mail.example.net
    host: 1.2.3.5
    mailfrom: lyme.eater@A123456789012345678901234567890123456789012345678901234567890123.example.com
    result: none
  longlabel:
    description: >-
      DNS labels limited to 63 chars.
    spec: 4.3/1
    helo: mail.example.net
    host: 1.2.3.5
    mailfrom: lyme.eater@A12345678901234567890123456789012345678901234567890123456789012.example.com
    result: fail
  emptylabel:
    spec: 4.3/1
    helo: mail.example.net
    host: 1.2.3.5
    mailfrom: lyme.eater@A...example.com
    result: none
  nolocalpart:
    spec: 4.3/2
    helo: mail.example.net
    host: 1.2.3.4
    mailfrom: '@example.net'
    result: fail
    explanation: postmaster
zonedata:
  example.com:
    - TIMEOUT
  example.net:
    - SPF: v=spf1 -all exp=exp.example.net
  a.example.net:
    - SPF: v=spf1 -all exp=exp.example.net
  exp.example.net:
    - TXT: '%{l}'
  a12345678901234567890123456789012345678901234567890123456789012.example.com:
    - SPF: v=spf1 -all
---
description: Record lookup
tests:
  both:
    spec: 4.4/1
    helo: mail.example.net
    host: 1.2.3.4
    mailfrom: foo@both.example.net
    result: fail
  txtonly:
    description: Result is none if checking SPF records only.
    spec: 4.4/1
    helo: mail.example.net
    host: 1.2.3.4
    mailfrom: foo@txtonly.example.net
    result: [fail, none]
  spfonly:
    description: Result is none if checking TXT records only.
    spec: 4.4/1
    helo: mail.example.net
    host: 1.2.3.4
    mailfrom: foo@spfonly.example.net
    result: [fail, none]
  spftimeout:
    description: >-
      TXT record present, but SPF lookup times out.
      Result is temperror if checking SPF records only.
    comment: >-
      This actually happens for a popular braindead DNS server.
    spec: 4.4/1
    helo: mail.example.net
    host: 1.2.3.4
    mailfrom: foo@spftimeout.example.net
    result: [fail, temperror]
  txttimeout:
    description: >-
      SPF record present, but TXT lookup times out.
      If only TXT records are checked, result is temperror.
    spec: 4.4/1
    helo: mail.example.net
    host: 1.2.3.4
    mailfrom: foo@txttimeout.example.net
    result: [fail, temperror]
  nospftxttimeout:
    description: >-
      No SPF record present, and TXT lookup times out.
      If only TXT records are checked, result is temperror.
    comment: >-
      Because TXT records is where v=spf1 records will likely be, returning
      temperror will try again later.  A timeout due to a braindead server
      is unlikely in the case of TXT, as opposed to the newer SPF RR.
    spec: 4.4/1
    helo: mail.example.net
    host: 1.2.3.4
    mailfrom: foo@nospftxttimeout.example.net
    result: [temperror, none]
  alltimeout:
    description: Both TXT and SPF queries time out
    spec: 4.4/2
    helo: mail.example.net
    host: 1.2.3.4
    mailfrom: foo@alltimeout.example.net
    result: temperror
zonedata:
  both.example.net:
    - TXT: v=spf1 -all
    - SPF: v=spf1 -all
  txtonly.example.net:
    - TXT: v=spf1 -all
  spfonly.example.net:
    - SPF: v=spf1 -all
    - TXT: NONE
  spftimeout.example.net:
    - TXT: v=spf1 -all
    - TIMEOUT
  txttimeout.example.net:
    - SPF: v=spf1 -all
    - TXT: NONE
    - TIMEOUT
  nospftxttimeout.example.net:
    - SPF: "v=spf3 !a:yahoo.com -all"
    - TXT: NONE
    - TIMEOUT
  alltimeout.example.net:
    - TIMEOUT
---
description: Selecting records
tests:
  nospace1:
    description: >-
      Version must be terminated by space or end of record.  TXT pieces
      are joined without intervening spaces.
    spec: 4.5/4
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@example2.com
    result: none
  empty:
    description: Empty SPF record.
    spec: 4.5/4
    helo: mail1.example1.com
    host: 1.2.3.4
    mailfrom: foo@example1.com
    result: neutral
  nospace2:
    spec: 4.5/4
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@example3.com
    result: pass
  spfoverride:
    description: >-
      SPF records override TXT records.  Older implementations may
      check TXT records only.
    spec: 4.5/5
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@example4.com
    result: [pass, fail]
  multitxt1:
    description: >-
      Older implementations will give permerror/unknown because of
      the conflicting TXT records.  However, RFC 4408 says the SPF
      records override them.
    spec: 4.5/5
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@example5.com
    result: [pass, permerror]
  multitxt2:
    description: >-
      Multiple records is a permerror, v=spf1 is case insensitive
    spec: 4.5/6
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@example6.com
    result: permerror
  multispf1:
    description: >-
      Multiple records is a permerror, even when they are identical.
    spec: 4.5/6
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@example7.com
    result: permerror
  multispf2:
    description: >-
      Older implementations will give pass because there is a single
      TXT record.  But RFC 4408 requires permerror because the SPF
      records override and there are more than one.
    spec: 4.5/6
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@example8.com
    result: [permerror, pass]
  nospf:
    spec: 4.5/7
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@mail.example1.com
    result: none
  case-insensitive:
    description: >-
      v=spf1 is case insensitive
    spec: 4.5/6
    helo: mail.example1.com
    host: 1.2.3.4
    mailfrom: foo@example9.com
    result: softfail
zonedata:
  example3.com:
    - SPF: v=spf10
    - SPF: v=spf1 mx
    - MX: [0, mail.example1.com]
  example1.com:
    - SPF: v=spf1
  example2.com:
    - SPF: [ 'v=spf1', 'mx' ]
  mail.example1.com:
    - A: 1.2.3.4
  example4.com:
    - SPF: v=spf1 +all
    - TXT: v=spf1 -all
  example5.com:
    - SPF: v=spf1 +all
    - TXT: v=spf1 -all
    - TXT: v=spf1 +all
  example6.com:
    - TXT: v=spf1 -all
    - TXT: V=sPf1 +all
  example7.com:
    - SPF: v=spf1 -all
    - SPF: v=spf1 -all
  example8.com:
    - SPF: v=spf1 -all
    - SPF: v=spf1 -all
    - TXT: v=spf1 +all
  example9.com:
    - SPF: v=SpF1 ~all
---
description: Record evaluation
tests:
  detect-errors-anywhere:
    description: Any syntax errors anywhere in the record MUST be detected.
    spec: 4.6
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@t1.example.com
    result: permerror
  modifier-charset-good:
    description: name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
    spec: 4.6.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@t2.example.com
    result: pass
  modifier-charset-bad1:
    description: >-
      '=' character immediately after the name and before any ":" or "/"
    spec: 4.6.1/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@t3.example.com
    result: permerror
  modifier-charset-bad2:
    description: >-
      '=' character immediately after the name and before any ":" or "/"
    spec: 4.6.1/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@t4.example.com
    result: permerror
  redirect-after-mechanisms1:
    description: >-
      The "redirect" modifier has an effect after all the mechanisms.
    comment: >-
      The redirect in this example would violate processing limits, except
      that it is never used because of the all mechanism.
    spec: 4.6.3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@t5.example.com
    result: softfail
  redirect-after-mechanisms2:
    description: >-
      The "redirect" modifier has an effect after all the mechanisms.
    spec: 4.6.3
    helo: mail.example.com
    host: 1.2.3.5
    mailfrom: foo@t6.example.com
    result: fail
  default-result:
    description: Default result is neutral.
    spec: 4.7/1
    helo: mail.example.com
    host: 1.2.3.5
    mailfrom: foo@t7.example.com
    result: neutral
  redirect-is-modifier:
    description: |-
      Invalid mechanism.  Redirect is a modifier.
    spec: 4.6.1/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@t8.example.com
    result: permerror
  invalid-domain:
    description: >-
      Domain-spec must end in macro-expand or valid toplabel.
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@t9.example.com
    result: permerror
  invalid-domain-empty-label:
    description: >-
      Domain-spec must end in macro-expand or valid toplabel.
    comment: >-
      But anything goes before the toplabel.  Empty labels cannot be
      encoded for sending to a name server, so resolver must give error
      or empty result.  Empty result is analogous to 4.3/1, and so
      is preferred.
    spec: [8.1/2, 5/10]
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@t10.example.com
    result: [ fail, temperror ]
  invalid-domain-long:
    description: >-
      Domain-spec must end in macro-expand or valid toplabel.
    comment: >-
      But anything goes before the toplabel.  Upper case H macro
      url escapes the HELO string, the result is longer than 63 chars.
      Long labels cannot be coded in a DNS query packet, so resolver must
      give error or empty result.  Empty result is analogous to 4.3/1,
      and so is preferred.
    spec: [8.1/2, 5/10]
    helo: "%%%%%%%%%%%%%%%%%%%%%%"
    host: 1.2.3.4
    mailfrom: foo@t11.example.com
    result: [ fail, temperror ]
zonedata:
  mail.example.com:
    - A: 1.2.3.4
  t1.example.com:
    - SPF: v=spf1 ip4:1.2.3.4 -all moo
  t2.example.com:
    - SPF: v=spf1 moo.cow-far_out=man:dog/cat ip4:1.2.3.4 -all
  t3.example.com:
    - SPF: v=spf1 moo.cow/far_out=man:dog/cat ip4:1.2.3.4 -all
  t4.example.com:
    - SPF: v=spf1 moo.cow:far_out=man:dog/cat ip4:1.2.3.4 -all
  t5.example.com:
    - SPF: v=spf1 redirect=t5.example.com ~all
  t6.example.com:
    - SPF: v=spf1 ip4:1.2.3.4 redirect=t2.example.com
  t7.example.com:
    - SPF: v=spf1 ip4:1.2.3.4
  t8.example.com:
    - SPF: v=spf1 ip4:1.2.3.4 redirect:t2.example.com
  t9.example.com:
    - SPF: v=spf1 a:foo-bar -all
  t10.example.com:
    - SPF: v=spf1 a:mail.example...com -all
  t11.example.com:
    - SPF: v=spf1 a:%{H}.bar -all
---
description: ALL mechanism syntax
tests:
  all-dot:
    description: |
      all = "all"
    comment: |-
      At least one implementation got this wrong
    spec: 5.1/1
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: permerror
  all-arg:
    description: |
      all = "all"
    comment: |-
      At least one implementation got this wrong
    spec: 5.1/1
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2.example.com
    result: permerror
  all-cidr:
    description: |
      all = "all"
    spec: 5.1/1
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e3.example.com
    result: permerror
  all-neutral:
    description: |
      all = "all"
    spec: 5.1/1
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e4.example.com
    result: neutral
  all-double:
    description: |
      all = "all"
    spec: 5.1/1
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e5.example.com
    result: pass
zonedata:
  mail.example.com:
    - A: 1.2.3.4
  e1.example.com:
    - SPF: v=spf1 -all.
  e2.example.com:
    - SPF: v=spf1 -all:foobar
  e3.example.com:
    - SPF: v=spf1 -all/8
  e4.example.com:
    - SPF: v=spf1 ?all
  e5.example.com:
    - SPF: v=spf1 all -all
---
description: PTR mechanism syntax
tests:
  ptr-cidr:
    description: |-
      PTR = "ptr" [ ":" domain-spec ]
    spec: 5.5/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: permerror
  ptr-match-target:
    description: >-
      Check all validated domain names to see if they end in the <target-name>
      domain.
    spec: 5.5/5
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2.example.com
    result: pass
  ptr-match-implicit:
    description: >-
      Check all validated domain names to see if they end in the <target-name>
      domain.
    spec: 5.5/5
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e3.example.com
    result: pass
  ptr-nomatch-invalid:
    description: >-
      Check all validated domain names to see if they end in the <target-name>
      domain.
    comment: >-
      This PTR record does not validate
    spec: 5.5/5
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e4.example.com
    result: fail
  ptr-match-ip6:
    description: >-
      Check all validated domain names to see if they end in the <target-name>
      domain.
    spec: 5.5/5
    helo: mail.example.com
    host: CAFE:BABE::1
    mailfrom: foo@e3.example.com
    result: pass
zonedata:
  mail.example.com:
    - A: 1.2.3.4
  e1.example.com:
    - SPF: v=spf1 ptr/0 -all
  e2.example.com:
    - SPF: v=spf1 ptr:example.com -all
  4.3.2.1.in-addr.arpa:
    - PTR: e3.example.com
    - PTR: e4.example.com
    - PTR: mail.example.com
  1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa:
    - PTR: e3.example.com
  e3.example.com:
    - SPF: v=spf1 ptr -all
    - A: 1.2.3.4
    - AAAA: CAFE:BABE::1
  e4.example.com:
    - SPF: v=spf1 ptr -all
---
description: A mechanism syntax
tests:
  a-cidr6:
    description: |
      A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
      dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
    spec: 5.3/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e6.example.com
    result: fail
  a-bad-cidr4:
    description: |
      A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
      dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
    spec: 5.3/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e6a.example.com
    result: permerror
  a-bad-cidr6:
    description: |
      A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
      dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
    spec: 5.3/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e7.example.com
    result: permerror
  a-multi-ip1:
    description: >-
      A matches any returned IP.
    spec: 5.3/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e10.example.com
    result: pass
  a-multi-ip2:
    description: >-
      A matches any returned IP.
    spec: 5.3/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e10.example.com
    result: pass
  a-bad-domain:
    description: >-
      domain-spec must pass basic syntax checks.
    comment: >-
      A ':' may appear in domain-spec, but not in top-label.
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e9.example.com
    result: permerror
  a-nxdomain:
    description: >-
      If no ips are returned, A mechanism does not match, even with /0.
    spec: 5.3/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: fail
  a-cidr4-0:
    description: >-
      Matches if any A records are present in DNS.
    spec: 5.3/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2.example.com
    result: pass
  a-cidr4-0-ip6:
    description: >-
      Matches if any A records are present in DNS.
    spec: 5.3/3
    helo: mail.example.com
    host: 1234::1
    mailfrom: foo@e2.example.com
    result: fail
  a-cidr6-0-ip4:
    description: >-
      Would match if any AAAA records are present in DNS,
      but not for an IP4 connection.
    spec: 5.3/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2a.example.com
    result: fail
  a-cidr6-0-ip4mapped:
    description: >-
      Would match if any AAAA records are present in DNS,
      but not for an IP4 connection.
    spec: 5.3/3
    helo: mail.example.com
    host: ::FFFF:1.2.3.4
    mailfrom: foo@e2a.example.com
    result: fail
  a-cidr6-0-ip6:
    description: >-
      Matches if any AAAA records are present in DNS.
    spec: 5.3/3
    helo: mail.example.com
    host: 1234::1
    mailfrom: foo@e2a.example.com
    result: pass
  a-cidr6-0-nxdomain:
    description: >-
      No match if no AAAA records are present in DNS.
    spec: 5.3/3
    helo: mail.example.com
    host: 1234::1
    mailfrom: foo@e2b.example.com
    result: fail
  a-null:
    description: >-
      Null not allowed in top-label.
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.5
    mailfrom: foo@e3.example.com
    result: permerror
  a-numeric:
    description: >-
      Top-label may not be all numeric
    comment: >-
      A common publishing mistake is using ip4 addresses with A mechanism.
      This should receive special diagnostic attention in the permerror.
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e4.example.com
    result: permerror
  a-numeric-top-label:
    description: >-
      Top-label may not be all numeric
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e5.example.com
    result: permerror
  a-colon-domain:
    description: >-
      Domain-spec may contain any visible char except %
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e11.example.com
    result: pass
  a-colon-domain-ip4mapped:
    description: >-
      Domain-spec may contain any visible char except %
    spec: 8.1/2
    helo: mail.example.com
    host: ::FFFF:1.2.3.4
    mailfrom: foo@e11.example.com
    result: pass
  a-bad-toplab:
    description: >-
      Toplabel may not begin with -
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e12.example.com
    result: permerror
zonedata:
  mail.example.com:
    - A: 1.2.3.4
  e1.example.com:
    - SPF: v=spf1 a/0 -all
  e2.example.com:
    - A: 1.1.1.1
    - AAAA: 1234::2
    - SPF: v=spf1 a/0 -all
  e2a.example.com:
    - AAAA: 1234::1
    - SPF: v=spf1 a//0 -all
  e2b.example.com:
    - A: 1.1.1.1
    - SPF: v=spf1 a//0 -all
  e3.example.com:
    - SPF: "v=spf1 a:foo.example.com\0"
  e4.example.com:
    - SPF: v=spf1 a:111.222.33.44
  e5.example.com:
    - SPF: v=spf1 a:abc.123
  e6.example.com:
    - SPF: v=spf1 a//33 -all
  e6a.example.com:
    - SPF: v=spf1 a/33 -all
  e7.example.com:
    - SPF: v=spf1 a//129 -all
  e9.example.com:
    - SPF: v=spf1 a:example.com:8080
  e10.example.com:
    - SPF: v=spf1 a:foo.example.com/24
  foo.example.com:
    - A: 1.1.1.1
    - A: 1.2.3.5
  e11.example.com:
    - SPF: v=spf1 a:foo:bar/baz.example.com
  foo:bar/baz.example.com:
    - A: 1.2.3.4
  e12.example.com:
    - SPF: v=spf1 a:example.-com
---
description: Include mechanism semantics and syntax
tests:
  include-fail:
    description: >-
      recursive check_host() result of fail causes include to not match.
    spec: 5.2/9
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: softfail
  include-softfail:
    description: >-
      recursive check_host() result of softfail causes include to not match.
    spec: 5.2/9
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2.example.com
    result: pass
  include-neutral:
    description: >-
      recursive check_host() result of neutral causes include to not match.
    spec: 5.2/9
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e3.example.com
    result: fail
  include-temperror:
    description: >-
      recursive check_host() result of temperror causes include to temperror
    spec: 5.2/9
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e4.example.com
    result: temperror
  include-permerror:
    description: >-
      recursive check_host() result of permerror causes include to permerror
    spec: 5.2/9
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e5.example.com
    result: permerror
  include-syntax-error:
    description: >-
      include = "include" ":" domain-spec
    spec: 5.2/1
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e6.example.com
    result: permerror
  include-none:
    description: >-
      recursive check_host() result of none causes include to permerror
    spec: 5.2/9
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e7.example.com
    result: permerror
zonedata:
  mail.example.com:
    - A: 1.2.3.4
  ip5.example.com:
    - SPF: v=spf1 ip4:1.2.3.5 -all
  ip6.example.com:
    - SPF: v=spf1 ip4:1.2.3.6 ~all
  ip7.example.com:
    - SPF: v=spf1 ip4:1.2.3.7 ?all
  ip8.example.com:
    - TIMEOUT
  erehwon.example.com:
    - TXT: v=spfl am not an SPF record
  e1.example.com:
    - SPF: v=spf1 include:ip5.example.com ~all
  e2.example.com:
    - SPF: v=spf1 include:ip6.example.com all
  e3.example.com:
    - SPF: v=spf1 include:ip7.example.com -all
  e4.example.com:
    - SPF: v=spf1 include:ip8.example.com -all
  e5.example.com:
    - SPF: v=spf1 include:e6.example.com -all
  e6.example.com:
    - SPF: v=spf1 include +all
  e7.example.com:
    - SPF: v=spf1 include:erehwon.example.com -all
---
description: MX mechanism syntax
tests:
  mx-cidr6:
    description: |
      MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
      dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
    spec: 5.4/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e6.example.com
    result: fail
  mx-bad-cidr4:
    description: |
      MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
      dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
    spec: 5.4/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e6a.example.com
    result: permerror
  mx-bad-cidr6:
    description: |
      MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
      dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
    spec: 5.4/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e7.example.com
    result: permerror
  mx-multi-ip1:
    description: >-
      MX matches any returned IP.
    spec: 5.4/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e10.example.com
    result: pass
  mx-multi-ip2:
    description: >-
      MX matches any returned IP.
    spec: 5.4/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e10.example.com
    result: pass
  mx-bad-domain:
    description: >-
      domain-spec must pass basic syntax checks.
    comment: >-
      A ':' may appear in domain-spec, but not in top-label.
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e9.example.com
    result: permerror
  mx-nxdomain:
    description: >-
      If no ips are returned, MX mechanism does not match, even with /0.
    spec: 5.4/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: fail
  mx-cidr4-0:
    description: >-
      Matches if any A records for any MX records are present in DNS.
    spec: 5.4/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2.example.com
    result: pass
  mx-cidr4-0-ip6:
    description: >-
      Matches if any A records for any MX records are present in DNS.
    spec: 5.4/3
    helo: mail.example.com
    host: 1234::1
    mailfrom: foo@e2.example.com
    result: fail
  mx-cidr6-0-ip4:
    description: >-
      Would match if any AAAA records for MX records are present in DNS,
      but not for an IP4 connection.
    spec: 5.4/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2a.example.com
    result: fail
  mx-cidr6-0-ip4mapped:
    description: >-
      Would match if any AAAA records for MX records are present in DNS,
      but not for an IP4 connection.
    spec: 5.4/3
    helo: mail.example.com
    host: ::FFFF:1.2.3.4
    mailfrom: foo@e2a.example.com
    result: fail
  mx-cidr6-0-ip6:
    description: >-
      Matches if any AAAA records for any MX records are present in DNS.
    spec: 5.3/3
    helo: mail.example.com
    host: 1234::1
    mailfrom: foo@e2a.example.com
    result: pass
  mx-cidr6-0-nxdomain:
    description: >-
      No match if no AAAA records for any MX records are present in DNS.
    spec: 5.4/3
    helo: mail.example.com
    host: 1234::1
    mailfrom: foo@e2b.example.com
    result: fail
  mx-null:
    description: >-
      Null not allowed in top-label.
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.5
    mailfrom: foo@e3.example.com
    result: permerror
  mx-numeric-top-label:
    description: >-
      Top-label may not be all numeric
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e5.example.com
    result: permerror
  mx-colon-domain:
    description: >-
      Domain-spec may contain any visible char except %
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e11.example.com
    result: pass
  mx-colon-domain-ip4mapped:
    description: >-
      Domain-spec may contain any visible char except %
    spec: 8.1/2
    helo: mail.example.com
    host: ::FFFF:1.2.3.4
    mailfrom: foo@e11.example.com
    result: pass
  mx-bad-toplab:
    description: >-
      Toplabel may not begin with -
    spec: 8.1/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e12.example.com
    result: permerror
  mx-empty:
    description: >-
      test null MX
    comment: >-
      Some implementations have had trouble with null MX
    spec: 5.4/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: ""
    result: neutral
  mx-implicit:
    description: >-
      If the target name has no MX records, check_host() MUST NOT pretend the
      target is its single MX, and MUST NOT default to an A lookup on the
      target-name directly.
    spec: 5.4/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e4.example.com
    result: neutral
zonedata:
  mail.example.com:
    - A: 1.2.3.4
    - MX: [0, ""]
    - SPF: v=spf1 mx
  e1.example.com:
    - SPF: v=spf1 mx/0 -all
    - MX: [0, e1.example.com]
  e2.example.com:
    - A: 1.1.1.1
    - AAAA: 1234::2
    - MX: [0, e2.example.com]
    - SPF: v=spf1 mx/0 -all
  e2a.example.com:
    - AAAA: 1234::1
    - MX: [0, e2a.example.com]
    - SPF: v=spf1 mx//0 -all
  e2b.example.com:
    - A: 1.1.1.1
    - MX: [0, e2b.example.com]
    - SPF: v=spf1 mx//0 -all
  e3.example.com:
    - SPF: "v=spf1 mx:foo.example.com\0"
  e4.example.com:
    - SPF: v=spf1 mx
    - A: 1.2.3.4
  e5.example.com:
    - SPF: v=spf1 mx:abc.123
  e6.example.com:
    - SPF: v=spf1 mx//33 -all
  e6a.example.com:
    - SPF: v=spf1 mx/33 -all
  e7.example.com:
    - SPF: v=spf1 mx//129 -all
  e9.example.com:
    - SPF: v=spf1 mx:example.com:8080
  e10.example.com:
    - SPF: v=spf1 mx:foo.example.com/24
  foo.example.com:
    - MX: [0, foo1.example.com]
  foo1.example.com:
    - A: 1.1.1.1
    - A: 1.2.3.5
  e11.example.com:
    - SPF: v=spf1 mx:foo:bar/baz.example.com
  foo:bar/baz.example.com:
    - MX: [ 0, "foo:bar/baz.example.com"]
    - A: 1.2.3.4
  e12.example.com:
    - SPF: v=spf1 mx:example.-com
---
description: IP4 mechanism syntax
tests:
  cidr4-0:
    description: >-
      ip4-cidr-length = "/" 1*DIGIT
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: pass
  cidr4-32:
    description: >-
      ip4-cidr-length = "/" 1*DIGIT
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2.example.com
    result: pass
  cidr4-33:
    description: >-
      Invalid CIDR should get permerror.
    comment: >-
      The RFC is silent on ip4 CIDR > 32 or ip6 CIDR > 128.  However,
      since there is no reasonable interpretation (except a noop), we have
      read between the lines to see a prohibition on invalid CIDR.
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e3.example.com
    result: permerror
  cidr4-032:
    description: >-
      Invalid CIDR should get permerror.
    comment: >-
      Leading zeros are not explicitly prohibited by the RFC.  However,
      since the RFC explicitly prohibits leading zeros in ip4-network,
      our interpretation is that CIDR should be also.
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e4.example.com
    result: permerror
  bare-ip4:
    description: >-
      IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ]
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e5.example.com
    result: permerror
  bad-ip4-port:
    description: >-
      IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ]
    comment: >-
      This has actually been published in SPF records.
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e8.example.com
    result: permerror
  bad-ip4-short:
    description: >-
      It is not permitted to omit parts of the IP address instead of
      using CIDR notations.
    spec: 5.6/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e9.example.com
    result: permerror
  ip4-dual-cidr:
    description: >-
      dual-cidr-length not permitted on ip4
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e6.example.com
    result: permerror
  ip4-mapped-ip6:
    description: >-
      IP4 mapped IP6 connections MUST be treated as IP4
    spec: 5/9/2
    helo: mail.example.com
    host: ::FFFF:1.2.3.4
    mailfrom: foo@e7.example.com
    result: fail
zonedata:
  mail.example.com:
    - A: 1.2.3.4
  e1.example.com:
    - SPF: v=spf1 ip4:1.1.1.1/0 -all
  e2.example.com:
    - SPF: v=spf1 ip4:1.2.3.4/32 -all
  e3.example.com:
    - SPF: v=spf1 ip4:1.2.3.4/33 -all
  e4.example.com:
    - SPF: v=spf1 ip4:1.2.3.4/032 -all
  e5.example.com:
    - SPF: v=spf1 ip4
  e6.example.com:
    - SPF: v=spf1 ip4:1.2.3.4//32
  e7.example.com:
    - SPF: v=spf1 -ip4:1.2.3.4 ip6:::FFFF:1.2.3.4
  e8.example.com:
    - SPF: v=spf1 ip4:1.2.3.4:8080
  e9.example.com:
    - SPF: v=spf1 ip4:1.2.3
---
description: IP6 mechanism syntax
comment: >-
  IP4 only implementations may skip tests where host is not IP4
tests:
  bare-ip6:
    description: >-
      IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ]
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: permerror
  cidr6-0-ip4:
    description: >-
      IP4 connections do not match ip6.
    comment: >-
      There is controversy over ip4 mapped connections.  RFC4408 clearly
      requires such connections to be considered as ip4.  However,
      some interpret the RFC to mean that such connections should *also*
      match appropriate ip6 mechanisms (but not, inexplicably, A or MX
      mechanisms).  Until there is consensus, both
      results are acceptable.
    spec: 5/9/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2.example.com
    result: [neutral, pass]
  cidr6-ip4:
    description: >-
      Even if the SMTP connection is via IPv6, an IPv4-mapped IPv6 IP address
      (see RFC 3513, Section 2.5.5) MUST still be considered an IPv4 address.
    comment: >-
      There is controversy over ip4 mapped connections.  RFC4408 clearly
      requires such connections to be considered as ip4.  However,
      some interpret the RFC to mean that such connections should *also*
      match appropriate ip6 mechanisms (but not, inexplicably, A or MX
      mechanisms).  Until there is consensus, both
      results are acceptable.
    spec: 5/9/2
    helo: mail.example.com
    host: ::FFFF:1.2.3.4
    mailfrom: foo@e2.example.com
    result: [neutral, pass]
  cidr6-0:
    description: >-
      Match any IP6
    spec: 5/8
    helo: mail.example.com
    host: DEAF:BABE::CAB:FEE
    mailfrom: foo@e2.example.com
    result: pass
  cidr6-129:
    description: >-
      Invalid CIDR
    comment: >-
      IP4 only implementations MUST fully syntax check all mechanisms,
      even if they otherwise ignore them.
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e3.example.com
    result: permerror
  cidr6-bad:
    description: >-
      dual-cidr syntax not used for ip6
    comment: >-
      IP4 only implementations MUST fully syntax check all mechanisms,
      even if they otherwise ignore them.
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e4.example.com
    result: permerror
  cidr6-33:
    description: >-
      make sure ip4 cidr restrictions are not used for ip6
    spec: 5.6/2
    helo: mail.example.com
    host: "CAFE:BABE:8000::"
    mailfrom: foo@e5.example.com
    result: pass
  cidr6-33-ip4:
    description: >-
      make sure ip4 cidr restrictions are not used for ip6
    spec: 5.6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e5.example.com
    result: neutral
  ip6-bad1:
    description: >-
1221 mailfrom: foo@e5.example.com
1222 result: pass
1223 cidr6-33-ip4:
1224 description: >-
1225 make sure ip4 cidr restriction are not used for ip6
1226 spec: 5.6/2
1227 helo: mail.example.com
1228 host: 1.2.3.4
1229 mailfrom: foo@e5.example.com
1230 result: neutral
1231 ip6-bad1:
1232 description: >-
1233 spec: 5.6/2
1234 helo: mail.example.com
1235 host: 1.2.3.4
1236 mailfrom: foo@e6.example.com
1237 result: permerror
1238 zonedata:
1239 mail.example.com:
1240 - A: 1.2.3.4
1241 e1.example.com:
1242 - SPF: v=spf1 -all ip6
1243 e2.example.com:
1244 - SPF: v=spf1 ip6:::1.1.1.1/0
1245 e3.example.com:
1246 - SPF: v=spf1 ip6:::1.1.1.1/129
1247 e4.example.com:
1248 - SPF: v=spf1 ip6:::1.1.1.1//33
1249 e5.example.com:
1250 - SPF: v=spf1 ip6:CAFE:BABE:8000::/33
1251 e6.example.com:
1252 - SPF: v=spf1 ip6::CAFE::BABE
---
description: Semantics of exp and other modifiers
comment: >-
  Implementing exp= is optional.  If not implemented, the test driver should
  not check the explanation field.
tests:
  redirect-none:
    description: >-
      If no SPF record is found, or if the target-name is malformed, the result
      is a "PermError" rather than "None".
    spec: 6.1/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e10.example.com
    result: permerror
  redirect-cancels-exp:
    description: >-
      when executing "redirect", exp= from the original domain MUST NOT be used.
    spec: 6.2/13
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: fail
    explanation: DEFAULT
  include-ignores-exp:
    description: >-
      when executing "include", exp= from the target domain MUST NOT be used.
    spec: 6.2/13
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e7.example.com
    result: fail
    explanation: Correct!
  redirect-cancels-prior-exp:
    description: >-
      when executing "redirect", exp= from the original domain MUST NOT be used.
    spec: 6.2/13
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e3.example.com
    result: fail
    explanation: See me.
  invalid-modifier:
    description: |
      unknown-modifier = name "=" macro-string
      name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
    comment: >-
      Unknown modifier name must begin with alpha.
    spec: A/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e5.example.com
    result: permerror
  empty-modifier-name:
    description: |
      name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
    comment: >-
      Unknown modifier name must not be empty.
    spec: A/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e6.example.com
    result: permerror
  dorky-sentinel:
    description: >-
      An implementation that uses a legal expansion as a sentinel.  We
      cannot check them all, but we can check this one.
    comment: >-
      Spaces are allowed in local-part.
    spec: 8.1/6
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: "Macro Error@e8.example.com"
    result: fail
    explanation: Macro Error in implementation
  exp-multiple-txt:
    description: |
      Ignore exp if multiple TXT records.
    comment: >-
      If domain-spec is empty, or there are any DNS processing errors (any
      RCODE other than 0), or if no records are returned, or if more than one
      record is returned, or if there are syntax errors in the explanation
      string, then proceed as if no exp modifier was given.
    spec: 6.2/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e11.example.com
    result: fail
    explanation: DEFAULT
  exp-empty-domain:
    description: |
      Ignore exp if empty domain-spec.
    comment: >-
      If domain-spec is empty, or there are any DNS processing errors (any
      RCODE other than 0), or if no records are returned, or if more than one
      record is returned, or if there are syntax errors in the explanation
      string, then proceed as if no exp modifier was given.
    spec: 6.2/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e12.example.com
    result: fail
    explanation: DEFAULT
  exp-syntax-error:
    description: |
      Ignore exp if syntax error.
    comment: >-
      If domain-spec is empty, or there are any DNS processing errors (any
      RCODE other than 0), or if no records are returned, or if more than one
      record is returned, or if there are syntax errors in the explanation
      string, then proceed as if no exp modifier was given.
    spec: 6.2/4
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e13.example.com
    result: fail
    explanation: DEFAULT
  exp-twice:
    description: |
      exp= appears twice.
    comment: >-
      These two modifiers (exp,redirect) MUST NOT appear in a record more than
      once each. If they do, then check_host() exits with a result of
      "PermError".
    spec: 6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e14.example.com
    result: permerror
  redirect-twice:
    description: |
      redirect= appears twice.
    comment: >-
      These two modifiers (exp,redirect) MUST NOT appear in a record more than
      once each. If they do, then check_host() exits with a result of
      "PermError".
    spec: 6/2
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e15.example.com
    result: permerror
  unknown-modifier-syntax:
    description: |
      unknown-modifier = name "=" macro-string
    comment: >-
      Unknown modifiers must have valid macro syntax.
    spec: A/3
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e9.example.com
    result: permerror
zonedata:
  mail.example.com:
    - A: 1.2.3.4
  e1.example.com:
    - SPF: v=spf1 exp=exp1.example.com redirect=e2.example.com
  e2.example.com:
    - SPF: v=spf1 -all
  e3.example.com:
    - SPF: v=spf1 exp=exp1.example.com redirect=e4.example.com
  e4.example.com:
    - SPF: v=spf1 -all exp=exp2.example.com
  exp1.example.com:
    - TXT: No-see-um
  exp2.example.com:
    - TXT: See me.
  exp3.example.com:
    - TXT: Correct!
  exp4.example.com:
    - TXT: "%{l} in implementation"
  e5.example.com:
    - SPF: v=spf1 1up=foo
  e6.example.com:
    - SPF: v=spf1 =all
  e7.example.com:
    - SPF: v=spf1 include:e3.example.com -all exp=exp3.example.com
  e8.example.com:
    - SPF: v=spf1 -all exp=exp4.example.com
  e9.example.com:
    - SPF: v=spf1 -all foo=%abc
  e10.example.com:
    - SPF: v=spf1 redirect=erehwon.example.com
  e11.example.com:
    - SPF: v=spf1 -all exp=e11msg.example.com
  e11msg.example.com:
    - TXT: Answer a fool according to his folly.
    - TXT: Do not answer a fool according to his folly.
  e12.example.com:
    - SPF: v=spf1 exp= -all
  e13.example.com:
    - SPF: v=spf1 exp=e13msg.example.com -all
  e13msg.example.com:
    - TXT: The %{x}-files.
  e14.example.com:
    - SPF: v=spf1 exp=e13msg.example.com -all exp=e11msg.example.com
  e15.example.com:
    - SPF: v=spf1 redirect=e12.example.com -all redirect=e12.example.com
---
description: Macro expansion rules
tests:
  trailing-dot-domain:
    spec: 8.1/16
    description: >-
      trailing dot is ignored for domains
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@example.com
    result: pass
  trailing-dot-exp:
    spec: 8.1
    description: >-
      trailing dot is not removed from explanation
    comment: >-
      A simple way for an implementation to ignore trailing dots on
      domains is to remove it when present.  But be careful not to
      remove it for explanation text.
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@exp.example.com
    result: fail
    explanation: This is a test.
  exp-only-macro-char:
    spec: 8.1/8
    description: >-
      The following macro letters are allowed only in "exp" text: c, r, t
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@e2.example.com
    result: permerror
  invalid-macro-char:
    spec: 8.1/9
    description: >-
      A '%' character not followed by a '{', '%', '-', or '_' character
      is a syntax error.
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@e1.example.com
    result: permerror
  exp-txt-macro-char:
    spec: 8.1/20
    description: >-
      For IPv4 addresses, both the "i" and "c" macros expand
      to the standard dotted-quad format.
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@e3.example.com
    result: fail
    explanation: Connections from 192.168.218.40 not authorized.
  domain-name-truncation:
    spec: 8.1/25
    description: >-
      When the result of macro expansion is used in a domain name query, if the
      expanded domain name exceeds 253 characters, the left side is truncated
      to fit, by removing successive domain labels until the total length does
      not exceed 253 characters.
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@somewhat.long.exp.example.com
    result: fail
    explanation: Congratulations!  That was tricky.
  v-macro-ip4:
    spec: 8.1/6
    description: |-
      v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@e4.example.com
    result: fail
    explanation: 192.168.218.40 is queried as 40.218.168.192.in-addr.arpa
  v-macro-ip6:
    spec: 8.1/6
    description: |-
      v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
    helo: msgbas2x.cos.example.com
    host: CAFE:BABE::1
    mailfrom: test@e4.example.com
    result: fail
    explanation: cafe:babe::1 is queried as 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa
  undef-macro:
    spec: 8.1/6
    description: >-
      Allowed macros chars are 'slodipvh' plus 'crt' in explanation.
    helo: msgbas2x.cos.example.com
    host: CAFE:BABE::192.168.218.40
    mailfrom: test@e5.example.com
    result: permerror
  p-macro-ip4-novalid:
    spec: 8.1/22
    description: |-
      p = the validated domain name of <ip>
    comment: >-
      The PTR in this example does not validate.
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@e6.example.com
    result: fail
    explanation: connect from unknown
  p-macro-ip4-valid:
    spec: 8.1/22
    description: |-
      p = the validated domain name of <ip>
    comment: >-
      If a subdomain of the <domain> is present, it SHOULD be used.
    helo: msgbas2x.cos.example.com
    host: 192.168.218.41
    mailfrom: test@e6.example.com
    result: fail
    explanation: connect from mx.example.com
  p-macro-ip6-novalid:
    spec: 8.1/22
    description: |-
      p = the validated domain name of <ip>
    comment: >-
      The PTR in this example does not validate.
    helo: msgbas2x.cos.example.com
    host: CAFE:BABE::1
    mailfrom: test@e6.example.com
    result: fail
    explanation: connect from unknown
  p-macro-ip6-valid:
    spec: 8.1/22
    description: |-
      p = the validated domain name of <ip>
    comment: >-
      If a subdomain of the <domain> is present, it SHOULD be used.
    helo: msgbas2x.cos.example.com
    host: CAFE:BABE::3
    mailfrom: test@e6.example.com
    result: fail
    explanation: connect from mx.example.com
  p-macro-multiple:
    spec: 8.1/22
    description: |-
      p = the validated domain name of <ip>
    comment: >-
      If a subdomain of the <domain> is present, it SHOULD be used.
    helo: msgbas2x.cos.example.com
    host: 192.168.218.42
    mailfrom: test@e7.example.com
    result: [ pass, softfail ]
  upper-macro:
    spec: 8.1/26
    description: >-
      Uppercased macros expand exactly as their lowercased equivalents,
      and are then URL escaped.
    helo: msgbas2x.cos.example.com
    host: 192.168.218.42
    mailfrom: jack&jill=up@e8.example.com
    result: fail
    explanation: http://example.com/why.html?l=jack%26jill%3Dup
  hello-macro:
    spec: 8.1/6
    description: |-
      h = HELO/EHLO domain
    helo: msgbas2x.cos.example.com
    host: 192.168.218.40
    mailfrom: test@e9.example.com
    result: pass
  invalid-hello-macro:
    spec: 8.1/2
    description: |-
      h = HELO/EHLO domain, but HELO is invalid
    comment: >-
      Domain-spec must end in either a macro, or a valid toplabel.
      It is not correct to check syntax after macro expansion.
    helo: "JUMPIN' JUPITER"
    host: 192.168.218.40
    mailfrom: test@e9.example.com
    result: fail
  require-valid-helo:
    spec: 8.1/6
    description: >-
      Example of requiring valid helo in sender policy.
    helo: OEMCOMPUTER
    host: 1.2.3.4
    mailfrom: test@e10.example.com
    result: fail
zonedata:
  example.com.d.spf.example.com:
    - SPF: v=spf1 redirect=a.spf.example.com
  a.spf.example.com:
    - SPF: v=spf1 include:o.spf.example.com. ~all
  o.spf.example.com:
    - SPF: v=spf1 ip4:192.168.218.40
  msgbas2x.cos.example.com:
    - A: 192.168.218.40
  example.com:
    - A: 192.168.90.76
    - SPF: v=spf1 redirect=%{d}.d.spf.example.com.
  exp.example.com:
    - SPF: v=spf1 exp=msg.example.com. -all
  msg.example.com:
    - TXT: This is a test.
  e1.example.com:
    - SPF: v=spf1 -exists:%(ir).sbl.example.com ?all
  e2.example.com:
    - SPF: v=spf1 -all exp=%{r}.example.com
  e3.example.com:
    - SPF: v=spf1 -all exp=%{ir}.example.com
  40.218.168.192.example.com:
    - TXT: Connections from %{c} not authorized.
  somewhat.long.exp.example.com:
    - SPF: v=spf1 -all exp=foobar.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.example.com
  somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.example.com:
    - TXT: Congratulations!  That was tricky.
  e4.example.com:
    - SPF: v=spf1 -all exp=e4msg.example.com
  e4msg.example.com:
    - TXT: "%{c} is queried as %{ir}.%{v}.arpa"
  e5.example.com:
    - SPF: v=spf1 a:%{a}.example.com -all
  e6.example.com:
    - SPF: v=spf1 -all exp=e6msg.example.com
  e6msg.example.com:
    - TXT: "connect from %{p}"
  mx.example.com:
    - A: 192.168.218.41
    - A: 192.168.218.42
    - AAAA: CAFE:BABE::2
    - AAAA: CAFE:BABE::3
  40.218.168.192.in-addr.arpa:
    - PTR: mx.example.com
  41.218.168.192.in-addr.arpa:
    - PTR: mx.example.com
  42.218.168.192.in-addr.arpa:
    - PTR: mx.example.com
    - PTR: mx.e7.example.com
  1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa:
    - PTR: mx.example.com
  3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa:
    - PTR: mx.example.com
  mx.e7.example.com:
    - A: 192.168.218.42
  mx.e7.example.com.should.example.com:
    - A: 127.0.0.2
  mx.example.com.ok.example.com:
    - A: 127.0.0.2
  e7.example.com:
    - SPF: v=spf1 exists:%{p}.should.example.com ~exists:%{p}.ok.example.com
  e8.example.com:
    - SPF: v=spf1 -all exp=msg8.%{D2}
  msg8.example.com:
    - TXT: "http://example.com/why.html?l=%{L}"
  e9.example.com:
    - SPF: v=spf1 a:%{H} -all
  e10.example.com:
    - SPF: v=spf1 -include:_spfh.%{d2} ip4:1.2.3.0/24 -all
  _spfh.example.com:
    - SPF: v=spf1 -a:%{h} +all
---
description: Processing limits
tests:
  redirect-loop:
    description: >-
      SPF implementations MUST limit the number of mechanisms and modifiers
      that do DNS lookups to at most 10 per SPF check.
    spec: 10.1/6
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e1.example.com
    result: permerror
  include-loop:
    description: >-
      SPF implementations MUST limit the number of mechanisms and modifiers
      that do DNS lookups to at most 10 per SPF check.
    spec: 10.1/6
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e2.example.com
    result: permerror
  mx-limit:
    description: >-
      there MUST be a limit of no more than 10 MX looked up and checked.
    comment: >-
      The required result for this test was the subject of much
      controversy.  Many felt that the RFC *should* have specified
      permerror, but the consensus was that it failed to actually do so.
      The preferred result reflects evaluating the 10 allowed MX records in the
      order returned by the test data - or sorted via priority.
      If testing with live DNS, the MX order may be random, and a pass
      result would still be compliant.  The SPF result is effectively
      random.
    spec: 10.1/7
    helo: mail.example.com
    host: 1.2.3.5
    mailfrom: foo@e4.example.com
    result: [neutral, pass]
  ptr-limit:
    description: >-
      there MUST be a limit of no more than 10 PTR looked up and checked.
    comment: >-
      The result of this test cannot be permerror not only because the
      RFC does not specify it, but because the sender has no control over
      the PTR records of spammers.
      The preferred result reflects evaluating the 10 allowed PTR records in
      the order returned by the test data.
      If testing with live DNS, the PTR order may be random, and a pass
      result would still be compliant.  The SPF result is effectively
      randomized.
    spec: 10.1/7
    helo: mail.example.com
    host: 1.2.3.5
    mailfrom: foo@e5.example.com
    result: [neutral, pass]
  mech-at-limit:
    description: >-
      SPF implementations MUST limit the number of mechanisms and modifiers
      that do DNS lookups to at most 10 per SPF check.
    spec: 10.1/6
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e6.example.com
    result: pass
  mech-over-limit:
    description: >-
      SPF implementations MUST limit the number of mechanisms and modifiers
      that do DNS lookups to at most 10 per SPF check.
    comment: >-
      We do not check whether an implementation counts mechanisms before
      or after evaluation.  The RFC is not clear on this.
    spec: 10.1/6
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e7.example.com
    result: permerror
  include-at-limit:
    description: >-
      SPF implementations MUST limit the number of mechanisms and modifiers
      that do DNS lookups to at most 10 per SPF check.
    comment: >-
      The part of the RFC that talks about MAY parse the entire record first
      (4.6) is specific to syntax errors.  Processing limits is a different,
      non-syntax issue.  Processing limits (10.1) specifically talks about
      limits during a check.
    spec: 10.1/6
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e8.example.com
    result: pass
  include-over-limit:
    description: >-
      SPF implementations MUST limit the number of mechanisms and modifiers
      that do DNS lookups to at most 10 per SPF check.
    spec: 10.1/6
    helo: mail.example.com
    host: 1.2.3.4
    mailfrom: foo@e9.example.com
    result: permerror
zonedata:
  mail.example.com:
    - A: 1.2.3.4
  e1.example.com:
    - SPF: v=spf1 ip4:1.1.1.1 redirect=e1.example.com
  e2.example.com:
    - SPF: v=spf1 include:e3.example.com
  e3.example.com:
    - SPF: v=spf1 include:e2.example.com
  e4.example.com:
    - SPF: v=spf1 mx
    - MX: [0, mail.example.com]
    - MX: [1, mail.example.com]
    - MX: [2, mail.example.com]
    - MX: [3, mail.example.com]
    - MX: [4, mail.example.com]
    - MX: [5, mail.example.com]
    - MX: [6, mail.example.com]
    - MX: [7, mail.example.com]
    - MX: [8, mail.example.com]
    - MX: [9, mail.example.com]
    - MX: [10, e4.example.com]
    - A: 1.2.3.5
  e5.example.com:
    - SPF: v=spf1 ptr
    - A: 1.2.3.5
  5.3.2.1.in-addr.arpa:
    - PTR: e1.example.com.
    - PTR: e2.example.com.
    - PTR: e3.example.com.
    - PTR: e4.example.com.
    - PTR: example.com.
    - PTR: e6.example.com.
    - PTR: e7.example.com.
    - PTR: e8.example.com.
    - PTR: e9.example.com.
    - PTR: e10.example.com.
    - PTR: e5.example.com.
  e6.example.com:
    - SPF: v=spf1 a mx a mx a mx a mx a ptr ip4:1.2.3.4 -all
  e7.example.com:
    - SPF: v=spf1 a mx a mx a mx a mx a ptr a ip4:1.2.3.4 -all
  e8.example.com:
    - SPF: v=spf1 a include:inc.example.com ip4:1.2.3.4 mx -all
  inc.example.com:
    - SPF: v=spf1 a a a a a a a a
  e9.example.com:
    - SPF: v=spf1 a include:inc.example.com a ip4:1.2.3.4 -all

Properties

Name Value
svn:eol-style native
svn:keywords Author Date Id Rev URL
svn:mime-type text/yaml
