libspf2
libspf2 copied to clipboard
shevek
Fails to locate the SPF record if there are too many TXT records (non-spf related)?
Libspf2 version 1.2.10 (on Debian 12). Exim, which uses SPF checks in my setup, gave me a failed SPF check on an email. I looked into the issue and it seems to me that it should actually pass.
The sender domain is wolterskluwer.com, that has 59 TXT records in its DNS. The SPF record is quite convoluted, and I was expecting some sort of failure in recursively handling the included records, since the IP that failed was one of salesforce that is the last inclusion and also uses a complex construct.
But it seems it's something far more easy, since the command
spfquery -debug=3 -ip=13.48.121.234 -sender=wolterskluwer.com
that is the "manual" query for the email that failed SPF test, gives an output that states:
Response result: none
Response reason: (invalid reason)
Response err: Could not find a valid SPF record
While in the (long) series of TXT records that are resolved, there is one SPF record that seems valid to me.
v=spf1 include:spf.wolterskluwer.com include:spf2.wolterskluwer.com ~all
So why does it not find the SPF record, if there is one?
This is the complete output of the command:
root@mail:~# spfquery -debug=3 -ip=13.48.121.234 -sender=wolterskluwer.com
spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
spf_compile.c:1210 Debug: Compiling record v=spf1
spf_dns.c:52 Debug: DNS[cache] lookup: wolterskluwer.com TXT (16)
spf_dns.c:52 Debug: DNS[resolv] lookup: wolterskluwer.com TXT (16)
spf_dns_resolv.c:373 Debug: msg id: 14931
spf_dns_resolv.c:374 Debug: ns_f_qr quest/resp: 1
spf_dns_resolv.c:375 Debug: ns_f_opcode: 0
spf_dns_resolv.c:376 Debug: ns_f_aa auth ans: 0
spf_dns_resolv.c:377 Debug: ns_f_tc truncated: 0
spf_dns_resolv.c:378 Debug: ns_f_rd rec desire: 1
spf_dns_resolv.c:379 Debug: ns_f_ra rec avail: 1
spf_dns_resolv.c:380 Debug: ns_f_rcode: 0
spf_dns_resolv.c:397 Debug: QUESTION: 1
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 0 rdlen: 0
spf_dns_resolv.c:397 Debug: ANSWER: 59
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 69
spf_dns_resolv.c:189 Debug: TXT: (69) "google-site-verification=ywVSRjOexLUXVkkpNhqZfwFS2l-6R2crzhd2lFxUFgw"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 27
spf_dns_resolv.c:189 Debug: TXT: (27) "guq8n01it8rupor8ia83stm3bh"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 39
spf_dns_resolv.c:189 Debug: TXT: (39) "include:2514384.spf01.hubspotemail.net"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 91
spf_dns_resolv.c:189 Debug: TXT: (91) "infoblox-domain-mastery=adb31d2b1afac0084e4e8f613b765db3c2cc1d98b82be38edc2ea8592aff361d6f"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 27
spf_dns_resolv.c:189 Debug: TXT: (27) "jr9rbnjgqdmfipgi937jicmaaf"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 59
spf_dns_resolv.c:189 Debug: TXT: (59) "miro-verification=b340eda66068713da1270f9a088b3a6321437550"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 59
spf_dns_resolv.c:189 Debug: TXT: (59) "mongodb-site-verification=dFf26Ndsw41azW7RYmjERbxwobKdnwEZ"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 59
spf_dns_resolv.c:189 Debug: TXT: (59) "mongodb-site-verification=wF12L3hiqjWgEKZzDWIvMVd1TAdxpH4v"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 60
spf_dns_resolv.c:189 Debug: TXT: (60) "ms-domain-verification=af2670bc-a493-492d-83e7-bdb3fa614f77"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 62
spf_dns_resolv.c:189 Debug: TXT: (62) "onetrust-domain-verification=23ce9e8b7cff4eda8af0baed1cdb15a3"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 62
spf_dns_resolv.c:189 Debug: TXT: (62) "onetrust-domain-verification=bd102e022878455981dad00ca02fdd4b"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 219
spf_dns_resolv.c:189 Debug: TXT: (219) "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrJEIraG8h46y8Dxz2q4RWZScghFJDQQ8dnRQQ03C29Mg1zNCl36VbbI2vlFHqNHJRjTKju0TpB+FWtl1oOoC0QtyXz1IF2iRBmhuAPv+bl++Lxd8SjJobxmH3m1QVR/fIgjl0VAwRx+8LyIuoGnV2aURmX51GxYbqN8QiOBGfJQIDAQAB"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 78
spf_dns_resolv.c:189 Debug: TXT: (78) "pardot399122=16f9e555fa72bf66fb94d456e33b8f296c38f8d90a9ae3ce008a438f62f59998"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 78
spf_dns_resolv.c:189 Debug: TXT: (78) "pardot399122=2538123cd4b3e7521a32c996a29167b6f9343f080bb2839c8357c4cf88296d93"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 78
spf_dns_resolv.c:189 Debug: TXT: (78) "pardot731913=9863868c6fcf0df7517a117554e0f28404239711905d61285dadf06ea7f9f073"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 78
spf_dns_resolv.c:189 Debug: TXT: (78) "pardot920163=b7c01dbcb02bca1a32f37d979278841760a29019cf037e9c32a65bef6c7f4d2b"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 78
spf_dns_resolv.c:189 Debug: TXT: (78) "pardot940253=01ee10a5a7f38916487035c9ae27a61e0eed5bbf437d4abe5713b3d85703445c"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 78
spf_dns_resolv.c:189 Debug: TXT: (78) "pardot956672=3977093e47e13a1f6616e6e3ff3ba60cc59250c46a3278a0c717d1d28f0e60cf"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 81
spf_dns_resolv.c:189 Debug: TXT: (81) "pardot_339101_*=19a3ad356911ad658191ee53fe77578a09a0449f276fc05b71c5e70abe3c689b"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 63
spf_dns_resolv.c:189 Debug: TXT: (63) "pendo-domain-verification=7428f1bd-3f32-494d-b531-36ec10e48998"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 33
spf_dns_resolv.c:189 Debug: TXT: (33) "qrlhm62nb70w4x0vhkfc4jpcz1vtrbvk"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 60
spf_dns_resolv.c:189 Debug: TXT: (60) "smartsheet-site-validation=-xI1dNinRpBX0uPxZ7RGnUXTpqJRBhC7"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 60
spf_dns_resolv.c:189 Debug: TXT: (60) "smartsheet-site-validation=RGh7XSGBZQctusgOoyeSS02qGZXvbehG"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 44
spf_dns_resolv.c:189 Debug: TXT: (44) "tbNcJoU9-Tht3-06lrylve8xidLi1xL_MZ-rfktjF2U"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 61
spf_dns_resolv.c:189 Debug: TXT: (61) "teamviewer-sso-verification=6f4ec27c1c0f4a4587a2d755655a17e8"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 27
spf_dns_resolv.c:189 Debug: TXT: (27) "ttddhaurm178j8868jk9uq9c87"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 73
spf_dns_resolv.c:189 Debug: TXT: (73) "v=spf1 include:spf.wolterskluwer.com include:spf2.wolterskluwer.com ~all"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 27
spf_dns_resolv.c:189 Debug: TXT: (27) "vmdcokv0qbp29furn8t0c4f3fh"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 74
spf_dns_resolv.c:189 Debug: TXT: (74) "zapier-domain-verification-challenge=4b511ccb-3a51-476b-9167-779d3ba43f82"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 14
spf_dns_resolv.c:189 Debug: TXT: (14) "212.211.139.9"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 28
spf_dns_resolv.c:189 Debug: TXT: (28) "297ofielbvsohkd0it4691h809."
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 27
spf_dns_resolv.c:189 Debug: TXT: (27) "4801eq6erlnsoctq8hofhjv0hj"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 81
spf_dns_resolv.c:189 Debug: TXT: (81) "486uvl44q2o3emo6ivaeqbsth5�6osfhgr2vbr412cvqa884q9kis�qqc6bto6asi0qib84gk5rq3gsp"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 116
spf_dns_resolv.c:189 Debug: TXT: (116) "5npvvhrq1pmra39utam58hj7ooXf5CGo5aJX1Qm2yHEkFF5EgLc4o7K3H4T3ENWtD+jVcQ3nqJ0KyjmmBaygbFGSKg9tVNSSkNHqOhZtF6UikHl5A=="
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 45
spf_dns_resolv.c:189 Debug: TXT: (45) "AK9oV9D8nCBDAO7zwsYIYP4TjmzUHkmYR4j+r9+0Lb4="
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 14
spf_dns_resolv.c:189 Debug: TXT: (14) "MS=ms42247502"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 14
spf_dns_resolv.c:189 Debug: TXT: (14) "MS=ms55391449"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 14
spf_dns_resolv.c:189 Debug: TXT: (14) "MS=ms87676732"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 67
spf_dns_resolv.c:189 Debug: TXT: (67) "UK-federation-domain-verification=bdb129f6c29f5ec35ac5ea89256845aa"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 75
spf_dns_resolv.c:189 Debug: TXT: (75) "_globalsign-domain-verification=yUo6O2RtxlXLZv4CbvSUDEZkUjIpzvwA9Sn6TY60cZ"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 93
spf_dns_resolv.c:189 Debug: TXT: (93) "adobe-idp-site-verification=71d8f4410b4807380d4bb9fecb30c08510e3607259a347930011d501c121b533"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 55
spf_dns_resolv.c:189 Debug: TXT: (55) "adobe-sign-verification=9827dfe51d191327d94c28cc5a7408"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 55
spf_dns_resolv.c:189 Debug: TXT: (55) "amazonses:++7bjPYzAVzIb7vRY7gcpuR2ZBj8gM/8+Fq92swBQ1k="
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 55
spf_dns_resolv.c:189 Debug: TXT: (55) "amazonses:QHC7y2VAe0O8nNHT3JDkUXUa59aTw1ofNa6G4duBq8k="
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 55
spf_dns_resolv.c:189 Debug: TXT: (55) "amazonses:UKsa+MYyxR+QvMAGbK8OHKLJEkftgzHXCngwMUcuFk0="
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 55
spf_dns_resolv.c:189 Debug: TXT: (55) "amazonses:XhNn1iKEO3jQlI+mHoGb/8L2Zzp7LZ4uchN8scgCtPk="
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 55
spf_dns_resolv.c:189 Debug: TXT: (55) "amazonses:fvjlL07yFXQv7HPmcglJoFTV4HlZnobrF23+Zd0U02U="
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 43
spf_dns_resolv.c:189 Debug: TXT: (43) "apple-domain-verification=OXig4YYzfeVgSKCv"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 95
spf_dns_resolv.c:189 Debug: TXT: (95) "atlassian-domain-verification=S0EsB3OGmz8aVfKkL4fAicw+tRifQYq6RaTof4x+lQSUzqe8Fa5Wh/RpPWnXDVfb"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 95
spf_dns_resolv.c:189 Debug: TXT: (95) "atlassian-domain-verification=ieukIwCs8lAYgj2Gr8GVbwL8TNrXQaDX4iTn3F5LvYTAouhJRocDSb6wTMgmSpmo"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 75
spf_dns_resolv.c:189 Debug: TXT: (75) "atlassian-sending-domain-verification=9def40a0-d875-410d-849b-a9c133df525d"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 92
spf_dns_resolv.c:189 Debug: TXT: (92) "ciscocidomainverification=5b4d39d56d9dc011a1130866c495cdb637ae94362c5aefd486d37220441d212a "
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 57
spf_dns_resolv.c:189 Debug: TXT: (57) "docker-verification=d54a73e0-7977-442e-91ec-04a44f6a8d6e"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 44
spf_dns_resolv.c:189 Debug: TXT: (44) "ew5wnbqfQB8q_0J3-pn0HmZkeeG_8feTOMSu_RIOHd4"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 27
spf_dns_resolv.c:189 Debug: TXT: (27) "fvfr100et2b0id92dmd44h3op1"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 69
spf_dns_resolv.c:189 Debug: TXT: (69) "google-site-verification=-B1drrdX9tP6UkHwxLgXKADRY4WDv90zb7tyAbEBW7M"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 69
spf_dns_resolv.c:189 Debug: TXT: (69) "google-site-verification=Eczb5xbhxT7APoPD8fKoJL5Tqd94rVHQqUphzbsDw6A"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 69
spf_dns_resolv.c:189 Debug: TXT: (69) "google-site-verification=LojBcpjTQSq3XZTO7yjIwCz4OrYVoUvYsval6lTjVJ4"
spf_dns_resolv.c:416 Debug: name: wolterskluwer.com type: 16 class: 1 ttl: 10 rdlen: 69
spf_dns_resolv.c:189 Debug: TXT: (69) "google-site-verification=yA0NUcrAvyJogh_v1xPgc_UgXT_eQ9ohwOAStrYAU-w"
spf_dns_resolv.c:397 Debug: AUTHORITY: 0
spf_dns_resolv.c:397 Debug: ADDITIONAL: 0
spf_dns.c:66 Debug: DNS[resolv] found record
spf_dns.c:67 Debug: DOMAIN: wolterskluwer.com TYPE: TXT (16)
spf_dns.c:70 Debug: TTL: 0 RR found: 0 herrno: 4 source: resolv
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:67 Debug: DOMAIN: wolterskluwer.com TYPE: TXT (16)
spf_dns.c:70 Debug: TTL: 0 RR found: 0 herrno: 4 source: resolv
spf_server.c:371 Debug: get_record(wolterskluwer.com): NO_DATA
--vv--
Context: Main query
Response result: none
Response reason: (invalid reason)
Response err: Could not find a valid SPF record
StartError
ErrorCode: (2) Could not find a valid SPF record
Error: No DNS data for 'wolterskluwer.com'.
EndError
--^^--
StartError
Context: Failed to query MAIL-FROM
ErrorCode: (2) Could not find a valid SPF record
Error: No DNS data for 'wolterskluwer.com'.
EndError
none
spfquery: domain of wolterskluwer.com does not provide an SPF record
Received-SPF: none (spfquery: domain of wolterskluwer.com does not provide an SPF record) client-ip=13.48.121.234; [email protected];
Edit to add: I checked the SPF query with this tool: https://www.kitterman.com/spf/validate.html and it passes, as I expected.
