1. SPF/RFC
1.1. 7208
RFC 7208 Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1
https://datatracker.ietf.org/doc/html/rfc7208
Abstract
Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the "MAIL FROM" of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization. This document obsoletes RFC 4408.
1.2. "MAIL FROM" HELO/EHLO identity
2.1. Publishing Authorization
- An SPF-compliant domain publishes valid SPF records as described in Section 3. These records authorize the use of the relevant domain names in the "HELO" and "MAIL FROM" identities by the MTAs specified therein.
4. The check_host() Function
4.4. Record Lookup
- In accordance with how the records are published (see Section 3 above), a DNS query needs to be made for the <domain> name, querying for type TXT only. If the DNS lookup returns a server failure (RCODE 2) or some other error (RCODE other than 0 or 3), or if the lookup times out, then check_host() terminates immediately with the result "temperror". Note that a name error (RCODE 3, NXDOMAIN) is deliberately excluded: it is an empty answer, not an error, and with no "v=spf1" record found the result is "none" (Section 4.5), not "temperror".
- 4.6.2. Mechanisms: When a mechanism matches and the qualifier is "-", then a "fail" result is returned and the explanation string is computed as described in Section 6.2.
1.3. 5.2. "include"
- The "include" mechanism triggers a recursive evaluation of check_host() on the referenced domain. If it returns not-match or an error, the parent check_host() resumes processing as per the table below, with the previous value of <domain> restored.
- Table (RFC 7208, Section 5.2), recursive check_host() result -> effect on the "include" mechanism: pass -> match; fail, softfail, neutral -> not match; temperror -> return temperror; permerror -> return permerror; none -> return permerror.
- In hindsight, the name "include" was poorly chosen. Only the evaluated result of the referenced SPF record is used, rather than literally including the mechanisms of the referenced record in the first. For example, evaluating a "-all" directive in the referenced record does not terminate the overall processing and does not necessarily result in an overall "fail". (Better names for this mechanism would have been "if-match", "on-match", etc.)
- Practical consequence: an "include:" of a domain that publishes no SPF record turns the whole check into "permerror", while a "-all" inside an included record only makes that include not match; the parent record's own terminal mechanism (its "-all", "~all" or "+all") decides the final result.
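The following is an added worked example, not code from RFC 7208 or from any SPF library: a toy check_host() that implements the Section 4.4 lookup rules (TXT only, "temperror" on a DNS error, "none" when no "v=spf1" record exists) and the Section 5.2 include table, so the "-all inside an include does not mean overall fail" point can be observed. It assumes a constructed in-memory DNS table with hypothetical names from the reserved example.com / .example / example.net namespace, and it models only the ip4, ip6, include and all mechanisms; a, mx, ptr, exists and modifiers are rejected as permerror for brevity.

```python
import ipaddress

# Constructed in-memory stand-in for DNS TXT lookups (hypothetical names from
# the reserved example namespace). A list is the TXT RRset; an int simulates
# a lookup that fails with that DNS RCODE (2 = SERVFAIL).
DNS_TXT = {
    "example.com":           ["v=spf1 include:_spf.example.net -all"],
    "_spf.example.net":      ["v=spf1 ip4:192.0.2.0/24 -all"],
    "loose.example":         ["v=spf1 include:_spf.example.net +all"],
    "norecord.example":      ["unrelated txt record"],
    "includes-none.example": ["v=spf1 include:norecord.example -all"],
    "broken.example":        2,
}


class DnsError(Exception):
    """Lookup returned an RCODE other than 0 (NOERROR) or 3 (NXDOMAIN)."""


def lookup_txt(domain):
    entry = DNS_TXT.get(domain)
    if entry is None:
        return []                      # NXDOMAIN: an empty RRset, not an error
    if isinstance(entry, int):
        raise DnsError(entry)
    return entry


def fetch_spf_record(domain):
    """Sections 4.4/4.5: TXT-only query; temperror on DNS error, none when no
    record starts with 'v=spf1', permerror when more than one does."""
    try:
        txts = lookup_txt(domain)
    except DnsError:
        return "temperror", None
    spf = [t for t in txts if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not spf:
        return "none", None
    if len(spf) > 1:
        return "permerror", None
    return None, spf[0]


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Section 5.2 table: the recursive check_host() result decides only whether
# the include mechanism matches; the included record's qualifiers are not used.
INCLUDE_TABLE = {
    "pass": "match",
    "fail": "not-match", "softfail": "not-match", "neutral": "not-match",
    "temperror": "temperror", "permerror": "permerror", "none": "permerror",
}


def check_host(ip, domain, depth=0):
    """Toy check_host(<ip>, <domain>): supports ip4, ip6, include and all."""
    if depth > 10:                     # loose stand-in for the 4.6.4 lookup limit
        return "permerror"
    error, record = fetch_spf_record(domain)
    if error:
        return error
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:    # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            outcome = INCLUDE_TABLE[check_host(ip, arg, depth + 1)]
            if outcome in ("temperror", "permerror"):
                return outcome
            matched = outcome == "match"   # parent continues with its own <domain>
        else:
            return "permerror"         # a, mx, ptr, exists, modifiers: not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # Section 4.7: no mechanism matched


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("198.51.100.1", "example.com"),
                    ("198.51.100.1", "loose.example"), ("198.51.100.1", "broken.example"),
                    ("198.51.100.1", "includes-none.example")]:
        print(f"{ip:14} {dom:24} -> {check_host(ip, dom)}")
```

Evaluating 198.51.100.1 against example.com and loose.example uses the same included record with its "-all", yet one check ends in "fail" and the other in "pass": the include only contributes "not-match", and the parent's terminal mechanism decides. The includes-none.example entry shows the other trap the table encodes, an include of a domain without an SPF record turning the entire evaluation into "permerror".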
1.4. history
RFC 4408 (the previous SPF specification, obsoleted by RFC 7208): https://datatracker.ietf.org/doc/html/rfc4408