mlocati / spf-lib

PHP library to parse, build and validate SPF (Sender Policy Framework) DNS records

Validating SPF records (e.g. too many dns lookups)

greggles opened this issue · comments

Hello,

I'd like to use this library to create a command for some nightly automation that would validate DNS records for people. One of the problems I want to try to avoid is that a vendor who is added via an include adjusts their record to add another DNS lookup and then it breaks the validity of my record.

As a basic proof of concept, I composer require mlocati/spf-lib and then run this with php -f main.php:

<?php

require 'vendor/autoload.php';

use SPFLib\Checker;
use SPFLib\Check\Environment;

$checker = new Checker();

// First check: sender IP 69.174.82.0 claiming to send for maf.link
$checkResult = $checker->check(new Environment('69.174.82.0', 'maf.link'));

print $checkResult->getCode() . PHP_EOL;
print_r($checkResult->getMessages());

// Second check: a different sender IP against the same domain
$checkResult = $checker->check(new Environment('104.47.55.110', 'maf.link'));
print $checkResult->getCode() . PHP_EOL;
print_r($checkResult->getMessages());

What I find is that the first check says there is a permerror: "Too many DNS lookups have been performed (max limit is 10)". The second check counts 3 DNS lookups, then finds the IP and returns with success. I would expect that it should return the same permerror in both cases because the record itself is invalid.

Is this behavior of the library intentional?

Thanks in advance for any insight you can share.

Did you try to see what's happening with xdebug?

Thanks for the quick response.

I didn't yet - was curious what your philosophical perspective was first :)


Hi, I have a question that would match the topic, but I'm not sure if it's maybe a different issue so I append it:

When I validate an SPF record using the SemanticValidator, only the directly required DNS lookups seem to be counted, but not those from the included SPF records. This leads to a valid result, even though the SPF record is in fact invalid.

Are there plans to support counting DNS lookups for included SPF records also? Or should I implement this by myself?

Btw. I see that OnlineSemanticValidator does count everything, but it's not possible to get the counted number.

It would be cool if we could get the count out of OnlineSemanticValidator.
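As an added illustration for both questions in this thread (the permerror-versus-pass difference reported at the top, and counting the lookups hidden inside included records), here is a small self-contained Python script. It is not code from mlocati/spf-lib; it implements the RFC 7208 section 4.6.4 rule (a, mx, ptr, exists, include and redirect each cost one lookup, at most 10 per check) over a constructed in-memory zone. count_lookups() walks the whole include/redirect tree regardless of whether anything would match, which is what a validator needs; check_host() does what an RFC check does, trying terms left to right and stopping at the first match, so the counter it keeps only reflects the lookups performed before that match. All domains, addresses and records are constructed for the example; dual-CIDR suffixes such as a/24 and PTR/exists data are deliberately left out.

```python
"""SPF lookup accounting (RFC 7208 section 4.6.4): whole-tree static count vs. a check's running count."""
import ipaddress
import re

LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}  # each costs one DNS lookup
MAX_LOOKUPS = 10

# Constructed zone data (example domains, not real DNS answers).
SPF = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:vendor-a.test include:vendor-b.test -all",
    "vendor-a.test": "v=spf1 a mx include:_spf.vendor-a.test ~all",
    "_spf.vendor-a.test": "v=spf1 ip4:198.51.100.0/24 a:mail1.vendor-a.test a:mail2.vendor-a.test -all",
    "vendor-b.test": "v=spf1 mx exists:%{i}.rbl.vendor-b.test redirect=_spf.vendor-b.test",
    "_spf.vendor-b.test": "v=spf1 a a:mx1.vendor-b.test a:mx2.vendor-b.test -all",
}
A_RECORDS = {"vendor-a.test": ["203.0.113.10"], "mail1.vendor-a.test": ["203.0.113.11"]}
MX_HOSTS = {"vendor-a.test": ["mail1.vendor-a.test"]}

# qualifier, name, optional ":"/"=" argument (dual-CIDR suffixes like "a/24" are not handled here)
TERM_RE = re.compile(r"^([+\-~?])?([a-z][a-z0-9]*)(?:[:=](.*))?$", re.I)
OUTCOME = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Running lookup count went past MAX_LOOKUPS."""


def parse_record(txt: str) -> list[tuple[str, str, str]]:
    """Split an SPF TXT string into (qualifier, name, argument) triples."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {txt!r}")
    terms = []
    for part in parts[1:]:
        m = TERM_RE.match(part)
        if m is None:
            raise ValueError(f"unparseable term: {part!r}")
        terms.append((m[1] or "+", m[2].lower(), m[3] or ""))
    return terms


def count_lookups(domain: str, chain: tuple[str, ...] = ()) -> int:
    """Static count: descend into every include/redirect target whether or not anything would match."""
    domain = domain.lower()
    if domain in chain:
        raise ValueError("include/redirect loop: " + " -> ".join(chain + (domain,)))
    if domain not in SPF:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for _qual, name, arg in parse_record(SPF[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, chain + (domain,))
    return total


class Budget:
    """Lookup counter shared by one whole check, nested includes and redirects included."""
    def __init__(self) -> None:
        self.used = 0

    def spend(self) -> None:
        self.used += 1
        if self.used > MAX_LOOKUPS:
            raise PermError(f"too many DNS lookups (max limit is {MAX_LOOKUPS})")


def _evaluate(ip: str, domain: str, budget: Budget) -> str:
    """Check-time walk: terms are tried left to right and the walk stops at the first match,
    so lookups further right, or in later includes, are never performed at all."""
    if domain not in SPF:
        return "none"
    redirect = None
    for qual, name, arg in parse_record(SPF[domain]):
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            budget.spend()  # the A queries for each MX host fall under a separate limit
            hosts = [arg or domain] if name == "a" else MX_HOSTS.get(arg or domain, [])
            matched = any(ip in A_RECORDS.get(h, []) for h in hosts)
        elif name in ("ptr", "exists"):
            budget.spend()  # constructed zone has no PTR/exists data, so these never match
        elif name == "include":
            budget.spend()
            matched = _evaluate(ip, arg, budget) == "pass"
        elif name == "redirect":
            redirect = arg  # consulted only if no mechanism matched
        if matched:
            return OUTCOME[qual]
    if redirect is not None:
        budget.spend()
        return _evaluate(ip, redirect, budget)
    return "neutral"


def check_host(ip: str, domain: str) -> tuple[str, int]:
    """Return (result, lookups performed); 'permerror' once the limit is exceeded."""
    budget = Budget()
    try:
        return _evaluate(ip, domain, budget), budget.used
    except PermError:
        return "permerror", budget.used
```

With this constructed zone, count_lookups("example.test") returns 13, while check_host("198.51.100.7", "example.test") returns ("pass", 4) and check_host("203.0.113.250", "example.test") returns ("permerror", 11): the same invalid record is accepted for one sender and rejected for another purely because of how far the evaluation has to travel before something matches. That is why a static validator has to count the whole tree itself rather than relying on the counter a check keeps.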