UP­DATE: There is *an­oth­er* *bet­ter* test suite It is in YAM­L, though, so I need to parse it be­fore I can use it, but that's my prob­lem.

It's hav­ing a test suite that makes no sense.

I have writ­ten, for my ra-­plu­g­ins project (y­ou don't have to know what it is for this post any­way) a piece of code that tries to check mail senders us­ing SPF.

SPF is an open stan­dard. It has stan­dard im­ple­men­ta­tion­s. It has a test suite (http://www.schlit­t.net/spf/test­s/).

The test suite says this:

spf­query -ip=192.0.2.1 -sender=05.spf1-test.­mail­zone.­com -h­elo=05.spf1-test.­mail­zone.­com re­sult /.*/ fail smt­p-­com­ment /.*/ ex­pla­na­tion head­er-­com­ment /.*/ spf­query: do­main of 05.spf1-test.­mail­zone.­com does not des­ig­nate 192.0.2.1 as per­mit­ted sender re­ceived-spf /.*/ Re­ceived-SPF: fail (spf­query: do­main of 05.spf1-test.­mail­zone.­com does not des­ig­nate 192.0.2.1 as per­mit­ted sender) clien­t-ip=192.0.2.1; en­velope-from=­post­mas­ter@05.spf1-test.­mail­zone.­com; helo=05.spf1-test.­mail­zone.­com;

So, yeah:

$ spfquery -ip=192.0.2.1 -sender=05.spf1-test.mailzone.com -helo=05.spf1-test.mailzone.com
fail
Please see http://www.openspf.org/why.html?sender=05.spf1-test.mailzone.com&ip=192.0.2.1&receiver=spfquery
spfquery: domain of 05.spf1-test.mailzone.com does not designate 192.0.2.1 as permitted sender
Received-SPF: fail (spfquery: domain of 05.spf1-test.mailzone.com does not designate
192.0.2.1 as permitted sender) client-ip=192.0.2.1;
envelope-from=05.spf1-test.mailzone.com; helo=05.spf1-test.mailzone.com;

So, the stan­dard im­ple­men­ta­tion does what the test suite says.

Too bad that, if you both­er check­ing the URL you are told to "please see"...

The do­main 05.spf1-test.­mail­zone.­com has pub­lished an SPF pol­i­cy, how­ev­er the pol­i­cy is neu­tral on whether 192.0.2.1 is au­tho­rized to send mail on its be­half.

Ei­ther both the test suite and the sam­ple im­ple­men­ta­tion are wrong, or the site is wrong. And I am lean­ing to­wards "the test suite is wrong", be­cause...

$ host -t txt 05.spf1-test.mailzone.com
05.spf1-test.mailzone.com descriptive text "v=spf1 default=deny"

If you check the record syn­tax (http://www.open­spf.org/SPF_Record_Syn­tax) de­fault is an un­known mod­i­fier, and should be ig­nored, so the record is sim­ply "v=spf1", and in­deed the re­sult is neu­tral and there is no rea­son why this should be a fail.