[Rspamd-Users] Multiple SPF-Received, R_SPF_ALLOW, expected R_SPF_FAIL

G.W. Haywood rspamd at jubileegroup.co.uk
Mon Sep 25 08:26:10 UTC 2023


Hi there,

On Sun, 24 Sep 2023, Scott Serr wrote:

> I have back to back Received-SPF: headers.  The last one (the top
> one?) fails with PermError ...

It doesn't "fail with permerror".  In SPF parlance permerror does not
mean fail.  It means that something went wrong, and the SPF record
could not be used to validate the connection or otherwise.  Refer to
RFC7208, especially sections 2.6.7, 8.7, and appendix G.3.

You face a slightly difficult choice when the result is permerror.
Assuming it's a genuine header/record, most of the time I personally
would reject just to let the sender know that they have a problem.
Otherwise they'll never fix it.  But in the past I've seen quite a few
legitimate businesses (1) get it so completely round their necks and
(2) reply to my problem reports with "it must be your fault because
google ..." or some such nonsense that I've simply had to ignore their
broken SPF records, sometimes for years.  That's less of a problem now
that more people are starting to get the hang of it.  But they still
mostly think that all that matters is that the result is pass, and it
doesn't matter if the SPF record is *incapable* of producing a fail,
which I'm afraid is still a very common problem.  Last time I looked
that applied to about 30% of the records in existence.

You are right to question whether the last record is the top one.  In
theory only the first Received-SPF header is to be taken as valid, but
even that needs to be treated with caution because it might be forged.
You can't just blindly accept the first one you find, but if it looks
genuine, and the result from it is permerror, there isn't an option to
fall back to a later record nor anything of that kind.

You'll frequently see Microsoft servers mess up SPF processing.  For
example they sometimes put multiple Received-SPF headers in mail with
schizophrenic results.  You may want to treat them as a special case.

-- 

73,
Ged.
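
The handling described in the message above, as an added example that is not part of the original post: read every Received-SPF header, take the verdict only from the topmost one, treat permerror as distinct from fail, and report (but do not use) lower headers that disagree. The function names and the sample message are constructed, and the code assumes the topmost header was added by your own MTA; it does not detect forged headers.

```python
import email
from email import policy

# Result keywords from RFC 7208 section 2.6.
SPF_RESULTS = {"none", "neutral", "pass", "fail", "softfail",
               "temperror", "permerror"}

# Constructed sample: two Received-SPF headers, topmost (most recent) first.
SAMPLE = (
    "Received-SPF: PermError (mx.example.net: example.org has an invalid SPF record)\n"
    "Received-SPF: Pass (relay.example.com: 192.0.2.10 is permitted by example.org)\n"
    "Received: from relay.example.com (192.0.2.10) by mx.example.net;\n"
    " Mon, 25 Sep 2023 08:00:00 +0000\n"
    "From: sender@example.org\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)


def spf_results(raw):
    """Result keyword of each Received-SPF header, in top-to-bottom order."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for value in msg.get_all("Received-SPF", []):
        words = str(value).split(None, 1)
        keyword = words[0].lower() if words else ""
        found.append(keyword if keyword in SPF_RESULTS else "unparseable")
    return found


def evaluate(raw):
    """Use only the topmost header; never fall back to a lower one."""
    found = spf_results(raw)
    if not found:
        return {"result": "none", "is_fail": False, "conflict": False}
    top = found[0]
    return {
        "result": top,
        # Only an explicit "fail" is a fail; permerror means the record
        # could not be evaluated and is left to local policy.
        "is_fail": top == "fail",
        # Lower headers are reported for logging, not used for the verdict.
        "conflict": any(r != top for r in found[1:]),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE))
```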

