draft-schlitt-spf-classic-02.txt

来自「非常好的dns解析软件」· 文本 代码 · 共 1,763 行 · 第 1/5 页

   under the domain to exist and queries against arbitrary names will
   never return RCODE 3 (Name Error).


















Wong & Schlitt          Expires December 8, 2005               [Page 13]

Internet-Draft        Sender Policy Framework (SPF)            June 2005


4.  The check_host() Function

   The check_host() function fetches SPF records, parses them, and
   interprets them to determine whether a particular host is or is not
   permitted to send mail with a given identity.  Mail receivers that
   perform this check MUST correctly evaluate the check_host() function
   as described here.

   Implementations MAY use a different algorithm than the canonical
   algorithm defined here, so long as the results are the same in all
   cases.

4.1.  Arguments

   The function check_host() takes these arguments:

   <ip>     - the IP address of the SMTP client that is emitting the
            mail, either IPv4 or IPv6.

   <domain> - the domain that provides the sought-after authorization
            information; initially the domain portion of the "MAIL FROM"
            or "HELO" identity.

   <sender> - the "MAIL FROM" or "HELO" identity.

   The domain portion of <sender> will usually be the same as the
   <domain> argument when check_host() is initially evaluated.  However,
   this will generally not be true for recursive evaluations (see
   Section 5.2 below).

   Actual implementations of the check_host() function may need
   additional arguments.

4.2.  Results

   The function check_host() can return one of several results described
   in Section 2.5.  Based on the result, the action to be taken is
   determined by the local policies of the receiver.

4.3.  Initial Processing

   If the <domain> is malformed (label longer than 63 characters, zero
   length label not at the end, etc.), is not a fully qualified domain
   name, or if the DNS lookup returns "domain does not exist" (RCODE 3),
   check_host() immediately returns the result "None".

   If the <sender> has no localpart, substitute the string "postmaster"
   for the localpart.



Wong & Schlitt          Expires December 8, 2005               [Page 14]

Internet-Draft        Sender Policy Framework (SPF)            June 2005


4.4.  Record Lookup

   In accordance with how the records are published, see Section 3.1
   above, a DNS query needs to be made for the <domain> name, querying
   for either RR type TXT, SPF, or both.  If both SPF and TXT RRs are
   looked up, the queries MAY be done in parallel.

   If the DNS lookup returns a server failure (RCODE 2), or other error
   (RCODE other than 0 or 3), or the query times out, check_host() exits
   immediately with the result "TempError".

4.5.  Selecting Records

   Records begin with a version section:

   record           = version terms *SP
   version          = "v=spf1"

   Starting with the set of records that were returned by the lookup,
   record selection proceeds in three steps:

   1.  Records that do not begin with a version section of exactly
       "v=spf1" are discarded.  Note that the version section is
       terminated either by a SP character or the end of the record.  A
       record with a version section of "v=spf10" does not match and
       must be discarded.

   2.  If there are both SPF and TXT records in the set and if they are
       not all identical, return a "PermError".

   3.  If any records of type SPF are in the set, then all records of
       type TXT are discarded.

   After the above steps, there should be exactly one record remaining
   and evaluation can proceed.  If there are two or more records
   remaining, then check_host() exits immediately with the result of
   "PermError".

   If no matching records are returned, an SPF client MUST assume that
   the domain makes no SPF declarations.  SPF processing MUST stop and
   return "None".

4.6.  Record Evaluation

   After one SPF record has been selected, the check_host() function
   parses and interprets it to find a result for the current test.  If
   there are any syntax errors, check_host() returns immediately with
   the result "PermError".



Wong & Schlitt          Expires December 8, 2005               [Page 15]

Internet-Draft        Sender Policy Framework (SPF)            June 2005


   Implementations MAY choose to parse the entire record first and
   return "PermError" if the record is not syntactically well formed.
   However, in all cases, any syntax errors anywhere in the record MUST
   be detected.

4.6.1.  Term Evaluation

   There are two types of terms: mechanisms and modifiers.  A record
   contains an ordered list of these as specified in the following ABNF.

   terms            = *( 1*SP ( directive / modifier ) )

   directive        = [ qualifier ] mechanism
   qualifier        = "+" / "-" / "?" / "~"
   mechanism        = ( all / include
                      / A / MX / PTR / IP4 / IP6 / exists )
   modifier         = redirect / explanation / unknown-modifier
   unknown-modifier = name "=" macro-string

   name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )

   Most mechanisms allow a ":" or "/" character after the name.

   Modifiers always contain an equals ('=') character immediately after
   the name, and before any ":" or "/" characters that may be part of
   the macro-string.

   Terms that do not contain any of "=", ":" or "/" are mechanisms, as
   defined in Section 5.

   As per the definition of the ABNF notation in [I-D.crocker-abnf-
   rfc2234bis], mechanism and modifier names are case-insensitive.

4.6.2.  Mechanisms

   Each mechanism is considered in turn from left to right.  If there
   are no more mechanisms, the result is specified in Section 4.7.

   When a mechanism is evaluated, one of three things can happen: it can
   match, it can not match, or it can throw an exception.

   If it matches, processing ends and the qualifier value is returned as
   the result of that record.  If it does not match, processing
   continues with the next mechanism.  If it throws an exception,
   mechanism processing ends and the exception value is returned.

   The possible qualifiers, and the results they return are:




Wong & Schlitt          Expires December 8, 2005               [Page 16]

Internet-Draft        Sender Policy Framework (SPF)            June 2005


      "+" Pass
      "-" Fail
      "~" SoftFail
      "?" Neutral

   The qualifier is optional and defaults to "+".

   When a mechanism matches and the qualifier is "-", then a "Fail"
   result is returned and the explanation string is computed as
   described in Section 6.2.

   The specific mechanisms are described in Section 5.

4.6.3.  Modifiers

   Modifiers are not mechanisms: they do not return match or not-match.
   Instead they provide additional information.  While modifiers do not
   directly affect the evaluation of the record, the "redirect" modifier
   has an effect after all the mechanisms have been evaluated.

4.7.  Default Result

   If none of the mechanisms match and there is no "redirect" modifier,
   then the check_host() returns a result of "Neutral", just as if
   "?all" were specified as the last directive.  If there is a
   "redirect" modifier, check_host() proceeds as defined in Section 6.1.

   Note that records SHOULD always either use a "redirect" modifier or
   an "all" mechanism to explicitly terminate processing.

   For example:

      v=spf1 +mx -all
   or
      v=spf1 +mx redirect=_spf.example.com

4.8.  Domain Specification

   Several of these mechanisms and modifiers have a <domain-spec>
   section.  The <domain-spec> string is macro expanded (see Section 8).
   The resulting string is the common presentation form of a fully-
   qualified DNS name: a series of labels separated by periods.  This
   domain is called the <target-name> in the rest of this document.

   Note: The result of the macro expansion is not subject to any further
   escaping.  Hence, this facility cannot produce all characters that
   are legal in a DNS label (e.g. the control characters).  However,
   this facility is powerful enough to express legal host names, and



Wong & Schlitt          Expires December 8, 2005               [Page 17]

Internet-Draft        Sender Policy Framework (SPF)            June 2005


   common utility labels (such as "_spf") that are used in DNS.

   For several mechanisms, the <domain-spec> is optional.  If it is not
   provided, the <domain> is used as the <target-name>.















































Wong & Schlitt          Expires December 8, 2005               [Page 18]

Internet-Draft        Sender Policy Framework (SPF)            June 2005


5.  Mechanism Definitions

   This section defines two types of mechanisms.

   Basic mechanisms contribute to the language framework.  They do not
   specify a particular type of authorization scheme.

      all
      include

   Designated sender mechanisms are used to designate a set of <ip>
   addresses as being permitted or not permitted to use the <domain> for
   sending mail.

      a
      mx
      ptr
      ip4
      ip6
      exists

   The following conventions apply to all mechanisms that perform a
   comparison between <ip> and an IP address at any point:

   If no CIDR-length is given in the directive, then <ip> and the IP
   address are compared for equality.

   If a CIDR-length is specified, then only the specified number of
   high-order bits of <ip> and the IP address are compared for equality.

   When any mechanism fetches host addresses to compare with <ip>, when
   <ip> is an IPv4 address, A records are fetched, when <ip> is an IPv6
   address, AAAA records are fetched.  Even if the SMTP connection is
   via IPv6, an IPv4-mapped IPv6 IP address (see [RFC3513] section
   2.5.5) MUST still be considered an IPv4 address.

   Several mechanisms rely on information fetched from DNS.  For these
   DNS queries, except where noted, if the DNS server returns an error
   (RCODE other than 0 or 3) or the query times out, the mechanism
   throws the exception "TempError".  If the server returns "domain does
   not exist" (RCODE 3), then evaluation of the mechanism continues as
   if the server returned no error (RCODE 0) and zero answer records.

5.1.  "all"

   all              = "all"

   The "all" mechanism is a test that always matches.  It is used as the