SPF(8) SPF(8)
NAME
spf - evaluate spf records
SYNOPSIS
upas/spf [ -demprv ] [ -n netroot ] domain [ ehlo ip ]
DESCRIPTION
Spf parses SPF records for domain and validates them against
any additional arguments. If there are no additional argu-
ments, the internal representation of the SPF records is
printed. Typically, spf is invoked by smtpd (see smtp(8))
through the /mail/lib/validatesender script. There are four
possible results of an spf invocation: success, no match, no
record found and timeout. Unsuccessful results are indi-
cated by exit codes beginning with fail, none, and deferred,
respectively.
The policy implented is that negatively biased results are
the equivalent to negative match. Thus ~all is treated the
same as -all. The -e flag makes this policy even more dra-
conian, escalating neutral results to failure. This is use-
ful for sites like gmail.com which enumerate all allowed
hosts but end with an inclusive neutral result. This flag
is not recomended as a default for all sites.
Flags are as follows:
-d print DNS queries as performed
-e escalate; treat ?all as -all. The result ~all is
always treated the same as -all.
-m ignore macros
-n netroot
use the IP stack rooted at netroot.
-p print the internal representation of the SPF
records. This is the default if only one argument
is given.
-r trace include and redirect elements.
-v print records resulting in postitive or negative
match or bias.
SEE ALSO
smtp(8),
SPF(8) SPF(8)
/lib/rfc/rfc4408 Sender Policy Framework
/lib/rfc/rfc/4406 SenderID
SOURCE
/sys/src/cmd/upas/spf
BUGS
Exp records are ignored.
Inproperly placed redirect queries are not evaluated last.
Spf uses higher dns query limits than allowed by the RFC as
the authors of the RFC use SPF records that require twice
the allowed number of queries.