SG 9.5.1 SPF fails IP address that should be allowed | MDaemon Technologies, Ltd.

SG 9.5.1 SPF fails IP address that should be allowed


  • Hi,

    Security Gateway 9.5.1 SPF fails an IP address that should be allowed, I think.

    kundcenter@gotamedia.se sends from IP 80.76.153.145 and according to their SPF records it should be allowed, but SG fails it.

    See below:

    Wed 2023-11-22 18:47:00: Performing SPF lookup (gotamedia.se / 80.76.153.145)
    Wed 2023-11-22 18:47:00: * Policy: v=spf1 include:spf0.gotamedia.se include:spf1.gotamedia.se include:spf2.gotamedia.se -all
    Wed 2023-11-22 18:47:00: * Evaluating include:spf0.gotamedia.se: performing lookup
    Wed 2023-11-22 18:47:00: * Policy: v=spf1 ip4:192.176.163.15 ip4:79.136.22.194 ip4:79.136.22.195 ip4:212.247.172.146 ip4:212.247.172.147 include:_spf.google.com include:spf.protection.outlook.com -all
    Wed 2023-11-22 18:47:00: * Evaluating ip4:192.176.163.15: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:79.136.22.194: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:79.136.22.195: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:212.247.172.146: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:212.247.172.147: no match
    Wed 2023-11-22 18:47:00: * Evaluating include:_spf.google.com: performing lookup
    Wed 2023-11-22 18:47:00: * Policy: v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
    Wed 2023-11-22 18:47:00: * Evaluating include:_netblocks.google.com: performing lookup
    Wed 2023-11-22 18:47:00: * Policy: v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all
    Wed 2023-11-22 18:47:00: * Evaluating ip4:35.190.247.0/24: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:64.233.160.0/19: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:66.102.0.0/20: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:66.249.80.0/20: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:72.14.192.0/18: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:74.125.0.0/16: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:108.177.8.0/21: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:173.194.0.0/16: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:209.85.128.0/17: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:216.58.192.0/19: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:216.239.32.0/19: no match
    Wed 2023-11-22 18:47:00: * Evaluating ~all: match
    Wed 2023-11-22 18:47:00: * Evaluating include:_netblocks.google.com: no match
    Wed 2023-11-22 18:47:00: * Evaluating include:_netblocks2.google.com: performing lookup
    Wed 2023-11-22 18:47:00: * Policy: v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2001:4860:4000::/36: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2404:6800:4000::/36: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2607:f8b0:4000::/36: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2800:3f0:4000::/36: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2a00:1450:4000::/36: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2c0f:fb50:4000::/36: no match
    Wed 2023-11-22 18:47:00: * Evaluating ~all: match
    Wed 2023-11-22 18:47:00: * Evaluating include:_netblocks2.google.com: no match
    Wed 2023-11-22 18:47:00: * Evaluating include:_netblocks3.google.com: performing lookup
    Wed 2023-11-22 18:47:00: * Policy: v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all
    Wed 2023-11-22 18:47:00: * Evaluating ip4:172.217.0.0/19: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:172.217.32.0/20: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:172.217.128.0/19: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:172.217.160.0/20: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:172.217.192.0/19: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:172.253.56.0/21: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:172.253.112.0/20: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:108.177.96.0/19: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:35.191.0.0/16: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:130.211.0.0/22: no match
    Wed 2023-11-22 18:47:00: * Evaluating ~all: match
    Wed 2023-11-22 18:47:00: * Evaluating include:_netblocks3.google.com: no match
    Wed 2023-11-22 18:47:00: * Evaluating ~all: match
    Wed 2023-11-22 18:47:00: * Evaluating include:_spf.google.com: no match
    Wed 2023-11-22 18:47:00: * Evaluating include:spf.protection.outlook.com: performing lookup
    Wed 2023-11-22 18:47:00: * Policy: v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/50 ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all
    Wed 2023-11-22 18:47:00: * Evaluating ip4:40.92.0.0/15: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:40.107.0.0/16: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:52.100.0.0/14: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip4:104.47.0.0/17: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2a01:111:f400::/48: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2a01:111:f403::/49: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2a01:111:f403:8000::/50: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2a01:111:f403:c000::/51: no match
    Wed 2023-11-22 18:47:00: * Evaluating ip6:2a01:111:f403:f000::/52: no match
    Wed 2023-11-22 18:47:00: * Evaluating -all: match
    Wed 2023-11-22 18:47:00: * Evaluating include:spf.protection.outlook.com: no match
    Wed 2023-11-22 18:47:00: * Evaluating -all: match
    Wed 2023-11-22 18:47:00: * Evaluating include:spf0.gotamedia.se: no match
    Wed 2023-11-22 18:47:00: * Evaluating include:spf1.gotamedia.se: performing lookup
    Wed 2023-11-22 18:47:00: * Evaluating include:spf1.gotamedia.se: no match; no SPF record in DNS
    Wed 2023-11-22 18:47:00: * Evaluating include:spf2.gotamedia.se: performing lookup
    Wed 2023-11-22 18:47:00: * Evaluating include:spf2.gotamedia.se: no match; no SPF record in DNS
    Wed 2023-11-22 18:47:00: * Evaluating -all: match
    Wed 2023-11-22 18:47:00: * Result: fail

    I have tested this with the site: https://www.kitterman.com/spf/validate.html

    With this result:

    Mail sent from this IP address: 80.76.153.145
    Mail from (Sender): kundcenter@gotamedia.se
    Mail checked using this SPF policy: v=spf1 include:spf0.gotamedia.se include:spf1.gotamedia.se include:spf2.gotamedia.se -all
    Results - PASS sender SPF authorized

    I have also checked that the DNS server used can look up all SPF records.

    Kind Regards

    Johan



  • I believe it's because of how the TXT record for spf1.gotamedia.se is created. When I do a lookup for the record using NSLookup, it looks like this:

    text =

            "v=spf1"
            " ip4:172.29.1.201"
            " ip4:81.201.212.53"
            " ip4:80.76.150.36/31"
            " ip4:64.93.79.192/26"
            " ip4:54.246.186.165/32"
            " ip4:54.214.28.131"
            " ip4:208.97.136.67"
            " ip4:52.26.5.50"
            " ip4:44.232.3.192"
            " ip4:23.21.109.197"
            " ip4:23.21.109.212"
            " ip4:147.160.167.0/26"
            " ip4:87.237.214.176"
            " ip4:81.201.216.52"
            " ip4:82.96.59.34"
            " ip4:80.76.150.36"
            " ip4:80.76.150.37"
            " ip4:80.76.154.194"
            " ip4:80.76.153.145"
            " ip4:176.9.183.128/27"
            " -all"

    While not common, it is not invalid, but SG is expecting the first line to contain at least "v=spf1 ".  Notice the space at the end.  I'll submit a bug on it for the developers to review.  
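
The reply above traces the failure to a TXT record split into several character-strings. As an added example (not part of the original thread and not MDaemon's code), the Python below contrasts a first-string-only version check with the RFC 7208 section 3.3 rule of concatenating the strings without adding spaces. The function names are hypothetical, `naive_is_spf` is an assumed model of the behaviour the reply describes, and only `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Subset of the character-strings nslookup returned for spf1.gotamedia.se (from the post above).
TXT_STRINGS = ["v=spf1", " ip4:172.29.1.201", " ip4:80.76.150.36/31",
               " ip4:80.76.154.194", " ip4:80.76.153.145", " ip4:176.9.183.128/27", " -all"]

def naive_is_spf(strings):
    """Assumed model of the failing check: only the first string is inspected."""
    return strings[0].lower().startswith("v=spf1 ")

def join_txt(strings):
    """RFC 7208 section 3.3: concatenate the strings with no separator added."""
    return "".join(strings)

def is_spf(record):
    """Version term is exactly 'v=spf1', followed by a space or the end of the record."""
    r = record.lower()
    return r == "v=spf1" or r.startswith("v=spf1 ")

def evaluate_ip4(record, client_ip):
    """Evaluate ip4 and all mechanisms left to right; return the SPF result string."""
    if not is_spf(record):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return results[qualifier]
        if mech.startswith("ip4:"):
            # strict=False tolerates host bits set in a published CIDR range
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return results[qualifier]
    return "neutral"

if __name__ == "__main__":
    record = join_txt(TXT_STRINGS)
    print("first-string check accepts record:", naive_is_spf(TXT_STRINGS))
    print("joined record:", record)
    print("80.76.153.145 ->", evaluate_ip4(record, "80.76.153.145"))
```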


  • @Johan this will be fixed in the next release.

    [27436] fix to Multi-line SPF record fails lookup when first character in second line after v=spf1 contains a space


  • Thanks Arron and Matthew!

    Kind Regards

    Johan

     

