Add specifications for testing SPF and DMARC policies

[marc-vanderwal]

Purpose

This PR introduces three test cases for testing SPF and DMARC policies for the domain under test.

Context

Fixes #995.

Changes

Added three test cases:

• checking SPF for compliance with respect to RFC 7208;
• checking for non-use of the deprecated SPF resource record type;
• checking DMARC for compliance with respect to RFC 7489.

How to test this PR

This is a documentation update. However #1099 should be merged first.

[matsduf]

The proposals do not follow the specification template. Could you rewrite them? You could also check the active PRs for specification updates, e.g. #1098 and #1032.

[marc-vanderwal]

Sure, I will.

I was also unsure about where to add these new test cases. I’ve added them in Zone because that’s where the tests involving MX records are, but they could be in a new category (maybe Email).

[matsduf]

I was also unsure about where to add these new test cases. I’ve added them in Zone because that’s where the tests involving MX records are, but they could be in a new category (maybe Email).

I think Zone is fine. I am not sure that adding a new test level would make it better. Before adding a new level I think we should have a broader discussion about which levels to have and what they should contain.

[marc-vanderwal]

Okay, sticking with Zone, then.

[marc-vanderwal]

The proposals do not follow the specification template. Could you rewrite them? You could also check the active PRs for specification updates, e.g. #1098 and #1032.

Done.

[marc-vanderwal]

I’ve addressed some of your remarks in this iteration, but I haven’t updated the other test cases or acted on the remaining remarks yet. Also, step 14 is probably wrong because the real limits are described in RFC 7208 § 4.6.4 and it’s slightly more complicated than I thought. I’ll rephrase that step later.

[marc-vanderwal]

Overhauled Zone11. Rewrites of Zone12 and Zone13 will come later.

[matsduf]

I have only reviewed Zone11.

[matsduf]

Validation of an SPF policy according to the RFC is quite complex!

[marc-vanderwal]

Yes, validating an SPF policy is indeed a chore (and a tool like Zonemaster cannot necessarily check everything). But I’m doing some research on the use of SPF in the .fr zone and as far as I can see, I’m pretty confident that this test case will catch most errors people make when publishing SPF policies.

[marc-vanderwal]

I think I can simplify this test case quite a bit.

People very rarely make mistakes in the SPF version number. Less than 0,1% of domains in the .fr zone, which our crawler has classified as “not parked”, have TXT records starting with v=spf followed by something else than 1. So such mistakes are not worth testing for.

[matsduf]

People very rarely make mistakes in the SPF version number. Less than 0,1% of domains in the .fr zone, which our crawler has classified as “not parked”, have TXT records starting with v=spf followed by something else than 1. So such mistakes are not worth testing for.

If I understand it correctly, Zone11 will consider such TXT records as non-SPF records. It is hard to say how much errors to look for. There is always a limit.

[matsduf]

This PR is a draft. Are Zone12 and Zone13 ready for review?

[marc-vanderwal]

If I understand it correctly, Zone11 will consider such TXT records as non-SPF records. It is hard to say how much errors to look for. There is always a limit.

That’s right, Zone11 will output Z11_NO_SPF_FOUND.

However it is interesting, I think, to look for TXT records that do contain v=spf1 somewhere in their text. I’ve seen instances of mistakes such as:

• including quotation marks around the SPF policy (which dig would display as … IN TXT "\"v=spf1 …\"");
• copy-pasting the entire resource record in the data field (e.g example. 3600 IN TXT "example. 3600 IN TXT \"v=spf1 …\"").

I haven’t quantified this phenomenon yet but maybe it’s something to do in a separate test case.

This PR is a draft. Are Zone12 and Zone13 ready for review?

I’ve rewritten Zone12 and Zone13 as well based on your review of Zone11, so yes, they are. I even think that this specification is stable/mature enough for me to mark this PR as ready for review.

[matsduf]

However it is interesting, I think, to look for TXT records that do contain v=spf1 somewhere in their text. I’ve seen instances of mistakes such as:

* including quotation marks around the SPF policy (which `dig` would display as `… IN TXT "\"v=spf1 …\""`);

* copy-pasting the entire resource record in the data field (e.g `example. 3600 IN TXT "example. 3600 IN TXT \"v=spf1 …\""`).

I haven’t quantified this phenomenon yet but maybe it’s something to do in a separate test case.

I think it fits into this test case instead of a separate one. The cases are maybe rare, but Zonemaster should also look for rare cases such as responding to queries for SOA but not MX. At least I think it should be simple to create test zones with the odd data in a TXT record. I think that looking for a TXT record that contains v=spf but not being valid SPF would be reasonable. It might not being ERROR, but NOTICE or WARNING.

I’ve rewritten Zone12 and Zone13 as well based on your review of Zone11, so yes, they are. I even think that this specification is stable/mature enough for me to mark this PR as ready for review.

OK, I will dig into Zone12 and Zone13 then.

[marc-vanderwal]

After discussion, I’m going to close this PR in order to split it up into smaller ones.

I also finished conducting some preliminary research on the use of SPF, DKIM and DMARC on the .fr zone and published some results on (Afnic’s blog)[https://www.afnic.fr/en/observatory-and-resources/expert-papers/spf-dkim-and-dmarc-whats-the-situation-with-the-fr-tld/]. Erroneous SPF and DMARC policies are very rare, and I don’t think it’s worth giving detailed feedback on possible errors in SPF and DMARC records unless there is sufficient demand for it, which seems unlikely to me.

Based on that research, I’m therefore going to create new specifications that just focus on checking for SPF, DKIM and DMARC on the zone under test and maybe just conduct a basic syntax check on SPF and DMARC policies (I’ve actually used Mail::SPF and Mail::DMARC to do just that during my research, so that’s going to be an easy thing to implement), raising warnings if there’s an obvious error. All of these will go in separate PRs.