Sender Policy Framework validation may fail when validating SPF records with multiple Strings


Article ID: 161480


Products

Messaging Gateway

Issue/Introduction

After enabling Sender Policy Framework (under Sender Authentication on Symantec Messaging Gateway), SPF validation may fail when the domain's SPF record contains multiple strings separated by double quotes ("). This issue occurs when the string interruption in the domain's SPF record is in the middle of a word (e.g. "v=spf1 string of t" "ext").

Example of domain's SPF record with multiple strings:

symantec.com    text = "v=spf1 include:spf.symantec.com ip4:207.38.45.154 include:spf.messagelabs.com include:spf-ilg.symantec.com i" "nclude:spf-mtv.symantec.com ip4:63.245.193.25 ip4:63.245.197.25 ip4:63.245.201.25 ~all"

 
Example of the SPF validation result as it appears in the received email's header:
 
Authentication-Results: symauth.service.identifier; spf=unknown
 
 
Example of the events shown by Maillog at debug level:
 
2014 Nov 13 08:21:59 EST (info) ecelerity: [22353] [info]: sms_spf_ctrl.cc-01073: SenderAuth module: Unable to retrieve a PRA.
2014 Nov 13 08:21:59 EST (info) ecelerity: [22353] [info]: sms_spf_ctrl.cc-01074: SenderAuth module: Sender Authentication could not be performed.
.....
2014 Nov 13 08:21:59 EST (debug) ecelerity: [22353] sieve: Original Authentication-Results header value: symauth.service.identifier; spf=unknown
 

Additional information:

 

From: Sender Policy Framework (SPF) RFC 7208 http://tools.ietf.org/html/rfc7208



3.3. Multiple Strings in a Single DNS Record


As defined in [RFC1035], Sections 3.3 and 3.3.14, a single text DNS record can be composed of more than one string. If a published record contains multiple character-strings, then the record MUST be treated as if those strings are concatenated together without adding spaces. For example:

IN TXT "v=spf1 .... first" "second string..."

is equivalent to:

IN TXT "v=spf1 .... firstsecond string..."

TXT records containing multiple strings are useful in constructing records that would exceed the 255-octet maximum length of a character-string within a single TXT record.  

Cause

When Messaging Gateway (SMG) attempts to validate a domain whose SPF record contains multiple strings and the break between strings is in the middle of a word, the SenderAuth module fails and cannot validate the sender.

Resolution

Symantec is aware of this issue and will solve it as soon as possible. Please subscribe to this document to be automatically notified of any changes.

If you are trying to validate your own domain, please remove the string break from the SPF record if possible.
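A domain owner can check a published record for the condition described above. The following Python sketch is an added example, not Symantec code: it applies the RFC 7208 section 3.3 concatenation rule and reports string breaks that fall inside a term. The function names are hypothetical, the sample is built from the lookup output shown earlier, and the space-joined comparison illustrates a generic parsing mistake, not SMG's internals.

```python
import re

# Constructed sample: the two character-strings from the article's lookup output.
SAMPLE = ('"v=spf1 include:spf.symantec.com ip4:207.38.45.154 '
          'include:spf.messagelabs.com include:spf-ilg.symantec.com i" '
          '"nclude:spf-mtv.symantec.com ip4:63.245.193.25 ip4:63.245.197.25 '
          'ip4:63.245.201.25 ~all"')

def split_strings(presentation):
    """Split TXT rdata in presentation format into its character-strings.
    Handles backslash-escaped characters; \\DDD decimal escapes are not decoded."""
    quoted = re.findall(r'"((?:\\.|[^"\\])*)"', presentation)
    return [re.sub(r'\\(.)', r'\1', s) for s in quoted]

def spf_record(strings):
    """RFC 7208 section 3.3: concatenate with no separator, then check the version."""
    joined = "".join(strings)
    # The version tag must be exactly "v=spf1", followed by a space or end of record.
    return joined if joined[:7].lower() in ("v=spf1", "v=spf1 ") else None

def terms(record):
    """Mechanisms and modifiers that follow the version tag."""
    return record.split()[1:]

def mid_term_breaks(strings):
    """Return (left_fragment, right_fragment) for each string boundary that falls
    inside a term, i.e. with no space on either side of the break."""
    parts = [s for s in strings if s]
    breaks = []
    for left, right in zip(parts, parts[1:]):
        if left[-1] != " " and right[0] != " ":
            breaks.append((left.rsplit(" ", 1)[-1], right.split(" ", 1)[0]))
    return breaks

if __name__ == "__main__":
    strings = split_strings(SAMPLE)
    print("terms after correct concatenation:", terms(spf_record(strings)))
    print("terms if strings are space-joined (wrong):", terms(" ".join(strings)))
    print("breaks inside a term:", mid_term_breaks(strings))
```

An empty list from `mid_term_breaks` means every string boundary coincides with a space, which is the layout the workaround above asks for.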


Applies To

Symantec Messaging Gateway 10.5.2 with SPF validation enabled.