DESCRIPTION
SPF does email sender validation. For more information about SPF, please see http://www.openspf.org/
One incompatible change was introduced in version 1.7. Prior to version 1.7, connections from a local IP address (127...) would always return a Pass result. The special case was eliminated. Programs calling pySPF should not do SPF checks on locally submitted mail.
This SPF client is intended to be installed on the border MTA, checking if incoming SMTP clients are permitted to forward mail. The SPF check should be done during the MAIL FROM:<...> command.
USAGE
There are multiple ways to use this package:
To check an incoming mail request:
% pyspf [-v] {ip} {sender} {helo}
% pyspf 69.55.226.139 [email protected] mx1.wayforward.net
To test an SPF record:
% pyspf [-v] "v=spf1..." {ip} {sender} {helo}
% pyspf "v=spf1 +mx +ip4:10.0.0.1 -all" 10.0.0.1 [email protected] a
To fetch an SPF record:
% pyspf {domain}
% pyspf wayforward.net
To test this script (and to output this usage message):
% pyspf
For instance, during an SMTP exchange from client 69.55.226.139::
S: 220 mail.example.com ESMTP Postfix
C: EHLO mx1.wayforward.net
S: 250-mail.example.com
S: ...
S: 250 8BITMIME
C: MAIL FROM:<[email protected]>
Then the following command line would check if this is a valid sender:
% pyspf 69.55.226.139 [email protected] mx1.wayforward.net
('pass', 250, 'sender SPF authorized')
Command line calls return RFC 4408 result codes, i.e. 'pass', 'fail', 'neutral', 'softfail', 'permerror', or 'temperror'.
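The following is an added example, not part of the pySPF package or its documentation. It shows a border MTA hook that runs the check at MAIL FROM but skips loopback clients, as the 1.7 change described above requires. The SMTP code mapping, `fake_check` and the sample addresses are assumptions of this example; `spf.check2` is pySPF's own function and is only used when no checker is passed in.

```python
import ipaddress

# Local policy (an assumption of this example, not defined by pySPF):
# SMTP reply to give at MAIL FROM for each SPF result; others are accepted.
SMTP_POLICY = {
    "fail": (550, "reject"),
    "temperror": (451, "defer"),
}


def is_local_submission(client_ip):
    """True for loopback clients, including IPv4-mapped IPv6 loopback."""
    addr = ipaddress.ip_address(client_ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has this
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def mail_from_decision(client_ip, sender, helo, check=None):
    """Return (smtp_code, action, spf_result, explanation) for MAIL FROM."""
    if is_local_submission(client_ip):
        # Since 1.7 a 127.x client no longer gets an automatic 'pass',
        # so locally submitted mail must bypass the SPF check entirely.
        return 250, "accept", None, "local submission, SPF not checked"
    if check is None:
        import spf  # pySPF; imported lazily so the sample below runs offline
        check = spf.check2
    result, explanation = check(i=client_ip, s=sender, h=helo)
    code, action = SMTP_POLICY.get(result, (250, "accept"))
    return code, action, result, explanation


def fake_check(i, s, h):
    """Constructed stand-in for spf.check2: no DNS, fixed answers."""
    if i == "192.0.2.10":
        return "pass", "sender SPF authorized"
    return "fail", "SPF fail - not authorized"


if __name__ == "__main__":
    # Constructed sample clients: two loopback forms, one pass, one fail.
    for ip in ("127.0.0.1", "::ffff:127.0.0.1", "192.0.2.10", "198.51.100.7"):
        print(ip, mail_from_decision(ip, "user@example.org",
                                     "mx.example.org", check=fake_check))
```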
RFC 4408/7208 TEST SUITE
The package also installs the python-spf test driver and the current (as of the release date) YAML (Yet Another Markup Language) RFC 4408/7208 test definitions. As errors or improvements in the test definitions are approved, they are available from:
<http://www.openspf.net/Test_Suite>
To run the test suite, change to the directory the test suite is installed in:
$ cd /usr/share/doc/python-spf
Uncompress testspf.py.gz, testspf.py.gz, and rfc4408-tests.yml.gz
and then run testspf.py:
$ python testspf.py (also works with python3)
The test suite supports multiple allowed results with a warning for a non-preferred result. For the current version, the expected results are:
WARN: spfonly in rfc4408-tests.yml, 4.4/1: fail preferred to none
WARN: invalid-domain-long in rfc4408-tests.yml, ['4.3/1', '5/10/3']: permerror preferred to fail
WARN: txttimeout in rfc4408-tests.yml, 4.4/1: fail preferred to temperror
WARN: invalid-domain-empty-label in rfc4408-tests.yml, ['4.3/1', '5/10/3']: permerror preferred to fail
WARN: exists-dnserr in rfc4408-tests.yml, 5.7/3: fail preferred to temperror
WARN: spfoverride in rfc4408-tests.yml, 4.5/5: pass preferred to fail
WARN: multitxt1 in rfc4408-tests.yml, 4.5/5: pass preferred to permerror
WARN: mx-limit in rfc4408-tests.yml, 10.1/7: neutral preferred to permerror
WARN: multispf2 in rfc4408-tests.yml, 4.5/6: permerror preferred to pass
WARN: invalid-domain-long-via-macro in rfc4408-tests.yml, ['4.3/1', '5/10/3']: permerror preferred to fail
Due to the resolution of a number of ambiguities in the SPF specification in RFC 7208, there should be no warnings for the RFC 7208 portions of the test suite.