starred/CIPP
1
0
Fork 0
mirror of https://github.com/KelvinTegelaar/CIPP.git synced 2026-04-25 08:16:01 +03:00
Code Issues 20 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #1340] SPF Details Falsely Reporting Failure on Domain #738

New issue
Closed
opened 2026-03-02 12:44:48 +03:00 by kerem · 9 comments
kerem commented 2026-03-02 12:44:48 +03:00
Owner
Copy link

Originally created by @ErlachSupport on GitHub (Jan 26, 2023).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/1340

Description

One of my tenants is showing an error when doing an SPF check on their domain. When I looked into the SPF details, it showed it was expecting the default O365 SPF needed to be included at the beginning of the record despite existing near the end of the current record. I've moved the order and placed the O365 include statement near the front of the record. This resolved the SPF check error.

I am not sure if the SPF logic is meant to only check a certain number of statements before assuming the spf.protection.outlook.com record is missing. Scanners such as the MX Toolbox SPF checker do not show an error with the include placed at the end of the record. Attached a copy of the SPF details to show what is happening. Is this expected behavior?

Snag_341c57e

Environment data

Self-hosted in Azure using pay-as-you-go plan. Frontend version: 2.20.1. Backend version: 2.9.2. We are managing 75 tenants with 110 domains.
Originally created by @ErlachSupport on GitHub (Jan 26, 2023). Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/1340 ### Description One of my tenants is showing an error when doing an SPF check on their domain. When I looked into the SPF details, it showed it was expecting the default O365 SPF needed to be included at the beginning of the record despite existing near the end of the current record. I've moved the order and placed the O365 include statement near the front of the record. This resolved the SPF check error. I am not sure if the SPF logic is meant to only check a certain number of statements before assuming the spf.protection.outlook.com record is missing. Scanners such as the MX Toolbox SPF checker do not show an error with the include placed at the end of the record. Attached a copy of the SPF details to show what is happening. Is this expected behavior? ![Snag_341c57e](https://user-images.githubusercontent.com/74732781/214911799-6a89641c-f6bd-4e39-b1bc-9a5075e4b372.png) ### Environment data ```PowerShell Self-hosted in Azure using pay-as-you-go plan. Frontend version: 2.20.1. Backend version: 2.9.2. We are managing 75 tenants with 110 domains. ```
kerem commented 2026-03-02 12:44:49 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Jan 26, 2023):

Thank you for creating a bug. Please make sure your bug is indeed a unique case by checking current and past issues, and reading the complete documentation at https://kelvintegelaar.github.io/CIPP
If your bug is a known documentation issue, it will be closed without notice by a contributor. To confirm that this is not a bug found in the documentation, please copy and paste the following comment: "I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.".

Without confirming, your report will be closed in 24 hours. If you'd like this bug to be assigned to you, please comment "I would like to work on this please!".

<!-- gh-comment-id:1405397931 --> @github-actions[bot] commented on GitHub (Jan 26, 2023): Thank you for creating a bug. Please make sure your bug is indeed a unique case by checking current and past issues, and reading the complete documentation at https://kelvintegelaar.github.io/CIPP If your bug is a known documentation issue, it will be closed without notice by a contributor. To confirm that this is not a bug found in the documentation, please copy and paste the following comment: "I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.". Without confirming, your report will be closed in 24 hours. If you'd like this bug to be assigned to you, please comment "I would like to work on this please!".
kerem commented 2026-03-02 12:44:49 +03:00
Author
Owner
Copy link

@JohnDuprey commented on GitHub (Jan 26, 2023):

That certainly sounds like a bug. If you're on Discord, send me a PM with some details so I can look into it.

<!-- gh-comment-id:1405411674 --> @JohnDuprey commented on GitHub (Jan 26, 2023): That certainly sounds like a bug. If you're on Discord, send me a PM with some details so I can look into it.
kerem commented 2026-03-02 12:44:49 +03:00
Author
Owner
Copy link

@JohnDuprey commented on GitHub (Jan 26, 2023):

Disregard, it's one of your Barracuda MX lookups. One or both of them do not resolve anything and are causing an exception that breaks the SPF check. I've added some additional warnings for that.

<!-- gh-comment-id:1405537947 --> @JohnDuprey commented on GitHub (Jan 26, 2023): Disregard, it's one of your Barracuda MX lookups. One or both of them do not resolve anything and are causing an exception that breaks the SPF check. I've added some additional warnings for that.
kerem commented 2026-03-02 12:44:49 +03:00
Author
Owner
Copy link

@JohnDuprey commented on GitHub (Jan 26, 2023):

@ErlachSupport try to test the SPF record against The Kitterman SPF tool, it should report SPF ambiguous if my hunch is correct. https://www.kitterman.com/spf/validate.html

Example:
The explanation returned was, SPF Ambiguity Warning: No MX records found for mx mechanism

<!-- gh-comment-id:1405630981 --> @JohnDuprey commented on GitHub (Jan 26, 2023): @ErlachSupport try to test the SPF record against The Kitterman SPF tool, it should report SPF ambiguous if my hunch is correct. https://www.kitterman.com/spf/validate.html Example: ```The explanation returned was, SPF Ambiguity Warning: No MX records found for mx mechanism```
kerem commented 2026-03-02 12:44:49 +03:00
Author
Owner
Copy link

@ErlachSupport commented on GitHub (Jan 26, 2023):

John, thank you for taking a look so quickly! I tested the record against the tool but it looks like it is coming back clean:

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!

<!-- gh-comment-id:1405642517 --> @ErlachSupport commented on GitHub (Jan 26, 2023): John, thank you for taking a look so quickly! I tested the record against the tool but it looks like it is coming back clean: evaluating... SPF record passed validation test with pySPF (Python SPF library)!
kerem commented 2026-03-02 12:44:49 +03:00
Author
Owner
Copy link

@ErlachSupport commented on GitHub (Jan 26, 2023):

I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.

<!-- gh-comment-id:1405664507 --> @ErlachSupport commented on GitHub (Jan 26, 2023): I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.
kerem commented 2026-03-02 12:44:50 +03:00
Author
Owner
Copy link

@JohnDuprey commented on GitHub (Jan 26, 2023):

I still think it's a bug with the MX parsing - I'd like to see the record for that domain to confirm that it's fixed though. Happy to chat on Discord so you aren't publicly posting it.

<!-- gh-comment-id:1405675744 --> @JohnDuprey commented on GitHub (Jan 26, 2023): I still think it's a bug with the MX parsing - I'd like to see the record for that domain to confirm that it's fixed though. Happy to chat on Discord so you aren't publicly posting it.
kerem commented 2026-03-02 12:44:50 +03:00
Author
Owner
Copy link

@ErlachSupport commented on GitHub (Jan 26, 2023):

@johnduprey I've send a message via Discord. Thank you for digging into this!

<!-- gh-comment-id:1405692030 --> @ErlachSupport commented on GitHub (Jan 26, 2023): @johnduprey I've send a message via Discord. Thank you for digging into this!
kerem commented 2026-03-02 12:44:50 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Feb 5, 2023):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://cipp.app/GettingStarted/Contributions/ . Please notify the team if you are working on this yourself.

<!-- gh-comment-id:1416901132 --> @github-actions[bot] commented on GitHub (Feb 5, 2023): This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://cipp.app/GettingStarted/Contributions/ . Please notify the team if you are working on this yourself.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
docs
dev
dependabot/npm_and_yarn/dev/uiw/react-json-view-2.0.0-alpha.42
dependabot/npm_and_yarn/dev/tanstack/react-query-persist-client-5.96.2
dependabot/npm_and_yarn/dev/mui-tiptap-1.30.0
dependabot/npm_and_yarn/dev/tanstack/react-query-devtools-5.96.2
dependabot/npm_and_yarn/dev/recharts-3.8.1
dependabot/github_actions/dev/actions/setup-node-6.4.0
copilot/add-alert-for-report-only-ca
release/beta
release/nightly
docs-maintenance
v10.4.0
v10.3.0
v10.2.0
v10.1.0
v10.0.0
v8.8.0
v8.7.0
v8.6.0
v8.5.0
v8.4.0
v8.3.0
v8.2.0
v8.1.0
v8.0.0
v7.5.0
v7.4.0
v7.3.0
v7.2.0
v7.1.0
v7.0.1
v6.4.0
v6.3.0
v6.2.0
v6.1.0
v6.0.0
v5.9.0
v5.8.5
v5.8.0
v5.7.0
v5.6.0
v5.5.0
v5.4.0
v5.3.0
v5.2.0
v5.1.0
v5.0.0
v4.9.0
v4.8.0
v4.7.0
v.4.6.0
v4.5.0
v4.4.0
v4.3.0
v4.2.0
v4.1.0
v4.0.0
v3.8.0
v3.7.0
v3.6.0
v3.5.0
v3.4.0
v3.3.0
v3.2.0
v3.1.0
v3.0.0
v2.20.0
v2.19.0
v2.18.0
v2.17.0
v2.16.0
v2.15.0
v2.13.0
v2.12.0
v2.11.2
v2.1.11.0
v.2.10.0
v2.9.0
v2.8.0
v2.7.0
v2.6.0
v2.5.5
v2.5.0
v2.4.0
v.2.3.0
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
2.0.0
v1.5.1
v1.5.0
v1.4.3
v1.4.2
v1.4.0
v1.3.0
v1.2.1
v1.2.0
1.1.0
release
Labels
Clear labels   
API

   
Feature

   
NotABug

   
NotABug

   
Planned

   
Sponsor Priority

   
Sponsor Priority

   
bug

   
documentation

   
duplicate

   
enhancement

   
needs more info

   
no-activity

   
no-priority

   
not-assigned

   
pull-request

Mirrored from GitHub Pull Request

  
react-conversion

   
react-conversion

   
roadmap

   
security

   
stale

   
unconfirmed-by-user

   
unconfirmed-by-user

   
wontfix
No labels
API
Feature
NotABug
NotABug
Planned
Sponsor Priority
Sponsor Priority
bug
documentation
duplicate
enhancement
needs more info
no-activity
no-priority
not-assigned
pull-request
react-conversion
react-conversion
roadmap
security
stale
unconfirmed-by-user
unconfirmed-by-user
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/CIPP#738
No description provided.