[GH-ISSUE #582] complex SPF fails during check/validation #984

Open
opened 2026-03-14 11:21:50 +03:00 by kerem · 2 comments
Owner

Originally created by @MyUncleSam on GitHub (Jan 14, 2024).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/582

Hello,

the SPF validation fails for my SPF records.

There are a lot of ways to configure the SPF settings. In my case I am using the `redirection` function in almost all my domains. The main reason is that I want to configure the SPF records in a central place for all my domains which use the same mailservers. So my SPF record looks something like `v=spf1 redirect=spf.domain.tld` which is simply not valid by the current SPF validation.

For me I found a solution to use `v=spf1 mx include:spf.domain.tld -all` instead of `v=spf1 redirect=spf.domain.tld` which is more or less the same but a bit ugly in my eyes.

My request would be to have:

  • a better working SPF parser and validator (no idea if this is possible but I think it would be too complex for this short check)
  • or a way to set in the config domains which are not checked and always SPF valid
Author
Owner

@luckydonald commented on GitHub (Aug 1, 2025):

This is the current SPF check:

https://github.com/anonaddy/anonaddy/blob/753ccea6b955d6e0fe0fefe1dfd018fc296c78f3/app/Models/Domain.php#L261-L277

More specifically:

```php
preg_match("/^(v=spf1).*(include:spf\.".config('anonaddy.domain').'|mx).*(-|~)all$/', $r['txt']);
```

So regarding

> better working SPF parser and validator

Pretty sure it can be added there, basically one has to come up with a rule for what is allowed instead.

@MyUncleSam if you can write down what it needs to check in at least English text, someone else can look into writing code for that.

Not knowing a whole lot about SPF, I imagine if it contains `redirect=spf.domain.tld` it would follow along that domain and load the DNS records of that instead, and then apply the previous rule to that domain?

Author
Owner

@MyUncleSam commented on GitHub (Aug 2, 2025):

Thx for the feedback @luckydonald I thought more about using a real SPF library instead of doing regex magic. (I also switched from redirect to include since this post)

The simple reason is that managing SPF records with an include is much easier as soon as you have multiple domains than managing each one in their own SPF records. One example is gmail.com, which even uses a chain of includes to manage SPF records. Checking this via regex is not really working well.

So I thought using a PHP library doing the more or less complex SPF checks could lead to better checking of domain SPF records.

The PHP libraries I found (just as an example):

  • https://github.com/Mika56/PHP-SPF-Check
  • https://github.com/mlocati/spf-lib
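
The approach raised in the comments above (follow `redirect=` and `include:` to the shared record, then apply the rule there), as an added example that is not part of the original thread and not AnonAddy's code. The names `spfWalk` and `spfDelegatesTo`, the injected `$lookupTxt` resolver and the `anonaddy.example` hostnames are assumptions. It checks only the required `include:` term, because an `mx` term inside a redirect or include target is evaluated against that target's domain.

```php
<?php
// Added example, not AnonAddy code; the resolver and zone data are constructed.
const MAX_DNS_LOOKUPS = 10; // RFC 7208 limit on DNS-querying terms per check

/** Returns [required term reachable, effective policy ends in -all or ~all]. */
function spfWalk(string $domain, string $required, callable $lookupTxt, int &$fetches): array
{
    if ($fetches++ > MAX_DNS_LOOKUPS) { // first fetch is free, then at most 10 more
        throw new RuntimeException('SPF lookup limit exceeded');
    }
    $spf = preg_grep('/^v=spf1(\s|$)/i', $lookupTxt($domain));
    $terms = $spf ? preg_split('/\s+/', strtolower(trim(reset($spf)))) : [];
    $found = (bool) array_intersect([$required, '+' . $required], $terms);
    foreach (preg_grep('/^\+?include:/', $terms) as $inc) {
        $found = spfWalk(explode(':', $inc, 2)[1], $required, $lookupTxt, $fetches)[0] || $found;
    }
    if (preg_grep('/^[+?~-]?all$/', $terms)) { // redirect= is ignored when "all" is present
        return [$found, (bool) preg_grep('/^[~-]all$/', $terms)];
    }
    foreach (preg_grep('/^redirect=/', $terms) as $redir) {
        [$viaRedirect, $strict] = spfWalk(substr($redir, 9), $required, $lookupTxt, $fetches);
        return [$found || $viaRedirect, $strict];
    }
    return [$found, false]; // no "all" and no redirect: the policy is not strict
}

function spfDelegatesTo(string $domain, string $required, callable $lookupTxt): bool
{
    $fetches = 0;
    try {
        [$found, $strict] = spfWalk($domain, strtolower($required), $lookupTxt, $fetches);
    } catch (RuntimeException $e) {
        return false; // redirect/include loop or chain over the limit
    }
    return $found && $strict;
}

$zone = [ // constructed sample records
    'domain.tld' => ['v=spf1 redirect=spf.domain.tld'],
    'spf.domain.tld' => ['v=spf1 include:spf.anonaddy.example -all'],
    'spf.anonaddy.example' => ['v=spf1 ip4:192.0.2.10 -all'],
    'soft.tld' => ['v=spf1 include:spf.anonaddy.example ?all'],
    'loop.tld' => ['v=spf1 redirect=loop.tld'],
];
$lookup = fn (string $d): array => $zone[$d] ?? [];
foreach (['domain.tld', 'soft.tld', 'loop.tld'] as $d) {
    echo $d, ': ', spfDelegatesTo($d, 'include:spf.anonaddy.example', $lookup) ? 'ok' : 'rejected', "\n";
}
```

Against live DNS, the resolver could wrap `dns_get_record($domain, DNS_TXT)` and return the `txt` value of each row.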