#95 SPF validation fail for ipv6

A. Schulze

affected version: 1.3.0.beta*
- compiled with --with-spf and libspf2
- configuration "SPFSelfValidate yes"
- message sent from a ipv6 host
- message not dkim signed
- message pass spf
bug: opendmarc add spf=pass, which should result also in dmarc=pass but dmarc=none


  • Murray S. Kucherawy

    • labels: libspf2 and ipv6 --> ipv6, libspf2
    • assigned_to: Bryan Costales
    • Target: 1.2.0 --> 1.3.0
  • Murray S. Kucherawy

    • summary: 1.3.0.betaX: spf validation fail for ipv6 --> SPF validation fail for ipv6
  • A. Schulze

    A. Schulze - 2014-08-10

    while the main problem was fixed by adding SPF_request_set_ipv6_str after SPF_request_set_ipv4_str I now see messages this headers:

    Authentication-Results: mail.somaf.de; spf=fail smtp.helo=

    looks like the helo check fail on ipv6

  • Murray S. Kucherawy

    • assigned_to: Bryan Costales --> nobody
  • Michiel Hazelhof

    This bug should really be fixed as IPv6 is becoming more and more mainstream (especially among servers). Currently no IPv6 records are matched (and always result in failure).

    Example dns config of external server which fails even though the mail was sent from a correct IPv6 address):
    spf record: "v=spf1 mx -all"
    mx record: "smtp.<domain>" 10
    mx record: "fallback.<domain>" 20

    Both mx records point to an A and AAAA record.

  • Juri Haberland

    Juri Haberland - 2016-10-13

    With the attached patch (which is exactly what Andreas mentioned three comments above) it works for me - all variants: mailfrom and helo with IPv4 and IPv6.

    Mind you: it is easy to mess up the ./configure call: The code silently falls back to using the broken internal SPF code if it cannot find spf2/spf.h. So it is essential to add "--with-spf --with-spf2-include=/usr/include/spf2 --with-spf2-lib=/usr/lib" to the ./configure call (or whereever your copy of the libspf2 and spf.h is located).

    To check if really libspf2 is used, you can use strings /usr/sbin/opendmarc | grep spf2. If this returns nothing, you are using the broken internal SPF code, else it returns opendmarc_spf2_test.

  • Murray S. Kucherawy

    Strangely I missed this one because there's already a reference to "Bug #95" in the git log, which has nothing to do with this, but it made me think this one was done.

    Applied now.


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks