Sender Policy Framework (SPF)

Standards

  • RFC 7372, Email Authentication Status Codes; M. Kucherawy; IETF; 2014-09.
  • RFC 7208, Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1; S. Kitterman; IETF; 2014-04.
  • RFC 4408, Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1; M. Wong, W. Schlitt; IETF; 2006-04.

Argot

  • ADministrative Management Domain (ADMD)
  • Sender Policy Framework (SPF)

sendmail, still, intermittently, gives “host map: lookup ($domain): deferred”

Previously

sendmail gives “host map: lookup ($domain): deferred”, 2015-03-04.

Continuing

And yet it continues to happen intermittently

  • Has something to do with IPv6 vs IPv4
  • Once sendmail is in that state, it never recovers, i.e.
    • the queue never clears
    • its growth is unbounded
  • the only remedies are manual intervention
    • sendmail -q (manually)
    • systemctl restart sendmail (manually)

Debug

$ sendmail -v -d8.32 -qIMessageID

Actualities

$ sudo sendmail -v -d8.32 -qIt85HF6hG025984
Running /var/spool/mqueue/t85HF6hG025984 (sequence 1 of 1)
dns_getcanonname(sender.example.com, trymx=1)
dns_getcanonname: trying sender.example.com. (AAAA)
	NO: errno=0, h_errno=4
dns_getcanonname: trying sender.example.com. (A)
	YES
dns_getcanonname: sender.example.com
dns_getcanonname(emerson.baker.org, trymx=1)
dns_getcanonname: trying emerson.baker.org. (AAAA)
	NO: errno=0, h_errno=4
dns_getcanonname: trying emerson.baker.org. (A)
	NO: errno=0, h_errno=4
dns_getcanonname: trying emerson.baker.org. (MX)
	YES
dns_getcanonname: emerson.baker.org
getmxrr(smart.mail.example.emerson.baker.org, droplocalhost=1)
getmxrr: res_search(smart.mail.example.emerson.baker.org) failed (errno=0, h_errno=4)
dns_getcanonname(smart.mail.example.emerson.baker.org, trymx=0)
dns_getcanonname: trying smart.mail.example.emerson.baker.org. (AAAA)
	NO: errno=0, h_errno=4
dns_getcanonname: trying smart.mail.example.emerson.baker.org. (A)
	YES
dns_getcanonname: smart.mail.example.emerson.baker.org
... Connecting to smart.mail.example.emerson.baker.org. via relay...
220 mta.emerson.baker.org ESMTP Sendmail 8.14.5/8.14.5; Thu, 10 Sep 2015 10:17:26 -0700
>>> EHLO sender.example.com
250-mta.emerson.baker.org Hello sender.example.emerson.baker.org [192.0.2.19], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
>>> STARTTLS
220 2.0.0 Ready to start TLS
>>> EHLO sender.example.com
250-mta.emerson.baker.org Hello sender.example.emerson.baker.org [192.0.2.19], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> MAIL From: SIZE=845
250 2.1.0 ... Sender ok
>>> RCPT To:
>>> DATA
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 t8AHHQ0v004865 Message accepted for delivery
... Sent (t8AHHQ0v004865 Message accepted for delivery)
Closing connection to smart.mail.example.emerson.baker.org.
>>> QUIT
221 2.0.0 mta.emerson.baker.org closing connection

UNSOLVED: sendmail gives “host map: lookup ($domain): deferred”

tl;dr → ensure the AAAA, A and MX records are visible and are compatible with host connectivity.

i.e. don’t publish AAAA (only) for an IPv4-connected host.

Diagnostic

$ mailq
/var/spool/mqueue (1 request)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
t22GuSUb006467 72 Mon Mar 2 08:56
(host map: lookup (SOMEHOST.emerson.baker.org): deferred)

Total requests: 1
$ host -t aaaa SOMEHOST.emerson.baker.org
SOMEHOST.emerson.baker.org has IPv6 address 2001:db8::99:1
SOMEHOST.emerson.baker.org has IPv6 address 2001:db8::88:1

Debug

sendmail -v -d8.32 -qImessageID

Background

Starting with Sendmail 8.12, Sendmail queries the following 3 DNS resource records in order:

  • AAAA
  • A
  • MX

Failures earlier in the series are treated as more serious than those later, as documented. In particular, it is unreasonable to have a host with only AAAA records published, but which is only connected via IPv4.
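As an added illustration (my example, not sendmail's code), the following replays that AAAA → A → MX lookup order against constructed zone data modelled on the mailq and host output above, and flags the AAAA-only target that the tl;dr warns about. `sample_lookup`, `SAMPLE_ZONE` and the `ipv6_reachable` flag are assumptions of this example; a live check would swap in a real resolver.

```python
"""Replay sendmail's canonicalisation lookup order (AAAA, then A, then MX)
and flag the AAAA-only target that the page links to
"host map: lookup (...): deferred".  Added example, not sendmail's code."""
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed zone data standing in for live DNS answers (names lowercase,
# no trailing dot). A missing key is "no data", what sendmail logs as h_errno=4.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("somehost.emerson.baker.org", "AAAA"): ["2001:db8::99:1", "2001:db8::88:1"],
    ("smart.mail.example.emerson.baker.org", "A"): ["192.0.2.19"],
    ("emerson.baker.org", "MX"): ["10 smart.mail.example.emerson.baker.org"],
}


def sample_lookup(name: str, rrtype: str) -> List[str]:
    """Offline resolver over SAMPLE_ZONE; swap in a real resolver for live use."""
    return SAMPLE_ZONE.get((name.rstrip(".").lower(), rrtype.upper()), [])


def canonname(name: str, lookup: Lookup, trymx: bool = True) -> Tuple[str, List[str]]:
    """Mirror dns_getcanonname(): the first record type that answers wins.
    Returns (rrtype, answers), or ("", []) when nothing answered."""
    for rrtype in ["AAAA", "A"] + (["MX"] if trymx else []):
        answers = lookup(name, rrtype)
        if answers:
            return rrtype, answers
    return "", []


def diagnose(host: str, lookup: Lookup, ipv6_reachable: bool = False) -> str:
    """Classify a queued destination the way the tl;dr does: AAAA published
    without an A record is a deferral risk unless this MTA can deliver over IPv6
    (ipv6_reachable is an assumed flag describing the sending host)."""
    has_aaaa = bool(lookup(host, "AAAA"))
    has_a = bool(lookup(host, "A"))
    if has_aaaa and not has_a and not ipv6_reachable:
        return "defer-risk: AAAA-only, no A record"
    if not has_aaaa and not has_a:
        rrtype, _ = canonname(host, lookup)
        return "mx-only" if rrtype == "MX" else "no-records"
    return "ok"


if __name__ == "__main__":
    for h in ["SOMEHOST.emerson.baker.org", "smart.mail.example.emerson.baker.org"]:
        print(h, "->", diagnose(h, sample_lookup))
```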

References

Via: backfill.