SPF redirect modifier

hmiller asked:

The SPF record for <domain> replaces the current record. The
macro-expanded domain is also substituted for the current-domain in
those look-ups.

Examples:

In the following example, the client IP is 1.2.3.4 and the
current-domain is example.com.

“v=spf1 redirect=example.com”

If example.com has no SPF record, that is an error; the result is
unknown. Suppose example.com’s SPF record was “v=spf1 a -all”. Look up
the A record for example.com. If it matches 1.2.3.4, return Pass. If
there is no match, the exec fails to match, and the -all value is
used.

The domain and current-domain meaning is not very clear here.

What happens, if example1.com spf was queried,

example1.com IN MX 0 mx.example1.com.
example1.com IN TXT "v=spf1 redirect=example2.com"
mx.example1.com IN A 1.1.1.1

example2.com IN MX 0 mx.example2.com.
example2.com IN TXT "v=spf1 mx -all"
mx.example2.com IN A 2.2.2.2

Should the spf result be 1.1.1.1 OR 2.2.2.2?

My answer:

When you redirect to a domain, the redirected domain becomes the target for all subsequent DNS lookups, such as those performed by mx.

See RFC 7208 § 6.1:

The <domain-spec> portion of the redirect section is expanded as per the macro rules in Section 7. Then check_host() is evaluated with the resulting string as the <domain>. The <ip> and <sender> arguments remain the same as in the current evaluation of check_host().
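To make the redirect rule concrete, here is an added illustration (not code from the original question or answer, and not a full SPF implementation): a small check_host() evaluator that handles only the terms the thread needs, "a", "mx", "ip4", "all" with qualifiers, and the "redirect=" modifier. Real DNS is replaced by a constructed in-memory table holding exactly the records hmiller listed, and macro expansion is omitted because no macros appear in those records. Running it shows that after the redirect the "mx" mechanism is resolved against example2.com, so 2.2.2.2 passes and 1.1.1.1 fails.

```python
# Minimal SPF check_host() evaluator for the redirect example above.
# Added illustration only; it supports a subset of RFC 7208 and uses a
# constructed DNS table instead of real lookups.
import ipaddress

# Constructed zone data mirroring the question's records (not real DNS).
DNS = {
    "example1.com": {"MX": ["mx.example1.com"],
                     "TXT": ["v=spf1 redirect=example2.com"]},
    "mx.example1.com": {"A": ["1.1.1.1"]},
    "example2.com": {"MX": ["mx.example2.com"],
                     "TXT": ["v=spf1 mx -all"]},
    "mx.example2.com": {"A": ["2.2.2.2"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying terms


def lookup(name, rrtype):
    """Return the RRset for name/rrtype from the constructed table."""
    return DNS.get(name, {}).get(rrtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None."""
    recs = [t for t in lookup(domain, "TXT")
            if t == "v=spf1" or t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, sender, lookups=None):
    """Evaluate the SPF policy of <domain> for client <ip> and <sender>.

    <ip> and <sender> are carried unchanged into a redirect; only
    <domain> is replaced, which is the point of RFC 7208 section 6.1.
    """
    lookups = [0] if lookups is None else lookups  # shared counter across redirects
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain  # mechanisms with no argument use the current <domain>
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            lookups[0] += 1
            matched = ip in lookup(target, "A")
        elif mech == "mx":
            lookups[0] += 1  # the mx term itself counts once; MX-host A lookups
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        else:
            return "permerror"  # unsupported mechanism in this subset
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        lookups[0] += 1  # redirect= counts toward the same lookup limit
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, sender, lookups)
        # RFC 7208 section 6.1: no record at the redirect target is a permerror
        return "permerror" if result == "none" else result
    return "neutral"  # default result when no mechanism matched


if __name__ == "__main__":
    for client in ("1.1.1.1", "2.2.2.2"):
        print(client, check_host(client, "example1.com", "user@example1.com"))
```

Because check_host() is re-entered with example2.com as the domain, the bare "mx" in example2.com's record is resolved against example2.com's MX hosts, never example1.com's; 1.1.1.1 therefore falls through to "-all" and fails. Evaluating example2.com directly gives the same answer, which is what "the redirected domain becomes the target for all subsequent lookups" means in practice.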

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.