Article ID: 11152, created on Jul 13, 2015, last review on Jul 13, 2015

  • Applies to:
  • Plesk for Linux/Unix

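Problem

How can I check whether a domain has a correctly configured SPF record?

Cause

Resolution

The simplest approach is to use one of the following online tools: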

http://mxtoolbox.com/spf.aspx

http://www.kitterman.com/spf/validate.html

http://www.openspf.org/Tools

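To test manually from the command line, follow these steps:

First, try the command-line query tool provided by libspf2:

    /usr/bin/spfquery_static -ip 12.345.67.89 -sender from@mydomain.com -rcpt-to to@mydomain.com

A correctly configured domain produces output like this (using Google as the example):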

    $ /usr/bin/spfquery_static -ip 66.102.13.18 -sender from@gmail.com -rcpt-to to@gmail.com
    pass

    spfquery: domain of gmail.com designates 66.102.13.18 as permitted sender
    Received-SPF: pass (spfquery: domain of gmail.com designates 66.102.13.18 as permitted sender) client-ip=66.102.13.18; envelope-from=from@gmail.com;

A domain with a problem produces output like this:

    $ /usr/bin/spfquery_static -ip 12.345.67.89 -sender from@mydomain.com -rcpt-to to@gmail.com
    StartError
    Context: Failed to query MAIL-FROM
    ErrorCode: (26) DNS lookup failure
    Error: Temporary DNS failure for 'mydomain.com'.
    EndError
    (invalid)neutral
    Please see http://www.openspf.org/Why?id=from%40mydomain.com&ip=12.345.67.89&receiver=spfquery : Reason: default
    spfquery: 12.345.67.89 is neither permitted nor denied by domain of mydomain.com
    Received-SPF: neutral (spfquery: 12.345.67.89 is neither permitted nor denied by domain of domain.com) client-ip=12.345.67.89; envelope-from=from@mydomain.com;

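To investigate further, you need to know that SPF information can be published either as a TXT record or as a dedicated SPF record type. The latter is sometimes called a "type99" record. SPF information must be published in at least one of these formats. If both are used, the records must be copies of each other. These records are served by the same DNS server that serves your domain.

libspf2 then performs the SPF check. First, it queries the DNS server for an SPF record. If none is defined, it tries to look up the TXT format. If the lookups for both formats fail, the message is considered to have no SPF.

To check the records, use the dig tool:

    $ dig -t TXT gmail.com

    ; <<>> DiG 9.6.2-P2-RedHat-9.6.2-4.P2.fc11 <<>> -t TXT gmail.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39868
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

    ;; QUESTION SECTION:
    ;gmail.com.                     IN      TXT

    ;; ANSWER SECTION:
    gmail.com.              300     IN      TXT     "v=spf1 redirect=_spf.google.com"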

As you can see, the record that starts with v=spf1 is the SPF information. gmail.com has no SPF-type record, so if you look one up, you will see the following:

    $ dig -t SPF gmail.com

    ; <<>> DiG 9.6.2-P2-RedHat-9.6.2-4.P2.fc11 <<>> -t SPF gmail.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10846
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;gmail.com.                     IN      SPF

    ;; AUTHORITY SECTION:
    gmail.com.              1       IN      SOA     ns1.google.com. dns-admin.google.com. 1445323 21600 3600 1209600 300

As you can see, an SOA record is returned. Now, if we check the domain with the problem, we see the following:

    $ dig -t TXT mydomain.com
    ; <<>> DiG 9.6.2-P2-RedHat-9.6.2-4.P2.fc11 <<>> -t TXT mydomain.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14137
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mydomain.com.             IN      TXT

    ;; AUTHORITY SECTION:
    mydomain.com.      1       IN      SOA     ns1.mydomain.com. ns2.mydomain.com. 2006070615 10800 3600 604800 180

There is no TXT record, but otherwise everything is fine. Let's look at SPF:

    $ dig -t SPF mydomain.com

    ; <<>> DiG 9.6.2-P2-RedHat-9.6.2-4.P2.fc11 <<>> -t SPF mydomain.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28010
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mydomain.com.             IN      SPF

There is no SPF or SOA. This means that the DNS server is claiming it knows nothing about mydomain.com. Since this is the DNS server that is responsible for the domain name, there is no one else to ask. Therefore, it is considered a DNS query error, and libspf2 handles it as such. 
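The lookup order described above, as an added shell example that is not part of the original article or of libspf2: it classifies saved `dig` responses for the SPF and TXT types and reports which case applies. The function names and verdict strings are assumptions, and the sample responses are constructed by trimming the listings above.

```shell
#!/bin/sh
# Added example, not the article's or libspf2's code.

# classify_dig: read one dig response on stdin and print
#   record   - v=spf1 data present in the answer
#   empty    - lookup worked (NOERROR/NXDOMAIN) but returned no v=spf1 data
#   dnserror - anything else, e.g. SERVFAIL or no reply at all
classify_dig() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        !/^;/ && /"v=spf1[ "]/ { found = 1 }
        END {
            if (status != "NOERROR" && status != "NXDOMAIN") print "dnserror"
            else if (found) print "record"
            else print "empty"
        }'
}

# spf_verdict SPF_OUTPUT TXT_OUTPUT: apply the order described above
# (SPF type first, TXT only as a fallback) to two saved dig responses.
spf_verdict() {
    spf=$(printf '%s\n' "$1" | classify_dig)
    txt=$(printf '%s\n' "$2" | classify_dig)
    if   [ "$spf" = dnserror ]; then echo dns-error   # failure, no fallback
    elif [ "$spf" = record ];   then echo spf-type
    elif [ "$txt" = dnserror ]; then echo dns-error
    elif [ "$txt" = record ];   then echo txt
    else echo none
    fi
}

# Constructed samples, trimmed from the gmail.com and mydomain.com listings.
GMAIL_SPF=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
GMAIL_TXT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39868
gmail.com.  300 IN TXT "v=spf1 redirect=_spf.google.com"'
BAD_SPF=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28010'
BAD_TXT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14137
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

spf_verdict "$GMAIL_SPF" "$GMAIL_TXT"   # prints: txt
spf_verdict "$BAD_SPF" "$BAD_TXT"       # prints: dns-error

# Against live DNS (replace the placeholder domain):
#   spf_verdict "$(dig -t SPF example.com)" "$(dig -t TXT example.com)"
```

RFC 7208 retired the SPF (type 99) record type, so current validators query TXT only; the order modelled here is the one this article describes for libspf2. The `dns-error` verdict on the second sample is the case where a broken type-99 answer hides an otherwise clean TXT lookup.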
