Handle RFC6652

Closes: https://framagit.org/happyDomain/happydeliver/-/issues/1
2025-11-07 14:09:05 +07:00 · 2025-11-07 14:09:05 +07:00 · deb9fd4f51
commit deb9fd4f51
parent c52a3aa8a7
2 changed files with 31 additions and 2 deletions
--- a/pkg/analyzer/dns_spf.go
+++ b/pkg/analyzer/dns_spf.go
@ -191,8 +191,12 @@ func (d *DNSAnalyzer) isValidSPFMechanism(token string) error {

 	// Check if it's a modifier (contains =)
 	if strings.Contains(mechanism, "=") {
-		// Only allow known modifiers: redirect= and exp=
-		if strings.HasPrefix(mechanism, "redirect=") || strings.HasPrefix(mechanism, "exp=") {
+		// Allow known modifiers: redirect=, exp=, and RFC 6652 modifiers (ra=, rp=, rr=)
+		if strings.HasPrefix(mechanism, "redirect=") ||
+			strings.HasPrefix(mechanism, "exp=") ||
+			strings.HasPrefix(mechanism, "ra=") ||
+			strings.HasPrefix(mechanism, "rp=") ||
+			strings.HasPrefix(mechanism, "rr=") {
 			return nil
 		}

--- a/pkg/analyzer/dns_spf_test.go
+++ b/pkg/analyzer/dns_spf_test.go
@ -122,6 +122,31 @@ func TestValidateSPF(t *testing.T) {
 			expectError: true,
 			errorMsg:    "unknown modifier",
 		},
+		{
+			name:        "Valid SPF with RFC 6652 ra modifier",
+			record:      "v=spf1 mx ra=postmaster -all",
+			expectError: false,
+		},
+		{
+			name:        "Valid SPF with RFC 6652 rp modifier",
+			record:      "v=spf1 mx rp=100 -all",
+			expectError: false,
+		},
+		{
+			name:        "Valid SPF with RFC 6652 rr modifier",
+			record:      "v=spf1 mx rr=all -all",
+			expectError: false,
+		},
+		{
+			name:        "Valid SPF with all RFC 6652 modifiers",
+			record:      "v=spf1 mx ra=postmaster rp=50 rr=fail -all",
+			expectError: false,
+		},
+		{
+			name:        "Valid SPF with RFC 6652 modifiers and redirect",
+			record:      "v=spf1 ip4:192.0.2.0/24 ra=abuse redirect=_spf.example.com",
+			expectError: false,
+		},
 	}

 	analyzer := NewDNSAnalyzer(5 * time.Second)