[Minor] SPF: Make (almost) all unresolveable records PERMFAIL

src/libserver/spf.c

@@ -708,7 +708,11 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 	else if (reply->code == RDNS_RC_NXDOMAIN || reply->code == RDNS_RC_NOREC) {
 		switch (cb->cur_action) {
 			case SPF_RESOLVE_MX:
-				if (rdns_request_has_type (reply->request, RDNS_REQUEST_MX)) {
+				if (!rdns_request_has_type (reply->request, RDNS_REQUEST_MX)
+						&& !rdns_request_has_type (reply->request, RDNS_REQUEST_A)
+						&& !rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
+					cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+					cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 					msg_debug_spf (
 							"<%s>: spf error for domain %s: cannot find MX record for %s",
 							task->message_id,
@@ -716,7 +720,10 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 							cb->resolved->cur_domain);
 					spf_record_addr_set (addr, FALSE);
 				}
-				else {
+				else if (!rdns_request_has_type (reply->request, RDNS_REQUEST_A)
+						&& !rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
+					cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+					cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 					msg_debug_spf (
 							"<%s>: spf error for domain %s: cannot resolve MX record for %s",
 							task->message_id,
@@ -726,25 +733,32 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 				}
 				break;
 			case SPF_RESOLVE_A:
+				cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+				cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 				if (rdns_request_has_type (reply->request, RDNS_REQUEST_A)) {
 					spf_record_addr_set (addr, FALSE);
 				}
 				break;
 			case SPF_RESOLVE_AAA:
+				cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+				cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 				if (rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
 					spf_record_addr_set (addr, FALSE);
 				}
 				break;
 			case SPF_RESOLVE_PTR:
+				cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+				cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 				spf_record_addr_set (addr, FALSE);
 				break;
 			case SPF_RESOLVE_REDIRECT:
+				cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+				cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 				msg_debug_spf (
 						"<%s>: spf error for domain %s: cannot resolve TXT record for %s",
 						task->message_id,
 						cb->rec->sender_domain,
 						cb->resolved->cur_domain);
-				cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 				break;
 			case SPF_RESOLVE_INCLUDE:
 				msg_debug_spf (
@@ -752,8 +766,8 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 						task->message_id,
 						cb->rec->sender_domain,
 						cb->resolved->cur_domain);
+				cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 				cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
-				cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL;
 				break;
 			case SPF_RESOLVE_EXP:
 				break;
@@ -762,16 +776,8 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 				break;
 		}
 	}
-	else if ((cb->cur_action == SPF_RESOLVE_INCLUDE ||
-			cb->cur_action == SPF_RESOLVE_REDIRECT) ||
-			reply->code == RDNS_RC_TIMEOUT) {
-		if ((cb->cur_action == SPF_RESOLVE_INCLUDE || cb->cur_action == SPF_RESOLVE_REDIRECT) &&
-				(reply->code == RDNS_RC_NOREC && reply->code == RDNS_RC_NXDOMAIN)) {
-			cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
-		}
-		else {
-			cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL;
-		}
+	else {
+		cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL;
 		msg_info_spf (
 				"<%s>: spf error for domain %s: cannot resolve %s DNS record for"
 				" %s: %s",

src/plugins/spf.c

@@ -397,7 +397,12 @@ spf_check_element (struct spf_resolved *rec, struct spf_addr *addr,
 			spf_result[0] = '-';
 			spf_message = "(SPF): spf fail";
 			if (addr->flags & RSPAMD_SPF_FLAG_ANY) {
-				if (rec->temp_failed) {
+				if (rec->perm_failed) {
+					msg_info_task ("do not apply SPF failed policy, as we have "
+							"some addresses unresolved");
+					spf_symbol = spf_module_ctx->symbol_permfail;
+				}
+				else if (rec->temp_failed) {
 					msg_info_task ("do not apply SPF failed policy, as we have "
 							"some addresses unresolved");
 					spf_symbol = spf_module_ctx->symbol_dnsfail;
@@ -411,7 +416,12 @@ spf_check_element (struct spf_resolved *rec, struct spf_addr *addr,
 			spf_result[0] = '~';
 
 			if (addr->flags & RSPAMD_SPF_FLAG_ANY) {
-				if (rec->temp_failed) {
+				if (rec->perm_failed) {
+					msg_info_task ("do not apply SPF failed policy, as we have "
+							"some addresses unresolved");
+					spf_symbol = spf_module_ctx->symbol_permfail;
+				}
+				else if (rec->temp_failed) {
 					msg_info_task ("do not apply SPF failed policy, as we have "
 							"some addresses unresolved");
 					spf_symbol = spf_module_ctx->symbol_dnsfail;
@@ -478,7 +488,7 @@ spf_plugin_callback (struct spf_resolved *record, struct rspamd_task *task,
 				1,
 				NULL);
 	}
-	else if (record && record->perm_failed) {
+	else if (record && record->elts->len == 0 && record->perm_failed) {
 		rspamd_task_insert_result (task,
 				spf_module_ctx->symbol_permfail,
 				1,

test/functional/cases/115_dmarc.robot

@@ -77,10 +77,10 @@ DKIM PERMFAIL BAD RECORD
   ...  -i  37.48.67.26
   Check Rspamc  ${result}  R_DKIM_PERMFAIL
 
-SPF DNSFAIL UNRESOLVEABLE INCLUDE
+SPF PERMFAIL UNRESOLVEABLE INCLUDE
   ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
-  ...  -i  37.48.67.26  -F  x@openarena.za.net
-  Check Rspamc  ${result}  R_SPF_DNSFAIL
+  ...  -i  37.48.67.26  -F  x@fail3.org.org.za
+  Check Rspamc  ${result}  R_SPF_PERMFAIL
 
 SPF DNSFAIL FAILED INCLUDE
   ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
@@ -89,7 +89,7 @@ SPF DNSFAIL FAILED INCLUDE
 
 SPF ALLOW UNRESOLVEABLE INCLUDE
   ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
-  ...  -i  8.8.8.8  -F  x@openarena.za.net
+  ...  -i  8.8.8.8  -F  x@fail3.org.org.za
   Check Rspamc  ${result}  R_SPF_ALLOW
 
 SPF ALLOW FAILED INCLUDE
@@ -114,7 +114,7 @@ SPF NA NXDOMAIN
 
 SPF PERMFAIL UNRESOLVEABLE REDIRECT
   ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
-  ...  -i  8.8.8.8  -F  x@cacophony.za.org
+  ...  -i  8.8.8.8  -F  x@fail4.org.org.za
   Check Rspamc  ${result}  R_SPF_PERMFAIL
 
 SPF DNSFAIL FAILED REDIRECT
@@ -122,9 +122,9 @@ SPF DNSFAIL FAILED REDIRECT
   ...  -i  8.8.8.8  -F  x@fail1.org.org.za
   Check Rspamc  ${result}  R_SPF_DNSFAIL
 
-SPF PERMFAIL
+SPF PERMFAIL NO USEABLE ELEMENTS
   ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
-  ...  -i  8.8.8.8  -F  x@xzghgh.za.org
+  ...  -i  8.8.8.8  -F  x@fail5.org.org.za
   Check Rspamc  ${result}  R_SPF_PERMFAIL
 
 SPF FAIL
@@ -132,6 +132,26 @@ SPF FAIL
   ...  -i  8.8.8.8  -F  x@example.net
   Check Rspamc  ${result}  R_SPF_FAIL
 
+SPF PERMFAIL UNRESOLVEABLE MX
+  ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
+  ...  -i  1.2.3.4  -F  x@fail6.org.org.za
+  Check Rspamc  ${result}  R_SPF_PERMFAIL
+
+SPF PERMFAIL UNRESOLVEABLE A
+  ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
+  ...  -i  1.2.3.4  -F  x@fail7.org.org.za
+  Check Rspamc  ${result}  R_SPF_PERMFAIL
+
+SPF DNSFAIL FAILED A
+  ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
+  ...  -i  1.2.3.4  -F  x@fail8.org.org.za
+  Check Rspamc  ${result}  R_SPF_DNSFAIL
+
+SPF DNSFAIL FAILED MX
+  ${result} =  Scan Message With Rspamc  ${TESTDIR}/messages/dmarc/bad_dkim1.eml
+  ...  -i  1.2.3.4  -F  x@fail9.org.org.za
+  Check Rspamc  ${result}  R_SPF_DNSFAIL
+
 *** Keywords ***
 DMARC Setup
   ${PLUGIN_CONFIG} =  Get File  ${TESTDIR}/configs/dmarc.conf