coppertone 0.0.1

data/spec/open_spf/MX_mechanism_syntax_spec.rb

@@ -0,0 +1,119 @@
+require 'spec_helper'
+
+describe 'MX mechanism syntax' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }, { 'MX' => [0, ''] }, { 'TXT' => 'v=spf1 mx' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 mx/0 -all' }, { 'MX' => [0, 'e1.example.com'] }], 'e2.example.com' => [{ 'A' => '1.1.1.1' }, { 'AAAA' => '1234::2' }, { 'MX' => [0, 'e2.example.com'] }, { 'TXT' => 'v=spf1 mx/0 -all' }], 'e2a.example.com' => [{ 'AAAA' => '1234::1' }, { 'MX' => [0, 'e2a.example.com'] }, { 'TXT' => 'v=spf1 mx//0 -all' }], 'e2b.example.com' => [{ 'A' => '1.1.1.1' }, { 'MX' => [0, 'e2b.example.com'] }, { 'TXT' => 'v=spf1 mx//0 -all' }], 'e3.example.com' => [{ 'TXT' => "v=spf1 mx:foo.example.com\u0000" }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 mx' }, { 'A' => '1.2.3.4' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 mx:abc.123' }], 'e6.example.com' => [{ 'TXT' => 'v=spf1 mx//33 -all' }], 'e6a.example.com' => [{ 'TXT' => 'v=spf1 mx/33 -all' }], 'e7.example.com' => [{ 'TXT' => 'v=spf1 mx//129 -all' }], 'e9.example.com' => [{ 'TXT' => 'v=spf1 mx:example.com:8080' }], 'e10.example.com' => [{ 'TXT' => 'v=spf1 mx:foo.example.com/24' }], 'foo.example.com' => [{ 'MX' => [0, 'foo1.example.com'] }], 'foo1.example.com' => [{ 'A' => '1.1.1.1' }, { 'A' => '1.2.3.5' }], 'e11.example.com' => [{ 'TXT' => 'v=spf1 mx:foo:bar/baz.example.com' }], 'foo:bar/baz.example.com' => [{ 'MX' => [0, 'foo:bar/baz.example.com'] }, { 'A' => '1.2.3.4' }], 'e12.example.com' => [{ 'TXT' => 'v=spf1 mx:example.-com' }], 'e13.example.com' => [{ 'TXT' => 'v=spf1 mx: -all' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'MX                = "mx"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e6.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'MX                = "mx"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e6a.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'MX                = "mx"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e7.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'MX matches any returned IP.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e10.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'MX matches any returned IP.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e10.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'domain-spec must pass basic syntax checks' do
+    # A \':\' may appear in domain-spec, but not in top-label.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e9.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'If no ips are returned, MX mechanism does not match, even with /0.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Matches if any A records for any MX records are present in DNS.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'cidr4 doesnt apply to IP6 connections.' do
+    # The IP6 CIDR starts with a double slash.
+    result = Coppertone::SpfService.authenticate_email('1234::1', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Would match if any AAAA records for MX records are present in DNS, but not for an IP4 connection.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2a.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Would match if any AAAA records for MX records are present in DNS, but not for an IP4 connection.' do
+    result = Coppertone::SpfService.authenticate_email('::FFFF:1.2.3.4', 'foo@e2a.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Matches if any AAAA records for any MX records are present in DNS.' do
+    result = Coppertone::SpfService.authenticate_email('1234::1', 'foo@e2a.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'No match if no AAAA records for any MX records are present in DNS.' do
+    result = Coppertone::SpfService.authenticate_email('1234::1', 'foo@e2b.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Null not allowed in top-label.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'Top-label may not be all numeric' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'Domain-spec may contain any visible char except %' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e11.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Domain-spec may contain any visible char except %' do
+    result = Coppertone::SpfService.authenticate_email('::FFFF:1.2.3.4', 'foo@e11.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Toplabel may not begin with -' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e12.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'test null MX' do
+    # Some implementations have had trouble with null MX
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', '', 'mail.example.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it 'If the target name has no MX records, check_host() MUST NOT pretend the target is its single MX, and MUST NOT default to an A lookup on the target-name directly.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it 'domain-spec cannot be empty.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e13.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/Macro_expansion_rules_spec.rb

@@ -0,0 +1,154 @@
+require 'spec_helper'
+
+describe 'Macro expansion rules' do
+  let(:zonefile) do
+    { 'example.com.d.spf.example.com' => [{ 'TXT' => 'v=spf1 redirect=a.spf.example.com' }], 'a.spf.example.com' => [{ 'TXT' => 'v=spf1 include:o.spf.example.com. ~all' }], 'o.spf.example.com' => [{ 'TXT' => 'v=spf1 ip4:192.168.218.40' }], 'msgbas2x.cos.example.com' => [{ 'A' => '192.168.218.40' }], 'example.com' => [{ 'A' => '192.168.90.76' }, { 'TXT' => 'v=spf1 redirect=%{d}.d.spf.example.com.' }], 'exp.example.com' => [{ 'TXT' => 'v=spf1 exp=msg.example.com. -all' }], 'msg.example.com' => [{ 'TXT' => 'This is a test.' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 -exists:%(ir).sbl.example.com ?all' }], 'e1e.example.com' => [{ 'TXT' => 'v=spf1 exists:foo%(ir).sbl.example.com ?all' }], 'e1t.example.com' => [{ 'TXT' => 'v=spf1 exists:foo%.sbl.example.com ?all' }], 'e1a.example.com' => [{ 'TXT' => 'v=spf1 a:macro%%percent%_%_space%-url-space.example.com -all' }], 'macro%percent  space%20url-space.example.com' => [{ 'A' => '1.2.3.4' }], 'e2.example.com' => [{ 'TXT' => 'v=spf1 -all exp=%{r}.example.com' }], 'e3.example.com' => [{ 'TXT' => 'v=spf1 -all exp=%{ir}.example.com' }], '40.218.168.192.example.com' => [{ 'TXT' => 'Connections from %{c} not authorized.' }], 'somewhat.long.exp.example.com' => [{ 'TXT' => 'v=spf1 -all exp=foobar.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.example.com' }], 'somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.example.com' => [{ 'TXT' => 'Congratulations!  That was tricky.' }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 -all exp=e4msg.example.com' }], 'e4msg.example.com' => [{ 'TXT' => '%{c} is queried as %{ir}.%{v}.arpa' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 a:%{a}.example.com -all' }], 'e6.example.com' => [{ 'TXT' => 'v=spf1 -all exp=e6msg.example.com' }], 'e6msg.example.com' => [{ 'TXT' => 'connect from %{p}' }], 'mx.example.com' => [{ 'A' => '192.168.218.41' }, { 'A' => '192.168.218.42' }, { 'AAAA' => 'CAFE:BABE::2' }, { 'AAAA' => 'CAFE:BABE::3' }], '40.218.168.192.in-addr.arpa' => [{ 'PTR' => 'mx.example.com' }], '41.218.168.192.in-addr.arpa' => [{ 'PTR' => 'mx.example.com' }], '42.218.168.192.in-addr.arpa' => [{ 'PTR' => 'mx.example.com' }, { 'PTR' => 'mx.e7.example.com' }], '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa' => [{ 'PTR' => 'mx.example.com' }], '3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa' => [{ 'PTR' => 'mx.example.com' }], 'mx.e7.example.com' => [{ 'A' => '192.168.218.42' }], 'mx.e7.example.com.should.example.com' => [{ 'A' => '127.0.0.2' }], 'mx.example.com.ok.example.com' => [{ 'A' => '127.0.0.2' }], 'e7.example.com' => [{ 'TXT' => 'v=spf1 exists:%{p}.should.example.com ~exists:%{p}.ok.example.com' }], 'e8.example.com' => [{ 'TXT' => 'v=spf1 -all exp=msg8.%{D2}' }], 'msg8.example.com' => [{ 'TXT' => 'http://example.com/why.html?l=%{L}' }], 'e9.example.com' => [{ 'TXT' => 'v=spf1 a:%{H} -all' }], 'e10.example.com' => [{ 'TXT' => 'v=spf1 -include:_spfh.%{d2} ip4:1.2.3.0/24 -all' }], '_spfh.example.com' => [{ 'TXT' => 'v=spf1 -a:%{h} +all' }], 'e11.example.com' => [{ 'TXT' => 'v=spf1 exists:%{i}.%{l2r-}.user.%{d2}' }], '1.2.3.4.gladstone.philip.user.example.com' => [{ 'A' => '127.0.0.2' }], 'e12.example.com' => [{ 'TXT' => 'v=spf1 exists:%{l2r+-}.user.%{d2}' }], 'bar.foo.user.example.com' => [{ 'A' => '127.0.0.2' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'trailing dot is ignored for domains' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'trailing dot is not removed from explanation' do
+    # A simple way for an implementation to ignore trailing dots on domains is to remove it when present.  But be careful not to remove it for explanation text.
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@exp.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('This is a test.')
+  end
+
+  it 'The following macro letters are allowed only in "exp" text: c, r, t' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e2.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'A % character not followed by a {, %, -, or _ character is a syntax error.' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e1.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'A % character not followed by a {, %, -, or _ character is a syntax error.' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e1e.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'A % character not followed by a {, %, -, or _ character is a syntax error.' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e1t.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'macro-encoded percents (%%), spaces (%_), and URL-percent-encoded spaces (%-)' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'test@e1a.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'For IPv4 addresses, both the "i" and "c" macros expand to the standard dotted-quad format.' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e3.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('Connections from 192.168.218.40 not authorized.')
+  end
+
+  it 'When the result of macro expansion is used in a domain name query, if the expanded domain name exceeds 253 characters, the left side is truncated to fit, by removing successive domain labels until the total length does not exceed 253 characters.' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@somewhat.long.exp.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('Congratulations!  That was tricky.')
+  end
+
+  it 'v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e4.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('192.168.218.40 is queried as 40.218.168.192.in-addr.arpa')
+  end
+
+  it 'v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6' do
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE::1', 'test@e4.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('cafe:babe::1 is queried as 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa')
+  end
+
+  it 'Allowed macros chars are slodipvh plus crt in explanation.' do
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE::192.168.218.40', 'test@e5.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'p = the validated domain name of <ip>' do
+    # The PTR in this example does not validate.
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e6.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('connect from unknown')
+  end
+
+  it 'p = the validated domain name of <ip>' do
+    pending 'It is currently unclear, based on RFC 7208, why this spec should pass.'
+    # If a subdomain of the <domain> is present, it SHOULD be used.
+    result = Coppertone::SpfService.authenticate_email('192.168.218.41',
+                                                       'test@e6.example.com',
+                                                       'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('connect from mx.example.com')
+  end
+
+  it 'p = the validated domain name of <ip>' do
+    # The PTR in this example does not validate.
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE::1', 'test@e6.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('connect from unknown')
+  end
+
+  it 'p = the validated domain name of <ip>' do
+    pending 'It is currently unclear, based on RFC 7208, why this spec should pass.'
+    # If a subdomain of the <domain> is present, it SHOULD be used.
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE::3', 'test@e6.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('connect from mx.example.com')
+  end
+
+  it 'p = the validated domain name of <ip>' do
+    # If a subdomain of the <domain> is present, it SHOULD be used.
+    result = Coppertone::SpfService.authenticate_email('192.168.218.42', 'test@e7.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(pass softfail)).to include(result.code)
+  end
+
+  it 'Uppercased macros expand exactly as their lowercased equivalents, and are then URL escaped.  All chars not in the unreserved set MUST be escaped.' do
+    # unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
+    result = Coppertone::SpfService.authenticate_email('192.168.218.42', '~jack&jill=up-a_b3.c@e8.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('http://example.com/why.html?l=~jack%26jill%3Dup-a_b3.c')
+  end
+
+  it 'h = HELO/EHLO domain' do
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e9.example.com', 'msgbas2x.cos.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'h = HELO/EHLO domain, but HELO is invalid' do
+    # Domain-spec must end in either a macro, or a valid toplabel. It is not correct to check syntax after macro expansion.
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e9.example.com', 'JUMPIN\' JUPITER', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'h = HELO/EHLO domain, but HELO is a domain literal' do
+    # Domain-spec must end in either a macro, or a valid toplabel. It is not correct to check syntax after macro expansion.
+    result = Coppertone::SpfService.authenticate_email('192.168.218.40', 'test@e9.example.com', '[192.168.218.40]', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Example of requiring valid helo in sender policy.  This is a complex policy testing several points at once.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'test@e10.example.com', 'OEMCOMPUTER', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Macro value transformation (splitting on arbitrary characters, reversal, number of right-hand parts to use)' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'philip-gladstone-test@e11.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Multiple delimiters may be specified in a macro expression.   macro-expand = ( "%{" macro-letter transformers *delimiter "}" )                  / "%%" / "%_" / "%-"' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo-bar+zip+quux@e12.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+end

data/spec/open_spf/PTR_mechanism_syntax_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe 'PTR mechanism syntax' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 ptr/0 -all' }], 'e2.example.com' => [{ 'TXT' => 'v=spf1 ptr:example.com -all' }], '4.3.2.1.in-addr.arpa' => [{ 'PTR' => 'e3.example.com' }, { 'PTR' => 'e4.example.com' }, { 'PTR' => 'mail.example.com' }], '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa' => [{ 'PTR' => 'e3.example.com' }], 'e3.example.com' => [{ 'TXT' => 'v=spf1 ptr -all' }, { 'A' => '1.2.3.4' }, { 'AAAA' => 'CAFE:BABE::1' }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 ptr -all' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 ptr:' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'PTR              = "ptr"    [ ":" domain-spec ]' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'Check all validated domain names to see if they end in the <target-name> domain.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Check all validated domain names to see if they end in the <target-name> domain.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Check all validated domain names to see if they end in the <target-name> domain.' do
+    # This PTR record does not validate
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Check all validated domain names to see if they end in the <target-name> domain.' do
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE::1', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'domain-spec cannot be empty.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/Processing_limits_spec.rb

@@ -0,0 +1,72 @@
+require 'spec_helper'
+
+describe 'Processing limits' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.1.1.1 redirect=e1.example.com' }, { 'A' => '1.2.3.6' }], 'e2.example.com' => [{ 'TXT' => 'v=spf1 include:e3.example.com' }, { 'A' => '1.2.3.7' }], 'e3.example.com' => [{ 'TXT' => 'v=spf1 include:e2.example.com' }, { 'A' => '1.2.3.8' }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 mx' }, { 'MX' => [0, 'mail.example.com'] }, { 'MX' => [1, 'mail.example.com'] }, { 'MX' => [2, 'mail.example.com'] }, { 'MX' => [3, 'mail.example.com'] }, { 'MX' => [4, 'mail.example.com'] }, { 'MX' => [5, 'mail.example.com'] }, { 'MX' => [6, 'mail.example.com'] }, { 'MX' => [7, 'mail.example.com'] }, { 'MX' => [8, 'mail.example.com'] }, { 'MX' => [9, 'mail.example.com'] }, { 'MX' => [10, 'e4.example.com'] }, { 'A' => '1.2.3.5' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 ptr' }, { 'A' => '1.2.3.5' }], '5.3.2.1.in-addr.arpa' => [{ 'PTR' => 'e1.example.com.' }, { 'PTR' => 'e2.example.com.' }, { 'PTR' => 'e3.example.com.' }, { 'PTR' => 'e4.example.com.' }, { 'PTR' => 'example.com.' }, { 'PTR' => 'e6.example.com.' }, { 'PTR' => 'e7.example.com.' }, { 'PTR' => 'e8.example.com.' }, { 'PTR' => 'e9.example.com.' }, { 'PTR' => 'e10.example.com.' }, { 'PTR' => 'e5.example.com.' }], 'e6.example.com' => [{ 'TXT' => 'v=spf1 a mx a mx a mx a mx a ptr ip4:1.2.3.4 -all' }, { 'A' => '1.2.3.8' }, { 'MX' => [10, 'e6.example.com'] }], 'e7.example.com' => [{ 'TXT' => 'v=spf1 a mx a mx a mx a mx a ptr a ip4:1.2.3.4 -all' }, { 'A' => '1.2.3.20' }], 'e8.example.com' => [{ 'TXT' => 'v=spf1 a include:inc.example.com ip4:1.2.3.4 mx -all' }, { 'A' => '1.2.3.4' }], 'inc.example.com' => [{ 'TXT' => 'v=spf1 a a a a a a a a' }, { 'A' => '1.2.3.10' }], 'e9.example.com' => [{ 'TXT' => 'v=spf1 a include:inc.example.com a ip4:1.2.3.4 -all' }, { 'A' => '1.2.3.21' }], 'e10.example.com' => [{ 'TXT' => 'v=spf1 a -all' }, { 'A' => '1.2.3.1' }, { 'A' => '1.2.3.2' }, { 'A' => '1.2.3.3' }, { 'A' => '1.2.3.4' }, { 'A' => '1.2.3.5' }, { 'A' => '1.2.3.6' }, { 'A' => '1.2.3.7' }, { 'A' => '1.2.3.8' }, { 'A' => '1.2.3.9' }, { 'A' => '1.2.3.10' }, { 'A' => '1.2.3.11' }, { 'A' => '1.2.3.12' }], 'e11.example.com' => [{ 'TXT' => 'v=spf1 a:err.example.com a:err1.example.com a:err2.example.com ?all' }], 'e12.example.com' => [{ 'TXT' => 'v=spf1 a:err.example.com a:err1.example.com ?all' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'there MUST be a limit of no more than 10 MX looked up and checked.' do
+    # The required result for this test was the subject of much controversy with RFC4408.  For RFC7208 the ambiguity was resolved in favor of producing a permerror result.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'there MUST be a limit of no more than 10 PTR looked up and checked.' do
+    # The result of this test cannot be permerror not only because the RFC does not specify it, but because the sender has no control over the PTR records of spammers. The preferred result reflects evaluating the 10 allowed PTR records in the order returned by the test data. If testing with live DNS, the PTR order may be random, and a pass result would still be compliant.  The SPF result is effectively randomized.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(neutral pass)).to include(result.code)
+  end
+
+  it 'unlike MX, PTR, there is no RR limit for A' do
+    # There seems to be a tendency for developers to want to limit A RRs in addition to MX and PTR.  These are IPs, not usable for 3rd party DoS attacks, and hence need no low limit.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.12', 'foo@e10.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e6.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check.' do
+    # We do not check whether an implementation counts mechanisms before or after evaluation.  The RFC is not clear on this.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e7.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check.' do
+    # The part of the RFC that talks about MAY parse the entire record first (4.6) is specific to syntax errors.  In RFC7208, processing limits are part of syntax checking (4.6).
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e8.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e9.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'SPF implementations SHOULD limit "void lookups" to two.  An  implementation MAY choose to make such a limit configurable. In this case, a default of two is RECOMMENDED.' do
+    # This is a new check in RFC7208, but it\'s been implemented in Mail::SPF for years with no issues.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e12.example.com', 'mail.example.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it 'SPF implementations SHOULD limit "void lookups" to two.  An implementation MAY choose to make such a limit configurable. In this case, a default of two is RECOMMENDED.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e11.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/Record_evaluation_spec.rb

@@ -0,0 +1,75 @@
+require 'spec_helper'
+
+describe 'Record evaluation' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 't1.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4 -all moo' }], 't2.example.com' => [{ 'TXT' => 'v=spf1 moo.cow-far_out=man:dog/cat ip4:1.2.3.4 -all' }], 't3.example.com' => [{ 'TXT' => 'v=spf1 moo.cow/far_out=man:dog/cat ip4:1.2.3.4 -all' }], 't4.example.com' => [{ 'TXT' => 'v=spf1 moo.cow:far_out=man:dog/cat ip4:1.2.3.4 -all' }], 't5.example.com' => [{ 'TXT' => 'v=spf1 redirect=t5.example.com ~all' }], 't6.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4 redirect=t2.example.com' }], 't7.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4' }], 't8.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4 redirect:t2.example.com' }], 't9.example.com' => [{ 'TXT' => 'v=spf1 a:foo-bar -all' }], 't10.example.com' => [{ 'TXT' => 'v=spf1 a:mail.example...com -all' }], 't11.example.com' => [{ 'TXT' => 'v=spf1 a:a123456789012345678901234567890123456789012345678901234567890123.example.com -all' }], 't12.example.com' => [{ 'TXT' => 'v=spf1 a:%{H}.bar -all' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'Any syntax errors anywhere in the record MUST be detected.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t1.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t2.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it '= character immediately after the name and before any ":" or "/"' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t3.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it '= character immediately after the name and before any ":" or "/"' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t4.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'The "redirect" modifier has an effect after all the mechanisms.' do
+    # The redirect in this example would violate processing limits, except that it is never used because of the all mechanism.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t5.example.com', 'mail.example.com', options)
+    expect(%i(softfail)).to include(result.code)
+  end
+
+  it 'The "redirect" modifier has an effect after all the mechanisms.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'foo@t6.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Default result is neutral.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'foo@t7.example.com', 'mail.example.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it 'Invalid mechanism.  Redirect is a modifier.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t8.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'Domain-spec must end in macro-expand or valid toplabel.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t9.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'target-name that is a valid domain-spec per RFC 4408 and RFC 7208 but an invalid domain name per RFC 1035 (empty label) should be treated as non-existent.' do
+    # An empty domain label, i.e. two successive dots, in a mechanism target-name is valid domain-spec syntax (perhaps formed from a macro expansion), even though a DNS query cannot be composed from it.  The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism could be treated as a no-match.  RFC 7208 failed to agree on which result to use, and declares the situation undefined.  The preferred test result is therefore a matter of opinion.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t10.example.com', 'mail.example.com', options)
+    expect(%i(fail permerror)).to include(result.code)
+  end
+
+  it 'target-name that is a valid domain-spec per RFC 4408 and RFC 7208 but an invalid domain name per RFC 1035 (long label) must be treated as non-existent.' do
+    # A domain label longer than 63 characters in a mechanism target-name is valid domain-spec syntax (perhaps formed from a macro expansion), even though a DNS query cannot be composed from it.  The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism could be treated as a no-match.  RFC 7208 failed to agree on which result to use, and declares the situation undefined.  The preferred test result is therefore a matter of opinion.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t11.example.com', 'mail.example.com', options)
+    expect(%i(fail permerror)).to include(result.code)
+  end
+
+  it 'target-name that is a valid domain-spec per RFC 4408 and RFC 7208 but an invalid domain name per RFC 1035 (long label) must be treated as non-existent.' do
+    # A domain label longer than 63 characters that results from macro expansion in a mechanism target-name is valid domain-spec syntax (and is not even subject to syntax checking after macro expansion), even though a DNS query cannot be composed from it.  The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism could be treated as a no-match.  RFC 7208 failed to agree on which result to use, and declares the situation undefined.  The preferred test result is therefore a matter of opinion.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@t12.example.com', '%%%%%%%%%%%%%%%%%%%%%%', options)
+    expect(%i(fail permerror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/Record_lookup_spec.rb

@@ -0,0 +1,48 @@
+require 'spec_helper'
+
+describe 'Record lookup' do
+  let(:zonefile) do
+    { 'both.example.net' => [{ 'TXT' => 'v=spf1 -all' }, { 'SPF' => 'v=spf1 -all' }], 'txtonly.example.net' => [{ 'TXT' => 'v=spf1 -all' }], 'spfonly.example.net' => [{ 'SPF' => 'v=spf1 -all' }, { 'TXT' => 'NONE' }], 'spftimeout.example.net' => [{ 'TXT' => 'v=spf1 -all' }, 'TIMEOUT'], 'txttimeout.example.net' => [{ 'SPF' => 'v=spf1 -all' }, { 'TXT' => 'NONE' }, 'TIMEOUT'], 'nospftxttimeout.example.net' => [{ 'SPF' => 'v=spf3 !a:yahoo.com -all' }, { 'TXT' => 'NONE' }, 'TIMEOUT'], 'alltimeout.example.net' => ['TIMEOUT'] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'both' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@both.example.net', 'mail.example.net', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Result is none if checking SPF records only (which you should not be doing).' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@txtonly.example.net', 'mail.example.net', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Result is none if checking TXT records only.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@spfonly.example.net', 'mail.example.net', options)
+    expect(%i(none)).to include(result.code)
+  end
+
+  it 'TXT record present, but SPF lookup times out. Result is temperror if checking SPF records only.  Fortunately, we dont do type SPF anymore.' do
+    # This actually happens for a popular braindead DNS server.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@spftimeout.example.net', 'mail.example.net', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'SPF record present, but TXT lookup times out. If only TXT records are checked, result is temperror.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@txttimeout.example.net', 'mail.example.net', options)
+    expect(%i(temperror)).to include(result.code)
+  end
+
+  it 'No SPF record present, and TXT lookup times out. If only TXT records are checked, result is temperror.' do
+    # Because TXT records is where v=spf1 records will likely be, returning temperror will try again later.  A timeout due to a braindead server is unlikely in the case of TXT, as opposed to the newer SPF RR.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@nospftxttimeout.example.net', 'mail.example.net', options)
+    expect(%i(temperror)).to include(result.code)
+  end
+
+  it 'Both TXT and SPF queries time out' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@alltimeout.example.net', 'mail.example.net', options)
+    expect(%i(temperror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/Selecting_records_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+
+describe 'Selecting records' do
+  let(:zonefile) do
+    { 'example3.com' => [{ 'TXT' => 'v=spf10' }, { 'TXT' => 'v=spf1 mx' }, { 'MX' => [0, 'mail.example1.com'] }], 'example1.com' => [{ 'TXT' => 'v=spf1' }], 'example2.com' => [{ 'TXT' => ['v=spf1', 'mx'] }], 'mail.example1.com' => [{ 'A' => '1.2.3.4' }], 'example4.com' => [{ 'SPF' => 'v=spf1 +all' }, { 'TXT' => 'v=spf1 -all' }], 'example5.com' => [{ 'SPF' => 'v=spf1 +all' }, { 'TXT' => 'v=spf1 -all' }, { 'TXT' => 'v=spf1 +all' }], 'example6.com' => [{ 'TXT' => 'v=spf1 -all' }, { 'TXT' => 'V=sPf1 +all' }], 'example7.com' => [{ 'TXT' => 'v=spf1 -all' }, { 'TXT' => 'v=spf1 -all' }], 'example8.com' => [{ 'SPF' => 'V=spf1 -all' }, { 'SPF' => 'v=spf1 -all' }, { 'TXT' => 'v=spf1 +all' }], 'example9.com' => [{ 'TXT' => 'v=SpF1 ~all' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'Version must be terminated by space or end of record.  TXT pieces are joined without intervening spaces.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example2.com', 'mail.example1.com', options)
+    expect(%i(none)).to include(result.code)
+  end
+
+  it 'Empty SPF record.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example1.com', 'mail1.example1.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it 'nospace2' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example3.com', 'mail.example1.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'SPF records no longer used.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example4.com', 'mail.example1.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Implementations should give permerror/unknown because of the conflicting TXT records.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example5.com', 'mail.example1.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'Multiple records is a permerror, v=spf1 is case insensitive' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example6.com', 'mail.example1.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'Multiple records is a permerror, even when they are identical. However, this situation cannot be reliably reproduced with live DNS since cache and resolvers are allowed to combine identical records.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example7.com', 'mail.example1.com', options)
+    expect(%i(permerror fail)).to include(result.code)
+  end
+
+  it 'Ignoring SPF-type records will give pass because there is a (single) TXT record.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example8.com', 'mail.example1.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'nospf' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@mail.example1.com', 'mail.example1.com', options)
+    expect(%i(none)).to include(result.code)
+  end
+
+  it 'v=spf1 is case insensitive' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@example9.com', 'mail.example1.com', options)
+    expect(%i(softfail)).to include(result.code)
+  end
+
+end