RFC-compliant handling of SPF-records with syntax errors
According to RFC 4408, checking an SPF record that contains syntax errors should return "PermError", whereas a non-permitted sender should return "Fail". Relevant sections of the RFC: 2.5.7, 4.5, 4.6, 6, 6.1, 8.1, 10.1.
Right now, policyd rejects all messages that result in a PermError. While it is desirable that all mail servers that check for SPF records reject any mail for which SPF-records contain errors — to let administrators know something is wrong with their implementation — this unfortunately leads to a lot of false positives, to a level that's unacceptable in larger environments. Policyd should have an option to define the behaviour for PermError handling, something like:
- add header and pass
- reject and print helpful error message
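
A sketch of the two proposed behaviours, added here as an illustration and not taken from policyd's code. The mode names `tag` and `reject` are hypothetical, the sample record is constructed, and only three PermError causes are checked (duplicate records, a repeated redirect/exp modifier, unknown mechanism names).

```python
import re

# Mechanism names defined by RFC 4408; anything else in mechanism position is a syntax error.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=")
MECHANISM = re.compile(r"^[+?~-]?([A-Za-z][A-Za-z0-9._-]*)(?:[:/].*)?$")


def permerror_reason(txt_records):
    """Return a short reason if the TXT records must evaluate to PermError, else None."""
    spf = [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(spf) > 1:
        return "more than one SPF record published"       # section 4.5
    if not spf:
        return None                                        # result "None", not PermError
    seen = set()
    for term in spf[0].split()[1:]:
        # DNS data is untrusted: keep only harmless characters before echoing it.
        shown = re.sub(r"[^A-Za-z0-9.:/_=+~?-]", "?", term)[:40]
        m = MODIFIER.match(term)
        if m:
            name = m.group(1).lower()
            if name in ("redirect", "exp") and name in seen:
                return f"modifier {name} given twice"      # section 6
            seen.add(name)
            continue                                       # unknown modifiers are ignored
        m = MECHANISM.match(term)
        if not m or m.group(1).lower() not in MECHANISMS:
            return f"unknown or malformed term {shown}"    # section 4.6
    return None


def policy_action(reason, mode):
    """Build the Postfix policy-delegation reply for a hypothetical permerror mode."""
    if reason is None:
        return "action=DUNNO\n\n"                          # no PermError found here
    if mode == "tag":                                      # "add header and pass"
        return f"action=PREPEND Received-SPF: permerror ({reason})\n\n"
    return f"action=REJECT Sender domain publishes an invalid SPF record: {reason}\n\n"


if __name__ == "__main__":
    sample = ["v=spf1 ipv4:192.0.2.0/24 -all"]            # constructed record with a typo
    for mode in ("tag", "reject"):
        print(mode, "->", policy_action(permerror_reason(sample), mode).strip())
```

In `tag` mode the message is accepted and the PermError is recorded in a Received-SPF header for later filtering; in `reject` mode the reply text tells the sending administrator which term broke the record.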