Bug 7911 - SPF plugin does not recognise multiple results in a single Authentication-Results header
Summary: SPF plugin does not recognise multiple results in a single Authentication-Res...
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins (show other bugs)
Version: 3.4.4
Hardware: PC Linux
: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Depends on: 6918
  Show dependency tree
Reported: 2021-05-22 13:08 UTC by dbuergin
Modified: 2021-05-22 13:57 UTC (History)
1 user (show)

Attachment Type Modified Status Actions Submitter/CLA Status

Note You need to log in before you can comment on or make changes to this bug.
Description dbuergin 2021-05-22 13:08:38 UTC
RFC 8601 is the current specification of the Authentication-Results
header. According to section 4 of RFC 8601, multiple results may be
conveyed either in multiple Authentication-Results header fields or in a
single one:

> An MTA compliant with this specification adds this header field
> (after performing one or more message authentication tests) to
> indicate which MTA or ADMD performed the test, which test was
> applied, and what the result was.  If an MTA applies more than one
> such test, it adds this header field either once per test or once
> indicating all of the results.  An MTA MUST NOT add a result to an
> existing header field.

For SPF, I interpret this to mean that the following two forms are


Authentication-Results: mail.example.org; spf=pass smtp.mailfrom=example.com
Authentication-Results: mail.example.org; spf=pass smtp.helo=mail.example.com


Authentication-Results: mail.example.org;
  spf=pass smtp.helo=mail.example.com;
  spf=pass smtp.mailfrom=example.com

The SpamAssassin SPF plugin recognises both HELO and MAIL FROM results
in the first form shown above, but not in the second form. In the second
form it only recognises the last result.

The SPF plugin should treat both forms the same and should be able to
recognise both results in the second form, too.
Comment 1 Henrik Krohns 2021-05-22 13:57:27 UTC
I think AuthRes (Bug 6918) can correctly parse such in Bug 6918, so SPF.pm should just make use if it's results I think.