Correctly handle and validate SPF macros in mechanisms and modifiers

[aharpour]

Description

This PR improves the handling of SPF macros within checkdmarc. Previously, the parser attempted to resolve DNS records for mechanisms containing macros (e.g., a:%{d}), which would fail or produce incorrect results since macros require runtime context (like the sender's IP or domain) to be expanded.

This update ensures that when a macro is detected in a mechanism or modifier, checkdmarc validates the macro's syntax but skips the associated DNS lookup.

Changes

• checkdmarc/spf.py:

  • Added logic to detect macros (presence of %) in a, mx, include, ptr, exists mechanisms and redirect, exp modifiers.
  • Implemented syntax validation for these macros using _validate_spf_macros.
  • Prevented DNS lookups for a, mx, include, redirect, and exp when macros are present, treating them as valid but unresolvable in a static context.
  • Ensured these mechanisms are still included in the parsed output.

• tests.py:

  • Added a comprehensive set of unit tests covering both valid and invalid macro syntax for all supported mechanisms:
    • a: testSPFValidAMechanismMacro, testSPFBrokenAMechanismMacro
    • mx: testSPFValidMXMechanismMacro, testSPFBrokenMXMechanismMacro
    • ptr: testSPFValidPTRMechanismMacro, testSPFBrokenPTRMechanismMacro
    • include: testSPFValidIncludeMechanismMacro, testSPFBrokenIncludeMechanismMacro
    • exists: testSPFValidExistsMechanismMacro, testSPFBrokenExistsMechanismMacro
    • redirect: testSPFValidRedirectModifierMacro, testSPFBrokenRedirectModifierMacro
    • exp: testSPFValidExpModifierMacro, testSPFBrokenExpModifierMacro

Motivation

SPF macros (RFC 7208) allow for dynamic policy records. A static analyzer like checkdmarc cannot resolve these dynamic values. Attempting to do so leads to NXDOMAIN errors or meaningless queries (e.g., looking up %{i}.example.com). This change aligns the parser's behavior with the limitations of static analysis by validating the syntax without performing the impossible resolution.

[aharpour]

Hi Sean,

It turns out the previous pull request had a small bug: it was not incrementing the DNS lookup counts when macros were used. I’ve fixed that issue and created a new pull request. I also added assertions for DNS lookup counts in the unit tests to prevent regressions.

[aharpour]

Hi Sean,

I have done a full regression test and detected no regression.

[seanthegeek]

Hi. I'm working on adding detailed typing across the library (I'm not done yet), so there are now mere conflicts. Can you address these so I can merge this?

[Copilot]

Pull request overview

This PR enhances SPF record parsing in checkdmarc to correctly handle SPF macros (e.g., %{d}, %{i}). Previously, the parser attempted DNS lookups for mechanism values containing macros, which would fail since macros require runtime context to expand. The changes validate macro syntax while skipping DNS lookups, treating macro-containing mechanisms as statically unresolvable but syntactically valid.

Key changes:

• Added macro detection (% in value) for a, mx, include, ptr, exists mechanisms and redirect, exp modifiers
• Implemented syntax validation for all macros using existing _validate_spf_macros function
• Fixed critical bugs in exp modifier: corrected parentheses placement (len(exp_txt_records) == 0 instead of len(exp_txt_records == 0)) and added missing f-string prefixes

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
checkdmarc/spf.py	Added macro detection and DNS lookup skipping for mechanisms/modifiers; fixed bugs in exp modifier (parentheses and f-strings); mechanisms with macros still count toward DNS lookup limits per RFC 7208
tests.py	Added comprehensive test coverage for valid and invalid macro syntax across all mechanisms (a, mx, ptr, include, exists) and modifiers (redirect, exp); added DNS lookup count assertions to existing tests

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.