Re: Re: rr.com and SPF records
2005-03-18 11:58:08
The reason why expensive records exist out there is because no/little thought was given to making them less expensive yet. The ability to publish SPF records has been well publicised, but there was never encouragement to publish responsibly. It's a new technology, so it is being misused in its first years. I think this is to be expected, but the technology should not be adjusted to allow the continued misuse.
Due to the fact that very few places are checking the published SPF records, we haven't yet seen the true cost of the existing SPF records.
There are many ways for a publisher to put out less expensive records, so I won't re-enumerate them here.
I am very close to releasing the spfcompile optimizer, which will allow a record to be reduced to under 2 lookups for most domains. I think 2 lookups or less should be the norm.
The handy option -flatten on spfcompile allows a record to be completely flattened to a list of IPs. Without the -flatten, only queries that are under the same administrative control will be converted.
Also, I have recently started to make measurements for how much new traffic SPF is responsible for. In a few weeks I will have meaningful stats. I would encourage others to make the same measurements.
Based on a couple of days' statistics, my SMTP-related DNS traffic exceeds that of mail transferred by a factor of 2. This is possible in part due to the fact I run a challenge-response system, so the vast amounts of spam are not transferred, and thus not counted as SMTP traffic. The EHLO/MAIL FROM/RCPT handshake is counted as SMTP traffic, though.
I would encourage others to make some measurements of their SMTP-related DNS traffic, and try to isolate the SPF-specific traffic.
Greetings,
Radu

Stuart D. Gathman wrote:

> On Fri, 18 Mar 2005, Frank Ellermann wrote:
>
> > > ISPs should limit the number of lookups to 9 or 8 so that a customer could use "include:ISP.com". Is this noted as a SHOULD in the spec?
> >
> > No, it's kind of obvious, and you could bypass restrictions by copying parts of the sender policy instead of an "include". Not good enough for some per-user policy tricks, and to copy policies of 3rd parties is a PITA, so I hope that ISPs try to limit their use of DNS-mechanisms and redirect=. And I do hope that the next generation of SPF wizards and validators can count to ten.
>
> IMHO, the limit of 10 is too low. I think it should be at least 20, and perhaps as high as 50. (I count DNS lookups.) I initially had the limit set to 10, but a significant number of otherwise reasonable policies were hitting the limit. So I raised it to 20. Much better, but still a few hitting the limit. I raised it to 50, and rr.com was the first to hit the limit in some time. I agree that the old rr.com policy was too complex. But I still think 10 is too low.
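The two things argued over in this thread, how many DNS lookups a policy costs under a 10-lookup ceiling and what a "-flatten" style optimizer actually does to a record, can be made concrete with a small offline model. The following is an added example written for this archive page; it is not code from spf-discuss or from Radu's spfcompile, and every domain, TXT record and address in it is constructed for illustration (the zone table stands in for real DNS). It counts include/a/mx/ptr/exists/redirect= terms recursively, flags records that a strict checker would reject, and hoists included networks into one literal record while rewriting the terms that cannot be resolved ahead of time (ptr, exists) with an explicit domain so they keep their meaning after being moved:

```python
"""SPF lookup counting and include-flattening over a constructed, offline zone.

Added example for this thread; it is not code from spf-discuss or from
Radu's spfcompile, and every domain and address below is made up."""

# Constructed TXT records, keyed by domain (all names are hypothetical).
ZONE = {
    "example.com":       "v=spf1 mx include:mail.example.net include:_spf.isp.example -all",
    "mail.example.net":  "v=spf1 ip4:192.0.2.0/24 a:relay.example.net -all",
    "_spf.isp.example":  "v=spf1 include:_a.isp.example include:_b.isp.example ~all",
    "_a.isp.example":    "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/48 -all",
    "_b.isp.example":    "v=spf1 ip4:198.51.100.128/25 redirect=_c.isp.example",
    "_c.isp.example":    "v=spf1 mx ptr -all",
    "heavy.example":     "v=spf1 include:example.com include:_spf.isp.example a mx -all",
}

# Constructed A/MX answers, consulted only when flattening (hypothetical IPs).
HOSTS = {
    "example.com":       {"mx": ["203.0.113.10"]},
    "relay.example.net": {"a":  ["203.0.113.20"]},
    "_c.isp.example":    {"mx": ["203.0.113.30", "203.0.113.31"]},
    "heavy.example":     {"a":  ["203.0.113.40"], "mx": ["203.0.113.41"]},
}

LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")
MAX_LOOKUPS = 10  # the per-record ceiling the thread argues about


def _split(term):
    """Return (name, argument) for one term, dropping any +/-/~/? qualifier."""
    bare = term.lstrip("+-~?")
    if "=" in bare:                       # modifier, e.g. redirect=other.example
        return tuple(bare.split("=", 1))
    if ":" in bare:                       # mechanism with argument, e.g. include:x
        return tuple(bare.split(":", 1))
    return bare, ""


def lookups_in_record(record, _path=()):
    """Count DNS-querying terms the way a strict checker would: each include,
    a, mx, ptr, exists and redirect= costs one query, and include/redirect add
    the cost of the record they pull in.  _path guards against include loops."""
    total = 0
    for term in record.split()[1:]:       # skip the v=spf1 tag
        name, arg = _split(term)
        if name not in LOOKUP_MECHS and name != "redirect":
            continue
        total += 1
        if name in ("include", "redirect") and arg not in _path:
            total += lookups_in_record(ZONE[arg], _path + (arg,))
    return total


def count_lookups(domain):
    return lookups_in_record(ZONE[domain], (domain,))


def over_limit(domain):
    """True when a checker with a 10-lookup ceiling would give up on the record."""
    return count_lookups(domain) > MAX_LOOKUPS


def flatten(domain, _path=()):
    """Resolve include/redirect/a/mx into literal networks, as an offline
    optimiser would.  Returns (networks, leftovers, final_all): leftovers are
    terms that must stay as lookups (ptr, exists), rewritten with an explicit
    domain so a bare 'ptr' still refers to the record it came from."""
    if domain in _path:                   # include loop: nothing more to hoist
        return [], [], None
    path = _path + (domain,)
    nets, leftovers, final = [], [], None
    for term in ZONE[domain].split()[1:]:
        name, arg = _split(term)
        if term[0] in "-~?" and name != "all":
            raise ValueError(f"{domain}: qualified term {term!r} is not flattened here")
        if name in ("ip4", "ip6"):
            nets.append(f"{name}:{arg}")
        elif name in ("a", "mx"):
            host = arg or domain                      # bare a/mx mean this domain
            nets.extend(f"ip4:{ip}" for ip in HOSTS[host][name])
        elif name in ("include", "redirect"):
            sub_nets, sub_left, sub_final = flatten(arg, path)
            nets.extend(sub_nets)
            leftovers.extend(sub_left)
            if name == "redirect":                    # the redirect target's 'all' applies;
                final = sub_final                     # an include's 'all' never matches
        elif name == "all":                           # for the includer, so it is dropped
            final = term
        else:                                         # ptr, exists: keep as lookups
            leftovers.append(f"{name}:{arg or domain}")
    return nets, leftovers, final


def flattened_record(domain):
    """Build the flattened TXT record for domain, in the spirit of -flatten."""
    nets, leftovers, final = flatten(domain)
    return " ".join(["v=spf1", *nets, *leftovers, *([final] if final else [])])


if __name__ == "__main__":
    for d in ("example.com", "heavy.example"):
        print(f"{d}: {count_lookups(d)} lookups, over limit: {over_limit(d)}")
    flat = flattened_record("example.com")
    print(flat, "->", lookups_in_record(flat), "lookup(s)")
```

Run stand-alone, example.com costs 9 lookups (just under the ceiling) while heavy.example, which merely includes two already-published policies and adds a and mx, costs 18, which is how "otherwise reasonable" records end up rejected. The flattened example.com record carries no include at all and costs a single lookup, the ptr term that cannot be pre-resolved. The trade-off a publisher takes on is that the flattened record is a snapshot: when the included provider changes its ranges the literal list goes stale, so flattening has to be re-run on a schedule, and a long list of ip4/ip6 terms can push the TXT record past a single UDP answer.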
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper! http://spf.pobox.com/whitepaper.pdf