Stuart D. Gathman wrote:
the spec says that at least 10 calls to check_host() must
be supported (limiting recursion via redirect and include),
Some text about "at least 10 evaluations of check_host()" was
in draft-lentczner-spf-00. But in draft-schlitt-spf-classic-00
as discussed by the IESG, and declared to be the official draft
by the elected SPF Council, it is:
| SPF implementations MUST limit the number of mechanism that
| do DNS lookups to at most 10, if this number is exceeded, a
| PermError MUST be returned. The mechanisms that count
| against this limit are "include", "a", "mx", "ptr", "exists"
| and the "redirect" modifier.
It _is_ obvious that a user trying to "include" 3 ISPs and his
own "a" and "mx" in his sender policy already uses 5 out of 10.
This leaves 5 / 3 = about 1 DNS-mechanism per included ISP, and
and otherwise any SPF "wizard" or "validator" with 10 or more
digits should cry FOUL.
We've discussed this for months here, we joked about spf.pobox
where per-user-policies were limited to 0 (zero) mechanisms,
and so far the most serious objections against this limit were
Radu's attempts to make it more restrictive.
Hell, I wanted one overall DNS query limit and counter. Nobody
supported it, therefore Wanye did the smart thing and simply
documented what his implementation does, and not what I think
is simpler and more flexible.
This is nothing you can change every two months. It's really
IMPORTANT, it could BREAK existing policies, and if we want to
break existing policies we could also support senderid-core :-(