I set up SPF for one of my subdomains to stress test systems that
check SPF on incoming mail. (You know, running code to go with the
rough consensus.) You can try them yourself on any subdomain of
slow.sp.am, e.g. yourname.slow.sp.am. The extra level of name makes
it easier for me to tell from the DNS server logs what the sequence of
requests for each message is, of someone's wondering what his system
asked as it did the checks.
I believe all of the SPF records are syntactically and semantically
valid, and they're all well within both the limits of the SPF spec and
the implementation limits in the perl reference code. They do nested
includes 10 deep and do a few MX lookups, and correctly list the hosts
from which <whatever>.slow,sp.am mail might be sent. Responses fit in
512 byte UDP DNS packets unless you use a really long subdomain name.
If you'd be willing to see how your SPF implementation does, either
tell it to check any subdomain of slow.sp.am, or I can send you mail
and see how your MTA deals with it and you can write back, since the
addresses are real. The SPF checks are likely to take an hour or more
per message, even though everything is well within the 15 second
timeout that the reference SPF code enforces.
The point of this is that we all expect bad guys to publish hostile
MARID records, so we might as well find out now how much trouble
that's going to cause.
Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com