[Top] [All Lists]

[ietf-smtp] SPF DNS query limits

2016-05-23 09:52:51
In RFC 7208 section 4.6.4 we're told that the SPF implementation should limit the number of include, a, mx, ptr and exists to 10, and if that limit is exceeded then we MUST return a 'permerror' result.

1) is this limit of 10 for the whole evaluation process, or does it restart for each 'include'/'redirect'? I've presumed it's for the whole process otherwise the total number of DNS queries is effectively unlimited if you have many nested includes, and the purpose of that section seems to be to limit them.

2) Is this limit generally being stuck to by SPF evaluation functions?

The reason I ask is that our SPF implementation is regularly hitting this limit (eg one or two per minute on a low volume server).

For instance, we got a spam message claiming to come from (chosen at random from our incoming messages). That results in:

- - contains "a mx ptr" - so that's 4 already - - contains "" - so that's 5 - - contains "" - so that's 7 - - contains "" - that's 8
- - contains "a:..." - that's 9
- - contains "" - that's 10 - - contains "" - that's 11

(there are more includes after that, but our evaluator has given up by now. In fact, the source IP address was not listed on any of the SPF records, so would have resulted in a FAIL if it had got that far).

ietf-smtp mailing list