No, not the levels should be limited, but the total number of includes
and
redirects.
I totally agree that there should be a limit on the number of DNS
lookups necessary to look up SPF records, stated in the specification -
otherwise somebody else might introduce limits in the implementations.
A low limit is fast and can always be raised in later specs.
A high limit is slow but ensures full flexibility.
If a limit is set, the arguments could be like:
10000: I cannot imagine a situation where more would be needed, it
should cover everything. It would take a long time to look up 10000 DNS
records, though.
100: Covers most situations.
5: If more than 5 are needed, major mail service providers might not
want to look up more anyway.
Instead of specifying a limit, the specification can also specify what
to do, in case an implementation chooses to set a limit. Personally I
would say, that an implementation should return "unknown", if the number
of DNS lookups required to evaluate an SPF record fully is above the
limit set by the sysadmin. The sysadmin on a low traffic server would
then probably go for an 10000 limit, and the sysadmin on a high traffic
server might go for a limit of 100.
Lars.