spf-discuss

SV: Recursion limit of 20 include/redirects total

2004-05-11 03:03:08
quote from draft:
   If a loop is detected, or if more than 20 subqueries are triggered,
   an SPF client MAY abort the lookup and return the result "unknown".
Isn't this way too relaxed?

If you use SPF to protect the trust in your domain, it is important that
a small misconfiguration doesn't result in a lost SPF protection.

Therefore, I must admit that I've changed my mind - I no longer think
that "unknown" is the correct answer if too many subqueries are
triggered.

For instance, if your spf record looks like this:

v=spf1 a:my.mail.server include:this.other.guys.mailsystem -all

and this other guy isn't too good at specifying his SPF record, you
might end up having SPF filters return "unknown", even though you want
all other e-mails but those from your own server to fail.

I think that the correct fallback to the above would be:

v=spf1 a:my.mail.server -all

In other words, the draft should be changed to:

"If a loop is detected, or if more than 20 subqueries are triggered,
an SPF client should ignore further subqueries and proceed to
interpret the rest of the SPF record without the subqueries."

An alternative could be:

"If a loop is detected, or if more than 20 subqueries are triggered,
an SPF client should find out the worst possible outcome without
doing more subqueries and return this."

This would enable people to choose whether the default should be ?all or
-all. A third one could be to enable a default setting. But since the
last item in an SPF record is essentially already the default setting, I
think that this should be used.

Lars.
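The scenario in the message above, as an added illustration that is not part of the original post and not code from the SPF draft or any SPF implementation: a toy evaluator that runs the same record under the draft's "abort and return unknown" rule and under the proposed "skip further subqueries and interpret the rest of the record" rule. The zone data (example.org, this.other.guys.mailsystem, the chain*.example records and the IP addresses) is constructed in memory in place of DNS, and only the a:, include: and all mechanisms are modelled.

```python
"""Toy SPF evaluator contrasting the draft's "abort and return unknown"
rule with the proposal to skip further subqueries and keep interpreting
the rest of the record. Added illustration, not code from the draft or
from any SPF implementation. Lookups come from constructed in-memory
tables instead of DNS, and only a:, include: and all are modelled."""

MAX_SUBQUERIES = 20  # the limit quoted from the draft

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data (assumption: none of these are real domains or hosts).
SPF_RECORDS = {
    "example.org": "v=spf1 a:my.mail.server include:this.other.guys.mailsystem -all",
    # The other guy's record includes itself: a loop.
    "this.other.guys.mailsystem": "v=spf1 a:mx.other.example include:this.other.guys.mailsystem -all",
}
A_RECORDS = {"my.mail.server": {"192.0.2.10"}, "mx.other.example": {"198.51.100.5"}}

# A 25-deep include chain ending in the legitimate server, so the
# 20-subquery limit is tripped without any loop (constructed).
for i in range(25):
    SPF_RECORDS[f"chain{i}.example"] = f"v=spf1 include:chain{i + 1}.example -all"
SPF_RECORDS["chain25.example"] = "v=spf1 a:my.mail.server -all"


def check_host(ip, domain, mode="abort", _state=None):
    """Return pass/fail/softfail/neutral/unknown for `ip` claiming `domain`.

    mode="abort": draft text, a loop or more than 20 subqueries yields "unknown".
    mode="skip":  the proposal, the offending subquery is ignored and the
                  remaining mechanisms of the current record are evaluated.
    """
    # Shared across the recursion: total subqueries and the include stack.
    state = _state if _state is not None else {"count": 0, "stack": [domain]}
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1 "):
        return "unknown"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name == "a":
            if ip in A_RECORDS.get(arg or domain, set()):
                return RESULT[qualifier]
        elif name == "include":
            state["count"] += 1
            if arg in state["stack"] or state["count"] > MAX_SUBQUERIES:
                if mode == "abort":
                    return "unknown"
                continue  # proposal: drop this subquery, keep going
            state["stack"].append(arg)
            sub = check_host(ip, arg, mode, state)
            state["stack"].pop()
            if sub == "unknown":
                return "unknown"
            if sub == "pass":
                return RESULT[qualifier]
        else:
            return "unknown"  # mechanism outside the toy model
    return "neutral"  # record ran out without a match


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.7"):
        print(ip, check_host(ip, "example.org", "abort"), check_host(ip, "example.org", "skip"))
```

Mail from my.mail.server passes under both rules because the a: mechanism matches before any subquery is made, and the other guy's server passes because its include resolves to a match. The difference is the spoofed 203.0.113.7: the other guy's self-including record trips loop detection, so the draft rule turns the whole lookup into "unknown", while the proposed rule drops that include and lets the record's own -all decide. Under the proposal the remainder of the record is what decides, so the 25-deep chain that exceeds the limit ends in "fail" rather than "unknown", even though the legitimate server sits at the end of it.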