Radu Hociung wrote:

> Do you see a problem with accumulating query counts across
> the entire SPF record evaluation process?

If all conforming implementations use the same limits, it's
fine, they would then agree on a "Permerror" for the sender
policy. It's even possible to integrate these limits in a
"SPF validator" or "SPF setup wizard".

If different implementations use different limits it's a
royal PITA, sometimes the Sender gets a PermError, but
with other recipients the very same IP has other results.

spf-classic-00 has three limits: Up to 10 DNS mechanisms
(a / ptr / mx / include / exists / redirect=), counted
over the complete evaluation, that's a MUST.

Each mx / ptr / %p has its own limit of 10 MXs or 10 PTRs,
also a MUST. If you _add_ all MX queries for different
mx mechanisms, you get completely different results.

IMHO that's a very bad idea. In Stuart's example you get
a PermError for or after the include:southeast.rr.com, but
a conforming implementation would continue its evaluation
up to include:rdc-kc.rr.com (see my parallel reply).

Bye.
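
The two counting rules contrasted in the message above, as an added example that is not part of the original post or of any SPF implementation: one counter of DNS mechanisms for the whole evaluation, and an MX limit applied either per mx mechanism or summed across all of them. The domains, the MX counts and the names `check_limits` and `sum_mx` are constructed for illustration; the walk assumes the worst case in which no mechanism matches early, and models only the mx limit, not ptr or %p.

```python
import re

DNS_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
LIMIT = 10

# Constructed sample data (hypothetical domains, not from the thread).
SPF = {
    "example.org": "v=spf1 mx include:a.example.net include:b.example.net -all",
    "a.example.net": "v=spf1 mx mx:mail.a.example.net ?all",
    "b.example.net": "v=spf1 a mx -all",
}
MX_COUNT = {"example.org": 4, "a.example.net": 4,
            "mail.a.example.net": 3, "b.example.net": 4}

class LimitExceeded(Exception):
    pass

def _walk(domain, spf, mx_count, state, sum_mx):
    for term in spf[domain].split()[1:]:           # skip "v=spf1"
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term.lower())
        if not m or m.group(1) not in DNS_TERMS:
            continue                               # ip4, ip6, all, exp= are not counted
        name, target = m.group(1), m.group(2) or domain
        state["dns"] += 1                          # one counter for the whole evaluation
        if state["dns"] > LIMIT:
            raise LimitExceeded("more than 10 DNS mechanisms")
        if name == "mx":
            found = mx_count.get(target, 0)
            # Per-mechanism rule: every mx starts again from zero.
            # Summed rule: MX names accumulate across all mx mechanisms.
            state["mx"] = state["mx"] + found if sum_mx else found
            if state["mx"] > LIMIT:
                raise LimitExceeded("more than 10 MX names")
        elif name in ("include", "redirect"):
            _walk(target, spf, mx_count, state, sum_mx)

def check_limits(domain, spf=SPF, mx_count=MX_COUNT, sum_mx=False):
    """Walk the policy tree and report whether the limits hold."""
    state = {"dns": 0, "mx": 0}
    try:
        _walk(domain, spf, mx_count, state, sum_mx)
    except LimitExceeded as exc:
        return f"PermError: {exc}"
    return f"within limits ({state['dns']} DNS mechanisms)"

if __name__ == "__main__":
    print(check_limits("example.org"))               # per-mechanism MX limit
    print(check_limits("example.org", sum_mx=True))  # MX names summed
```

The same constructed policy passes under the per-mechanism rule and fails under the summed rule, which is the divergence between receivers that the message warns about.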