On Fri, 18 Mar 2005, Frank Ellermann wrote:
ISPs should limit the number of lookups to 9 or 8 so that a
customer could use "include:ISP.com". Is this noted as a
SHOULD in the spec?
No, it's kind of obvious, and you could bypass restrictions
by copying parts of the sender policy instead of an "include".
Not good enough for some per-user policy tricks, and to copy
policies of 3rd parties is a PITA, so I hope that ISPs try
to limit their use of DNS-mechanisms and redirect=. And I do
hope that the next generation of SPF wizards and validators
can count to ten.
IMHO, the limit of 10 is too low. I think it should be at least 20,
and perhaps as high as 50. (I count DNS lookups.) I initially had the limit
set to 10, but a significant number of otherwise reasonable policies
were hitting the limit. So I raised it to 20. Much better, but
still a few hitting the limit. I raised it to 50, and rr.com was the
first to hit the limit in some time. I agree that the old rr.com policy
was too complex. But I still think 10 is too low.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.