On Fri, 2005-03-18 at 15:05, Scott Kitterman wrote:
All I said was that it's
reasonable to want redundancy in your permitted senders.
I agree. It is reasonable. But it is also reasonable to expect big
providers to, if they are publishing, give accurate and exact SPF
records and describe their entire email sending infrastructure. This
may mean large, complex SPF records. People should do what they can to
work together and make it easier on each other (ISPs providing as
succinct records as possible, for example, or simplifying their network
layout), but in some cases this may not be possible if the services that
the ISP provides are wide ranging or complex or reliable, which may
require more complexity and length to describe.
Which is exactly why your 10 limit is way to low. If you said to per level
(i.e. 10 in my record and 10 in each record I include), then I'd be inclined
to see it as reasonable. You'd have to specify a maximum depth then...
Well, the limit of 10 isn't "mine". :) I agree that a "maximum include
depth" would be "better", but that is effectively just changing the
lookup limit to be higher (which might DOS receivers) -- there's still a
limit, such that if it is reached it would return some non-PASS result
when further evaluation might not. Even with this, you still have the
same problem where ISPs SHOULD limit the complexity of their records in
order to allow their customers to include them to some arbitrary depth.
I think someone else said this, but perhaps the suggested SPF deployment
for large ISPs with complex setups SHOULD use exists: or either list all
their outbound MX IPs and/or use a stunt DNS server. ISPs should,
presumably, be able to handle that increased load and maintenance of
these records, more so than their customers who may not be up for
running their own DNS, much less their own mail server.
Ah, here it is. Radu Hociung recently said it well in
<423B55B8(_dot_)8060604(_at_)ohmi(_dot_)org>, elsewhere in this thread.
ISPs typically have full control of their mail infrastructure
(ie, all SMTP servers are in their IP space). Thus, typically
ISPs should publish SPF records that are simply lists of IPs.
--
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>