spf-discuss

Re: [spf-discuss] PermError: Too many DNS lookups at Microsoft.com

2006-05-06 12:21:23
On 05/06/2006 15:10, Hector Santos wrote:
typo correction:

----- Original Message -----
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>

While I agree MS should clean up the record, I think you will run into more
issues like this as bigger companies get on board.  This has placed an
artificial limit on their operation.

Basically what it tells the big companies:

     You can only have 10 different domains to lookup and if you
     can structure your SPF network as such, then SPF is not for
     your because SPF verifiers are going to see you as a PERM ERROR"

That should say:

     "You can only have 10 different domains to lookup and if you
      CAN'T structure your SPF network as such, then SPF is not for
      you because [NEW?] SPF verifiers are going to see you as a PERM
      ERROR."

Actually what it says (in my opinion) are two things:

1.  SPF processing limits are tight enough that you can use SPF without
worrying too much about denial of service attacks based on large records (this
threat got a lot of discussion on the list and was the source of the revised
approach to processing limits).

2.  If you are a big enough provider for the complexity of your record to
cause problems with the limits, you need to use more ip4: mechanisms in your
records.  If your mail sending is complex enough to cause a problem, you
know enough to enumerate your sending sources by IP address.

There is no actual limit based on the processing limits, just the ones that 
cause DNS lookups.

When the new limits were published, my ISP at the time had a record that was 
right at the limits (10 lookups).  As soon as I included it, I broke the 
limit.  I explained this to them and they converted their record to one more 
focused on IP4: mechanisms and all was well.

It's different, but not all bad.

The 10 lookup limit is a MUST in RFC 4408.  Do it however you want, but don't 
claim to have implemented the RFC if you do it differently :).

Scott K
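
The arithmetic behind the ISP anecdote above, as an added example that is not part of the original message: a static count of the terms RFC 4408 charges against the 10-lookup limit (include, a, mx, ptr, exists, redirect), run over constructed records. The domain names, the ZONE dictionary and the function names are assumptions made for illustration.

```python
import re

# Terms RFC 4408 counts against the limit; all, ip4 and ip6 cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed records standing in for DNS TXT answers (placeholder names).
ZONE = {
    "isp.example": "v=spf1 a mx a:m1.isp.example a:m2.isp.example "
                   "a:m3.isp.example mx:o1.isp.example mx:o2.isp.example "
                   "include:p1.isp.example include:p2.isp.example "
                   "include:p3.isp.example -all",
    "p1.isp.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "p2.isp.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "p3.isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "customer.example": "v=spf1 include:isp.example -all",
    # The same ISP after enumerating its sending sources by address.
    "isp-fixed.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                         "ip4:203.0.113.0/24 -all",
    "customer-fixed.example": "v=spf1 include:isp-fixed.example -all",
}

class PermError(Exception):
    pass

def count_lookups(domain, zone=ZONE, _seen=()):
    """Upper bound on DNS-querying terms reachable from domain's record.
    A real verifier counts while evaluating and may stop at an earlier match."""
    if domain in _seen:
        raise PermError("include/redirect loop at " + domain)
    if domain not in zone:
        raise PermError("no SPF record for " + domain)
    total = 0
    for term in zone[domain].split()[1:]:  # skip the "v=spf1" version tag
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term, re.I)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        total += 1  # the term itself is one lookup
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, _seen + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (result, count); result is 'permerror' once the limit is broken."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LIMIT else "ok", n)

if __name__ == "__main__":
    for d in ("isp.example", "customer.example", "customer-fixed.example"):
        print(d, check(d))
```

The include in customer.example is itself one counted term, which is why a record sitting exactly at 10 tips over as soon as another domain includes it.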
