My read of RFC 4408 is that the limit excludes the initial txt record lookup, and that the limit on includes is separate from the limit on "a" and "ptr" lookups.

Seems clear enough to me that "a" and "ptr" count:

   SPF implementations MUST limit the number of mechanisms and modifiers
   that do DNS lookups to at most 10 per SPF check, including any
   lookups caused by the use of the "include" mechanism or the
   "redirect" modifier.  If this number is exceeded during a check, a
   PermError MUST be returned.  The "include", "a", "mx", "ptr", and
   "exists" mechanisms as well as the "redirect" modifier do count
   against this limit.  The "all", "ip4", and "ip6" mechanisms do not ...

We're in the process of doing an update to 4408 and the new version is slightly clearer, although the rule is unchanged:

4.6.4.  DNS Lookup Limits

   SPF implementations MUST limit the total number of mechanisms and
   modifiers ("terms") that cause any DNS query to at most 10 during SPF
   evaluation.  Specifically, the "include", "a", "mx", "ptr", and
   "exists" mechanisms as well as the "redirect" modifier count against
   this collective limit.  The "all", "ip4", and "ip6" mechanisms do not
   count against this limit.  If this number is exceeded during a check,
   a permerror MUST be returned.  The "exp" modifier does not count
   against this limit because the DNS lookup to fetch the explanation
   string occurs after the SPF record evaluation has been completed.

   When evaluating the "mx" mechanism, the number of "MX" resource
   records queried is included in the overall limit of 10 mechanisms/
   modifiers that cause DNS look ups described above.  The evaluation of
   each "MX" record MUST NOT result in querying more than 10 "A"
   resource records.  If this limit is exceeded, the "mx" mechanism MUST
   produce a "permerror" result.

   When evaluating the "ptr" mechanism or the %{p} macro, the number of
   "PTR" resource records queried is included in the overall limit of 10
   mechanisms/modifiers that cause DNS look ups described above.  The
   evaluation of each "PTR" record MUST NOT result in querying more than
   10 "A" resource records.  If this limit is exceeded, all records
   other than the first 10 MUST be ignored.

   The reason for the disparity is that the set of and contents of the
   MX record are under control of the domain owner, while the set of and
   contents of PTR records are under control of the owner of the IP
   address actually making the connection.

   These limits are per mechanism or macro in the record, and are in
   addition to the lookup limits specified above.


_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
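A worst-case counter for the limit quoted above, added here as an example rather than code from the list discussion or from any SPF implementation. It counts every include/a/mx/ptr/exists/redirect term reached (the initial TXT fetch is not counted), follows every include and redirect, applies the per-"mx" cap, and raises where the text says a permerror MUST be returned; the TXT and MX zones are constructed stand-ins for DNS, not real domains.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10    # RFC 4408 / 7208 4.6.4 collective limit per SPF check
MAX_MX_HOSTS = 10   # per-"mx" cap on address records queried


class PermError(Exception):
    """Raised where the spec says a permerror MUST be returned."""


# Constructed stand-in for DNS (TXT records and MX host lists); not real domains.
TXT_ZONE = {
    "good.test": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.good.test -all",
    "_spf.good.test": "v=spf1 a mx ptr exists:%{i}.chk.good.test redirect=_spf.tail.test",
    "_spf.tail.test": "v=spf1 a -all",
    "bad.test": "v=spf1 include:_spf.good.test include:_spf.good.test -all",
    "bigmx.test": "v=spf1 mx -all",
}
MX_ZONE = {
    "good.test": ["mx1.good.test", "mx2.good.test"],
    "_spf.good.test": ["mx.good.test"],
    "bigmx.test": [f"mx{i}.bigmx.test" for i in range(11)],  # 11 MX hosts: over the cap
}

TERM_RE = re.compile(r"([a-z0-9_]+)(?:[:=]([^/]*))?(?:/.*)?$", re.I)


def spf_terms(record):
    """Yield (kind, target) per term; qualifiers, CIDR suffixes and v=spf1 are dropped."""
    for tok in record.split()[1:]:
        m = TERM_RE.match(tok.lstrip("+-~?"))
        if m:
            yield m.group(1).lower(), m.group(2) or ""


def count_lookups(domain, txt=TXT_ZONE, mx=MX_ZONE, used=None):
    """Upper bound on DNS-querying terms evaluated from domain's record.

    A real evaluator stops at the first matching mechanism, so this is the
    worst case a record-publishing check should test against.
    """
    used = used if used is not None else [0]
    for kind, target in spf_terms(txt.get(domain, "v=spf1")):
        if kind not in LOOKUP_TERMS:
            continue                      # all, ip4, ip6 and exp do not count
        used[0] += 1
        if used[0] > MAX_LOOKUPS:
            raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS-querying terms")
        if kind == "mx" and len(mx.get(target or domain, [])) > MAX_MX_HOSTS:
            raise PermError(f"{target or domain}: mx exceeds {MAX_MX_HOSTS} address records")
        if kind in ("include", "redirect"):
            count_lookups(target, txt, mx, used)
    return used[0]


def check(domain):
    """Return ('ok', count) or ('permerror', reason) for a deploy-time lint."""
    try:
        return "ok", count_lookups(domain)
    except PermError as e:
        return "permerror", str(e)
```

Running `check("good.test")` reports 9 lookups, while `bad.test` (the same include twice) and `bigmx.test` both come back as permerror.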