Greetings.

I have a dummy domain for DNS record testing, 'edrc.top', with the
following SPF test record:
v=spf1 mx ptr include:_spf.google.com include:spf.smtp2go.com -all

What would be the correct number of DNS lookups (queries) that will be
performed during SPF record parsing at the time of validating the sender IP:
7, 11 or 12?

Different online SPF checkers show different results.

The majority of them, like these 2, show 7 lookups:
https://easydmarc.com/tools/spf-lookup/edrc.top?domain=edrc.top
https://dmarcian.com/spf-survey/?domain=edrc.top

Another 2 tools show 11 lookups:

https://www.spf-record.com/spf-lookup/edrc.top
https://www.mailhardener.com/tools/spf-validator?domain=edrc.top

And this one shows 12 lookups:
https://www.dmarcanalyzer.com/spf/checker/?dmarcdns%5Btype%5D=spf&dmarcdns%5Bdomain%5D=edrc.top

Referring to the following 2 sections of the SPF RFC, I tend to agree that the
last tool is the most accurate and there are indeed 12 DNS lookups:
- 1 for MX
- 5 for retrieved MX hostnames' A lookups
- 1 for void PTR lookup
- 4 for Google include
- 1 for smtp2go include

MX mechanism - https://datatracker.ietf.org/doc/html/rfc7208#section-5.4
This mechanism matches if <ip> is one of the MX hosts for a domain. Then it
performs an address lookup on each MX name returned.  The <ip> is compared
to each returned IP address.

DNS Lookup Limits - https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4
When evaluating the "mx" mechanism, the number of "MX" resource records
queried is included in the overall limit of 10 mechanisms/modifiers that
cause DNS lookups as described above.
In addition to that limit, the evaluation of each "MX" record MUST NOT
result in querying more than 10 address records -- either "A" or "AAAA"
resource records.
If this limit is exceeded, the "mx" mechanism MUST produce a "permerror"
result.


However, when I ran another check and sent email to various mailbox
providers (Gmail, Yahoo, Outlook, iCloud, Zoho, etc.) from the 'smtp2go' source,
whose IP is covered by the last, 12th (according to the dmarcanalyzer.com tool)
lookup, all recipient mailbox providers put "spf=pass" in the received email
header.

So, it looks like mailbox providers count the MX mechanism as 1 lookup (no matter
how many hostnames the MX record resolves to) and the dmarcanalyzer.com tool's
lookup check has nothing to do with reality.

Could you help me understand how many DNS queries are run for
the MX mechanism?

Thank you,

Alexander
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
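The two separate limits quoted from RFC 7208 section 4.6.4 above (the 10-term lookup limit and the per-"mx" cap of 10 address records), as an added example that is not part of the original post or of any of the tools it links: a Python script that tallies both against a constructed, in-memory DNS table for edrc.top, so it runs offline. The record shapes are assumptions made for the example (five invented MX hosts under example.net, documentation address ranges, _spf.google.com modelled as three nested netblock includes, no reverse record for the client IP); nothing is resolved live.

```python
"""Tally SPF DNS lookups the way RFC 7208 section 4.6.4 describes them.

Added example with a constructed DNS table: host names and address ranges are
invented for illustration, nothing is queried over the network.
"""

LOOKUP_LIMIT = 10       # terms that cause DNS queries: include, a, mx, ptr, exists, redirect
MX_ADDRESS_LIMIT = 10   # A/AAAA queries allowed while evaluating one "mx" term
VOID_LIMIT = 2          # counted lookups returning no records (RFC 7208 says SHOULD limit)

# Constructed DNS table (assumption). _spf.google.com is modelled as three
# nested includes, which is what "4 for Google include" in the post refers to.
DNS = {
    "TXT": {
        "edrc.top": "v=spf1 mx ptr include:_spf.google.com include:spf.smtp2go.com -all",
        "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                           "include:_netblocks2.google.com include:_netblocks3.google.com ~all",
        "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
        "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
        "_netblocks3.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
        "spf.smtp2go.com": "v=spf1 ip4:203.0.113.0/24 -all",
    },
    "MX": {
        "edrc.top": ["mx1.example.net", "mx2.example.net", "mx3.example.net",
                     "mx4.example.net", "mx5.example.net"],
    },
    "A": {f"mx{i}.example.net": [f"192.0.2.{i}"] for i in range(1, 6)},
    "PTR": {},  # no reverse record for any client IP: "ptr" becomes a void lookup
}


def _strip_qualifier(term):
    return term[1:] if term[:1] in "+-~?" else term


def _split_term(term):
    """Return (lower-cased name, argument without any dual-cidr suffix)."""
    if "=" in term:                  # modifier, e.g. redirect=example.com
        name, arg = term.split("=", 1)
    elif ":" in term:                # mechanism with a target, e.g. include:x
        name, arg = term.split(":", 1)
    else:
        name, arg = term, ""
    return name.lower(), arg.split("/")[0]


def _walk(domain, client_ip, tally):
    record = DNS["TXT"].get(domain)
    if record is None:               # include/redirect of a record-less domain
        tally["void_lookups"] += 1
        tally["errors"].append(f"no SPF record for {domain}")
        return
    for raw in record.split()[1:]:
        name, arg = _split_term(_strip_qualifier(raw))
        target = arg or domain
        if name in ("ip4", "ip6", "all"):
            continue                 # no DNS query, never counted
        tally["lookups"] += 1        # every remaining term costs exactly one
        if name == "mx":
            hosts = DNS["MX"].get(target, [])
            if not hosts:
                tally["void_lookups"] += 1
            if len(hosts) > MX_ADDRESS_LIMIT:
                tally["errors"].append(f"mx {target}: more than {MX_ADDRESS_LIMIT} hosts")
            # A/AAAA for each MX host sit under their own cap, not the 10-term limit
            tally["mx_addresses"] += len(hosts[:MX_ADDRESS_LIMIT])
        elif name == "ptr":
            if not DNS["PTR"].get(client_ip):
                tally["void_lookups"] += 1
            # forward lookups validating the PTR names are likewise not counted
        elif name in ("a", "exists"):
            if not DNS["A"].get(target):
                tally["void_lookups"] += 1
        elif name in ("include", "redirect"):
            _walk(target, client_ip, tally)


def count_spf_lookups(domain, client_ip):
    """Return counted lookups, mx address lookups, void lookups and permerrors."""
    tally = {"lookups": 0, "mx_addresses": 0, "void_lookups": 0, "errors": []}
    if domain not in DNS["TXT"]:
        tally["errors"].append(f"no SPF record for {domain}")
        return tally
    _walk(domain, client_ip, tally)
    if tally["lookups"] > LOOKUP_LIMIT:
        tally["errors"].append(f"more than {LOOKUP_LIMIT} DNS-querying terms")
    if tally["void_lookups"] > VOID_LIMIT:
        tally["errors"].append(f"more than {VOID_LIMIT} void lookups")
    return tally


if __name__ == "__main__":
    result = count_spf_lookups("edrc.top", "203.0.113.10")  # client IP is invented
    for key, value in result.items():
        print(f"{key}: {value}")
```

Against this table the script reports 7 counted lookups (mx, ptr, the Google include with its three nested includes, and the smtp2go include) with zero permerrors, plus 5 address lookups tracked under the separate per-"mx" cap; adding the two figures together is what gives the 12 the post lists. Swapping in a domain with more than 10 MX hosts, or more than two void lookups, makes the corresponding permerror appear in `errors`.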
