+1 to Mark's comments... Without discovery you'll never know if you're over the limits or not.
Set up a p=none policy, and see where the mail is coming from. You may need to update systems, or change some domains to use subdomains, or a different MailFrom: etc... but if massive global corporations like Disney, HP, and Oracle can figure it out, you can too. A lot of DMARC reporting services will likely offer some kind of SPF flattening as part of their services without extra cost.

~ MV

On Wed, Jan 11, 2023 at 8:29 AM Mark Alley via mailop <mailop@mailop.org> wrote:

> What makes you think you'd go over the limit if you haven't done the
> discovery? You might be surprised that you may not exceed the lookup count,
> as with optimization/analysis and proper SPF design (even without
> flattening), the lookup count can be quite easily managed. This sounds like
> a prime candidate for your mail source discovery with DMARC reporting
> <https://dmarcvendors.com>.
>
> Using ?all (neutral) might be best for deliverability's sake while you
> build out this SPF record during discovery. This would have the same effect
> as your current scenario of having no SPF record, while still allowing for
> positive matches of your legitimate known mail-flow until you get to a
> point you move to ~all.
>
> - Mark Alley
>
> On 1/11/2023 7:08 AM, Simon Burke via mailop wrote:
>
> All,
>
> This is an odd scenario, but sadly one I find myself in.
>
> Work is a large organisation, and currently does not have an SPF record.
> The reason is that there are a large (and unknown) number of internal and
> external parties that send mail on our domain, as well as sub-domains.
>
> So, even if we do determine who sends email on the domain, we would then
> have an issue with max lookups and record length.
>
> I know we can use an SPF flattening service. However that either has a
> cost. Or, although we can develop something in house, there's a 'bought not
> built' ethos being pushed by management.
>
> As an out the box idea, what would the potential impact be of having an
> SPF record stating just:
>
> "V=spf1 a mx +all"
>
> How bad of an idea would this be? If we also had a DMARC record set to
> either quarantine or reject.
>
> Regards,
>
> Simon
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
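The lookup-limit and "+all" questions raised in this thread can be checked offline once the sending sources are known. The following is an added example, not code from any poster or from the list: it counts the DNS-querying terms (a, mx, ptr, exists, include, redirect) that RFC 7208 section 4.6.4 caps at 10 per evaluation, follows includes recursively, and flags any "+all". Every domain and record in `ZONE` is constructed, and `audit_spf` is a hypothetical helper name.

```python
# Added example. Every domain and record here is constructed for illustration.
ZONE = {
    "example.org": "v=spf1 a mx include:_spf.mail.example "
                   "include:crm.example include:helpdesk.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a:out.crm.example exists:%{i}.allow.crm.example -all",
    "helpdesk.example": "v=spf1 include:_spf.mail.example mx -all",
    "open.example": "V=spf1 a mx +all",  # the record proposed in the thread
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def audit_spf(domain, zone=ZONE, path=()):
    """Return (dns_lookups, findings) for the SPF record published at domain."""
    domain = domain.lower()
    if domain in path:
        return 0, [f"include loop through {domain}"]
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [f"no SPF record at {domain}"]
    lookups, findings = 0, []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        # Mechanism or modifier name: text before the first ':', '/' or '='.
        name = body.split(":")[0].split("/")[0].split("=")[0].lower()
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: '{term}' passes mail from any host")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            target = body.partition(":" if name == "include" else "=")[2]
            sub_lookups, sub_findings = audit_spf(target, zone, path + (domain,))
            lookups += sub_lookups
            findings += sub_findings
    if not path and lookups > LOOKUP_LIMIT:
        findings.append(f"{domain}: {lookups} DNS lookups, limit is {LOOKUP_LIMIT}")
    return lookups, findings


if __name__ == "__main__":
    for name in ("example.org", "open.example"):
        print(name, audit_spf(name))
```

In the constructed zone, example.org reaches 13 lookups because helpdesk.example re-includes _spf.mail.example, which is the kind of overlap that consolidating shared includes removes without flattening.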