On Wed, May 19, 2021 at 1:08 PM John Levine via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

> It appears that Alexander NAZARIAN via dmarc-discuss <alexander.nazar...@gmail.com> said:
> >So I want to understand whether having MX placed in the beginning of SPF
> >record can cause a quicker reach of '10 DNS lookup limitation' for G Suite
> >senders, due to the reason that G Suite has 5 MX records (and I assume that
> >number of DNS queries, executed to resolve MXes to IPs, is 6 and not 1)
>
> I think he already answered that question. Different implementations
> of SPF interpret the counting rule differently, so if you want your
> mail delivered, assume that they will use the largest count. If you
> are checking someone else's mail, use the smallest count. This is the well
> known robustness principle about interpreting ambiguous specs.
>
> This particular case has not come up in the past because, in practice,
> the only sites that use "mx" are tiny sites with a single mail host
> with a single address. It doesn't make a lot of sense for secondary MX
> hosts to be sending mail for someone's domain.
>
> I also think that some of the advice about limits in 7208 is not very
> good. For example, you are likely to get different NOERROR counts
> evaluating an ipv4 address than evaluating an ipv6 address since there
> are lots of hosts with A records but no AAAA.

I think the limits in the RFC are overly restrictive... as a receiver, I don't see any issue with having a much higher limit, you waste fairly minimal resources in that regard... there may be an issue in the large as a DoS type attack, but as a larger provider you might benefit more from weighted throttling of requests or more general DoS-style protections.

At least at one point we definitely saw enough senders requiring too many lookups that we cared more about trying to find a positive evaluation than downside from doing more.

Brandon
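The counting ambiguity discussed in this thread, as an added example that is not part of the original messages and does not reproduce any particular SPF implementation: it walks a constructed SPF record for a domain with five MX hosts and counts DNS-querying terms twice, once treating `mx` as a single lookup and once adding one lookup per MX host. The zone data, the domain names and the two counting policies are assumptions made for illustration.

```python
# Constructed zone data (not real DNS): a sender with five MX hosts.
SPF = {
    "example.org": "v=spf1 mx include:_spf.mailhost.example include:_spf.crm.example ~all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example "
                             "include:_nb2.mailhost.example include:_nb3.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
MX = {"example.org": ["mx%d.mailhost.example" % i for i in range(1, 6)]}
LIMIT = 10  # the '10 DNS lookup limitation' from the thread


def spf_lookup_count(domain, mx_per_host, _seen=frozenset()):
    """Worst-case count of DNS-querying terms (no mechanism matches early).

    mx_per_host=False: 'mx' costs 1 (smallest count).
    mx_per_host=True:  'mx' costs 1 + one address lookup per MX host (largest).
    """
    if domain in _seen:
        raise ValueError("include/redirect loop at " + domain)
    total = 0
    for term in SPF[domain].split()[1:]:          # skip the v=spf1 tag
        term = term.lstrip("+-~?")                # drop the qualifier
        name, _, arg = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()         # 'mx/24' -> 'mx'
        target = arg.split("/")[0] or domain      # default to current domain
        if name in ("include", "redirect"):
            total += 1 + spf_lookup_count(target, mx_per_host, _seen | {domain})
        elif name == "mx":
            total += 1 + (len(MX.get(target, [])) if mx_per_host else 0)
        elif name in ("a", "ptr", "exists"):
            total += 1                            # ip4, ip6 and all cost nothing
    return total


def evaluate(domain):
    """Return both counts; a sender should plan against the largest one."""
    smallest = spf_lookup_count(domain, mx_per_host=False)
    largest = spf_lookup_count(domain, mx_per_host=True)
    return {"smallest": smallest, "largest": largest,
            "safe_for_sender": largest <= LIMIT}


if __name__ == "__main__":
    print(evaluate("example.org"))
```

The same record stays under the limit with the smallest count and exceeds it with the largest, which is the case where delivery depends on which receiver evaluates it.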