On Tue, 12 Mar 2024 at 00:01, Michael Peddemors via mailop <mailop@mailop.org> wrote:
> save.ca descriptive text "v=spf1 ip4:70.33.236.0/25 mx a
> include:sendgrid.net include:thestar.ca include:thestar.com
> include:spf.google.com include:spf.protection.outlook.com
> include:spf.yahoo.com include:spf.aol.com include:amazonses.com -all"
> [...]
> I assume someone that likes spamming set THAT one up.. there is a good
> reason that SPF have a maximum DNS amount of queries..

Their record requires 35 DNS lookups to be completely evaluated :-)

The "include:thestar.ca" alone uses 15 DNS lookups (I wonder if they suggest that anyone use this include or if this is a mistake from save.ca).

Anything after include:thestar.ca (and also part of this included record) will be ignored and result in permerror, so their record is equivalent to "v=spf1 ip4:70.33.236.0/25 mx a include:sendgrid.net include:thestar.ca -all".

Maybe the RFC could have defined to return *fail* instead of permerror when you can detect the record will need more than 10 DNS lookups just looking at it (like this one: you don't even need to recurse into the includes to know this record requires more than 10 lookups).

I don't think this is an indicator of a spammy sender: spammers are usually good at understanding how to properly authenticate their emails. I saw similar SPF records with too many lookups and invalid hosts in many domains where the sysadmin probably saw a couple of SPF records and thinks he has mastered SPF and fixes any deliverability issues by adding a new include there, as it worked the first time.

Stefano
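
Added example, not part of the original messages: a small offline counter for the DNS-lookup terms discussed in this thread (RFC 7208 section 4.6.4 counts `include`, `a`, `mx`, `ptr`, `exists` and `redirect` against a limit of 10). The record is the one quoted above; `STUB_ZONE` is constructed sample data under hypothetical names, not the real published record of any domain, and domains absent from it are assumed to contribute no lookups.

```python
import re

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # RFC 7208 section 4.6.4
LIMIT = 10

# Record quoted in the thread above.
SAVE_CA = ("v=spf1 ip4:70.33.236.0/25 mx a include:sendgrid.net "
           "include:thestar.ca include:thestar.com include:spf.google.com "
           "include:spf.protection.outlook.com include:spf.yahoo.com "
           "include:spf.aol.com include:amazonses.com -all")

# Constructed stand-in for an included record (NOT the real thestar.ca data):
# eight nested includes under hypothetical names.
STUB_ZONE = {"thestar.ca": "v=spf1 " + " ".join(
    f"include:_s{i}.example.test" for i in range(1, 9)) + " -all"}

def lookup_terms(record):
    """Yield (name, target) for every term that costs one DNS lookup."""
    redirect = None
    for term in record.split()[1:]:              # skip the "v=spf1" tag
        term = term.lstrip("+-~?")               # drop the qualifier
        if term.lower().startswith("redirect="):
            redirect = ("redirect", term.split("=", 1)[1])
            continue
        m = re.match(r"([A-Za-z0-9]+)(?::([^/]+))?", term)
        if m and m.group(1).lower() in LOOKUP_TERMS:
            yield m.group(1).lower(), m.group(2)
    if redirect:                                 # acted on after all mechanisms
        yield redirect

def static_count(record):
    """Lookup terms visible in the record itself, without any DNS query."""
    return sum(1 for _ in lookup_terms(record))

def first_over_limit(record, zone, count=0):
    """Worst case (nothing matches): return (count, term that exceeds LIMIT or None).
    Domains missing from `zone` are assumed to publish no lookup terms."""
    for name, target in lookup_terms(record):
        count += 1
        if count > LIMIT:
            return count, (f"{name}:{target}" if target else name)
        if name in ("include", "redirect"):
            count, hit = first_over_limit(zone.get(target, "v=spf1 -all"), zone, count)
            if hit:
                return count, hit
    return count, None
```

The top-level terms of the quoted record already use the whole budget of 10, so a single lookup term inside any included record pushes evaluation over the limit; with the constructed stub the walk stops inside the `thestar.ca` include.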