IETF Logo Mail Archive

[spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Lookup Limits increase

Simon Gnieslaw <simon@gnieslaw.com> Fri, 22 April 2022 06:27 UTC

Return-Path: <simon@gnieslaw.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAA2D3A07A7 for <spfbis@ietfa.amsl.com>; Thu, 21 Apr 2022 23:27:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gnieslaw.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZzbUeecbnntX for <spfbis@ietfa.amsl.com>; Thu, 21 Apr 2022 23:26:58 -0700 (PDT)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A7D53A07A9 for <spfbis@ietf.org>; Thu, 21 Apr 2022 23:26:57 -0700 (PDT)
Received: by mail-ej1-x629.google.com with SMTP id y10so14337543ejw.8 for <spfbis@ietf.org>; Thu, 21 Apr 2022 23:26:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gnieslaw.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=IpZU7Yyld7Ge57cXtD4uHG1lVpmaji2nry7SUkTCIPQ=; b=E0LO4tzRhcURw8fJo673j2oayAgV6BgEjCLJoilKO7Jd/CdVw/SZeDy6z8lzx4Azyy HdI2+IEEs60esdgOMYG5K0ZIzLyp9Tfe9q6BSiVvt5WT85qkkqsUL9U+EzFwgZl55myh vSPJAJMRADzD9fZClEYov2I8OlyLBKchbhJHgIz/tigoHQfIQlHO6Bhla8ZVGx5zUsS0 ldnAl35uO8dNxDTOxu2lpCDNe7cOe50HVVx9LmNlJIx7YycSQTzdzuw2tMRIZZC5aabA nNTk3rH/S9/pp2Ql5R7Fb0UPFR14wo7Juv5lijLVESNNXir6yWXdK98vWI4g8+qO8VYy cLJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=IpZU7Yyld7Ge57cXtD4uHG1lVpmaji2nry7SUkTCIPQ=; b=QEnmZHwfF40uYInLA8eeIopoFS/bJNfchxEkYkgypCReY4+vwkqMwJgzQh1l1s32GQ p7AMlZnv8J/slDgxCE4Sf7upaVCsbCfNvTJKyzKmaujjI+oHYi9wdi6kWmtt8fJsYV8g lObXx56jEWyfMHItT7XleqX7+qRIXZL/lo79XrIw8dUv7AbvVHoka24E1AcMIJJg1J55 lNG0T2nXBF9IxSd76PgwzBz7ImUZs/a/Hyi4ZsE7a+Yh9wwlAvLUJ2Ips4H3b0UHdPx4 IVK16WKk+YXF6BnwQDO5/Kh1PF4+53RFafyyBYq9lJLTbn7O4Ku1Cz5e6Gqc0i1zFrIX VTMQ==
X-Gm-Message-State: AOAM5319jyaFN+TbBmu/RYIdHxRYa7mliZ1cejt9tMaroGjGbKqnxvHP im6stlYYtnCzhS1KK3LvFDYscUpV54Ay8XLP2O6pUBtGlvhUdQ==
X-Google-Smtp-Source: ABdhPJwCpwou7xlvOD6e1kEeH/g/rzjstyJ7QBrZEbSvZgjp8WC0PLA9Ee4e47M89daru0JKkN1YABKmgRVYYWjNQC8=
X-Received: by 2002:a17:907:a421:b0:6e8:d248:f877 with SMTP id sg33-20020a170907a42100b006e8d248f877mr2560935ejc.249.1650608815830; Thu, 21 Apr 2022 23:26:55 -0700 (PDT)
MIME-Version: 1.0
References: <CABi22cdU=Fo0i5SZYsLFdYdby_QTahVK87K1LzMfbWG_T_fEkA@mail.gmail.com>
In-Reply-To: <CABi22cdU=Fo0i5SZYsLFdYdby_QTahVK87K1LzMfbWG_T_fEkA@mail.gmail.com>
From: Simon Gnieslaw <simon@gnieslaw.com>
Date: Fri, 22 Apr 2022 16:25:54 +1000
Message-ID: <CABi22cc9kTSti_HjyKO0XtdcGSXzjwUeqWs0bu_zoT9nBDTbnQ@mail.gmail.com>
To: spfbis@ietf.org
Content-Type: multipart/alternative; boundary="000000000000218ed405dd38506c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/iavrZhJi-teG4G-sQg0tdZX9L8Y>
X-Mailman-Approved-At: Sun, 24 Apr 2022 08:08:36 -0700
Subject: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Lookup Limits increase
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 06:32:54 -0000

Sending here because I got not reply to this last year.

---------- Forwarded message ---------
From: Simon Gnieslaw <simon@gnieslaw.com>
Date: Tue, 16 Mar 2021 at 20:05
Subject: RFC 7208 SPF - 4.6.4. DNS Lookup Limits increase
To: <scott@kitterman.com>


Hi there Scott,
I am just contacting you in regards to your RFC which was published. An
"Request for Comment" would mean that you actually want comments on it? I
have never commented on an RFC before so please excuse me if this is not
the correct procedure, please direct me to the right place if emailing you
directly is not the right way.

Basically I just have a small issue with "4.6.4.  DNS Lookup Limits"
limited to just 10 lookups.

I have run across a major Australian ISP who has actually started enforcing
the limit of 10 to be able to send to their users, believe it or not. I
have never seen this enforced before, and they are standing by it because
technically that is the spec.

Many online tools which check for SPF record validity don't even see > 10
lookups as a problem (i.e. The Microsoft 365 DNS record checker) and all
the email services which I have come across before handle it without issue.

I would suggest that the limit of 10 is too low of a number in 2021.
Consider that DNS servers and infrastructure is more robust now than what
it used to be, given increased computational power, and the rise of free
and paid DNS tools to offload the task on both client and server end such
as Google's Free DNS, Quad9, Cloudflare 1.1.1.1, OpenDNS, DNS-over-HTTPS,
and others, plus tools to host such as Cloudflare, Google Cloud Amazon
Route 53, Azure, and others, so we do not need to be as conservative with
the number of lookups as we used to be.

Increasingly, more and more services are requiring addition of SPF records
to work properly, and they make a lot of use of the include: statements, as
they have to cover a diverse range of IP addresses in both ipv4 and ipv6
and their servers become distributed, ephemeral, and subject to change.

Systems include most notably Microsoft 365 and Google Workspace, and it is
common to require SPF records for both to be in place at once during a
transition or permanent split-delivery, plus a range of systems used for
newsletter sending (Mailchip, Sendgrid, etc.), transactional email sending
(i.e. have some Forum software installed or the website app itself),
Helpdesk software (i.e. Zendesk), Bookkeeping software (i.e. Xero,
QuickBook Online), CRM software (i.e. Salesforce), the list goes on and on,
including multiples of the same time during a transition or large
businesses with many departments.

I would suggest some sort of update to that standard, perhaps something
along the lines of 10 lookups per root level include: and that each 3rd
party service should only provide one root level include: statement, to try
and keep them in check from going overboard.

As many popular services use the same include: record, it shouldn't be too
hard for spam filters to Cache that include: if performance is an issue for
them.

Minimum increase should be to 20, to account for doubling of records due to
ipv6. But realistically, if sites are to expand then I think that 100 is
more reasonable, especially if each root include: is limited to 10 sub
lookups then that would allow for 10 services to run off the one domain.

What do you think?

Kind Regards,
Simon Gnieslaw

v2.23.0 | Report a Bug | By Email