Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Lookup Limits increase
Scott Kitterman <spf2@kitterman.com> Mon, 25 April 2022 02:56 UTC
Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 846033A1ACC for <spfbis@ietfa.amsl.com>; Sun, 24 Apr 2022 19:56:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=+i//Dhec; dkim=pass (2048-bit key) header.d=kitterman.com header.b=dOdd2hz9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B87b5JdW9QU1 for <spfbis@ietfa.amsl.com>; Sun, 24 Apr 2022 19:56:45 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66AA83A1AC9 for <spfbis@ietf.org>; Sun, 24 Apr 2022 19:56:45 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id DC43EF8023A for <spfbis@ietf.org>; Sun, 24 Apr 2022 22:56:39 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1650855399; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=dAIkXZh/JJ767Vw2D3F5kJxoKuX90zMq2RcWINNvIP8=; b=+i//Dhec1u5sJNTam8toHydHAtnSzjBA0HAdk1+PrZqufaaPQT98QFlPAYu+YnDgUhMBI EMbfQ1xQojMZx9OCA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1650855399; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=dAIkXZh/JJ767Vw2D3F5kJxoKuX90zMq2RcWINNvIP8=; b=dOdd2hz9RAvY5t1vEtSCPTsP0sSUuKT4IxULtC3VfiItHqu8ovRnFGVXKVYb3k4Mso9aJ aTdv9uDW2220V/YUtz7lJOLeElTIQuFmioG39xhNJs/z9t99jZ91ErPJMU7mOBhL7DbfEF6 vN0GwJ5ohBdPayBZtVf53tEFbZroYW4mkM/T9rBN3mEBkPt69UbbgbgY5kVTBOFsi3wkpmx OxjagwnuT1VcEqEEZ160OfRyUjYMhVle+TIziijYhXHLIftjqeljm+3cmZUNcMATt57uweF R7XgnKxzBNvrXGjwrAcYciKOfYrrfVCajAR7g4/5vQBlobrM5E6YF0w/o9Mg==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id AB9DFF8009F for <spfbis@ietf.org>; Sun, 24 Apr 2022 22:56:39 -0400 (EDT)
From: Scott Kitterman <spf2@kitterman.com>
To: spfbis@ietf.org
Date: Sun, 24 Apr 2022 22:56:39 -0400
Message-ID: <82544731.azvFELPHag@zini-1880>
In-Reply-To: <CABi22cc9kTSti_HjyKO0XtdcGSXzjwUeqWs0bu_zoT9nBDTbnQ@mail.gmail.com>
References: <CABi22cdU=Fo0i5SZYsLFdYdby_QTahVK87K1LzMfbWG_T_fEkA@mail.gmail.com> <CABi22cc9kTSti_HjyKO0XtdcGSXzjwUeqWs0bu_zoT9nBDTbnQ@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/kOxuiOmFeG5A0ntKTsRmAK77A-M>
Subject: Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Lookup Limits increase
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 02:56:51 -0000
As others have mentioned, there's no way to change this without substantial backward compatibility issues. As John suggested, if we were doing this today, we'd do it differently. Absent a general push for an SPF revision, it is what it is. There are a few other things I would suggest we change if we ever do a SPF v3, but without a significant level of community interest to develop and field it, I think it's not going to happen, so you have to find ways to live within the current limits. So far, whenever I've looked into specifics for someone I've always been able to find a way to do so. Worst case you use a DNS with an appropriate data base driven back-end and use exists: with macros. That can cover anything (although due to caching limitations it doesn't scale super well). Scott K On Friday, April 22, 2022 2:25:54 AM EDT Simon Gnieslaw wrote: > Sending here because I got not reply to this last year. > > ---------- Forwarded message --------- > From: Simon Gnieslaw <simon@gnieslaw.com> > Date: Tue, 16 Mar 2021 at 20:05 > Subject: RFC 7208 SPF - 4.6.4. DNS Lookup Limits increase > To: <scott@kitterman.com> > > > Hi there Scott, > I am just contacting you in regards to your RFC which was published. An > "Request for Comment" would mean that you actually want comments on it? I > have never commented on an RFC before so please excuse me if this is not > the correct procedure, please direct me to the right place if emailing you > directly is not the right way. > > Basically I just have a small issue with "4.6.4. DNS Lookup Limits" > limited to just 10 lookups. > > I have run across a major Australian ISP who has actually started enforcing > the limit of 10 to be able to send to their users, believe it or not. I > have never seen this enforced before, and they are standing by it because > technically that is the spec. > > Many online tools which check for SPF record validity don't even see > 10 > lookups as a problem (i.e. The Microsoft 365 DNS record checker) and all > the email services which I have come across before handle it without issue. > > I would suggest that the limit of 10 is too low of a number in 2021. > Consider that DNS servers and infrastructure is more robust now than what > it used to be, given increased computational power, and the rise of free > and paid DNS tools to offload the task on both client and server end such > as Google's Free DNS, Quad9, Cloudflare 1.1.1.1, OpenDNS, DNS-over-HTTPS, > and others, plus tools to host such as Cloudflare, Google Cloud Amazon > Route 53, Azure, and others, so we do not need to be as conservative with > the number of lookups as we used to be. > > Increasingly, more and more services are requiring addition of SPF records > to work properly, and they make a lot of use of the include: statements, as > they have to cover a diverse range of IP addresses in both ipv4 and ipv6 > and their servers become distributed, ephemeral, and subject to change. > > Systems include most notably Microsoft 365 and Google Workspace, and it is > common to require SPF records for both to be in place at once during a > transition or permanent split-delivery, plus a range of systems used for > newsletter sending (Mailchip, Sendgrid, etc.), transactional email sending > (i.e. have some Forum software installed or the website app itself), > Helpdesk software (i.e. Zendesk), Bookkeeping software (i.e. Xero, > QuickBook Online), CRM software (i.e. Salesforce), the list goes on and on, > including multiples of the same time during a transition or large > businesses with many departments. > > I would suggest some sort of update to that standard, perhaps something > along the lines of 10 lookups per root level include: and that each 3rd > party service should only provide one root level include: statement, to try > and keep them in check from going overboard. > > As many popular services use the same include: record, it shouldn't be too > hard for spam filters to Cache that include: if performance is an issue for > them. > > Minimum increase should be to 20, to account for doubling of records due to > ipv6. But realistically, if sites are to expand then I think that 100 is > more reasonable, especially if each root include: is limited to 10 sub > lookups then that would allow for 10 services to run off the one domain. > > What do you think? > > Kind Regards, > Simon Gnieslaw
- [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Lookup Li… Simon Gnieslaw
- Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Looku… John Levine
- Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Looku… John R Levine
- Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Looku… Scott Kitterman
- Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Looku… Simon Gnieslaw
- Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Looku… Simon Gnieslaw
- Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Looku… John R Levine
- Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Looku… Måns Nilsson
- Re: [spfbis] Fwd: RFC 7208 SPF - 4.6.4. DNS Looku… John Levine