Friday, 28 August 2015

SPF maximum DNS lookups

To prevent DNS amplification attacks, where a sender configures an SPF record that forces every receiving mail server to perform a large number of DNS lookups, there is a limit on the number of DNS lookups that may be required to evaluate an SPF record. RFC 7208 puts it as follows:

"SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS. If this limit is exceeded, the implementation MUST return "permerror"."

A DNS lookup is required each time you use the mx, a, ptr or include mechanism in your SPF record. To reduce the number of lookups required, use the ip4 or ip6 mechanisms instead. If you have a large number of IP addresses, specify them as subnets (CIDR ranges) rather than listing each address individually.
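Here is an added example (not from the original post) of a lookup counter that walks an SPF record the way a validator does, following include: targets into their own records and flagging records that exceed the limit. It goes a little beyond the text by also counting exists and redirect=, which RFC 7208 counts under the same rule. The zone data is constructed and held in a dictionary so the script runs offline; the domain names are placeholders.

```python
import re

# Constructed, offline "DNS": domain -> SPF TXT record (no live lookups).
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailer.example include:_spf.crm.example ip4:192.0.2.0/24 -all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ptr -all",
    "b.mailer.example": "v=spf1 a mx mx:relay.example exists:%{i}.chk.example -all",
    "_spf.crm.example": "v=spf1 a -all",
    "lean.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4. The post names the
# first four; exists and redirect are counted by the same rule.
LOOKUP_TERMS = {"mx", "a", "ptr", "include", "exists", "redirect"}
MAX_LOOKUPS = 10

def term_name(term: str) -> str:
    """'include:foo' -> 'include', '-all' -> 'all', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def count_lookups(domain: str, zone=ZONE, chain=()) -> int:
    """Static (worst-case) count of lookup terms needed to evaluate a domain's
    record, descending into the records referenced by include: and redirect=."""
    if domain in chain:
        raise ValueError("include/redirect loop: " + " -> ".join(chain + (domain,)))
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain} (permerror)")
    total = 0
    for term in record.split()[1:]:
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and other modifiers cost no lookup
        total += 1
        if name in ("include", "redirect"):
            sep = ":" if name == "include" else "="
            target = term.lstrip("+-~?").split(sep, 1)[1]
            total += count_lookups(target, zone, chain + (domain,))
    return total

def check(domain: str, zone=ZONE) -> tuple:
    """Return (lookup count, 'ok' or 'permerror') for a domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, "permerror" if n > MAX_LOOKUPS else "ok"

if __name__ == "__main__":
    for d in ("example.com", "lean.example"):
        print(d, *check(d))
```

In the constructed zone, example.com needs 12 lookups and would return permerror, while lean.example, built only from ip4 and ip6 terms, needs none.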
