RFC 7208, "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", April 2014
Source of RFC: spfbis (app)

Errata ID: 6595
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Benjamin Schwarze
Date Reported: 2021-06-03

Section 4.6.4 says:

As described at the end of Section 11.1, there may be cases where it
is useful to limit the number of "terms" for which DNS queries return
either a positive answer (RCODE 0) with an answer count of 0, or a
"Name Error" (RCODE 3) answer. These are sometimes collectively
referred to as "void lookups". SPF implementations SHOULD limit
"void lookups" to two. An implementation MAY choose to make such a
limit configurable. In this case, a default of two is RECOMMENDED.
Exceeding the limit produces a "permerror" result.

It should say:
-- Addition to the original paragraph --

ADMDs should be aware that the void lookup limit can easily be exceeded by using sender-specific macros ("s", "l", "o", "i", "h") in more than 2 terms.

The following example will lead to a permerror in most implementations if the <ip> is not found in any of the lists:
 v=spf1 exists:%{ir}.list1.example.net exists:%{ir}.list2.example.net exists:%{ir}.list3.example.net -all

Notes:

In addition to the above suggestion, I still see a contradiction between the "void lookup limit" and the "exists" mechanism. The functionality of "exists" includes (in my opinion) the negative response (RCODE 3). But the "void lookup limit" allows this to occur only twice. This limits the use of "exists" very much.

Admittedly: I have no good idea how to solve this. :-)
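
Added example (not part of the erratum or of RFC 7208): a minimal evaluator for the record quoted above, showing how a sender IP that is on none of the three lists exhausts the void lookup limit before "-all" is reached. The zone contents, the sample IPs and the helper names expand_ir and check_host are constructed for illustration; only the %{ir} macro, "exists" and "-all" are handled, and a missing name stands in for an RCODE 3 answer.

```python
import ipaddress

VOID_LIMIT = 2  # default recommended by RFC 7208 section 4.6.4

RECORD = ("v=spf1 exists:%{ir}.list1.example.net "
          "exists:%{ir}.list2.example.net "
          "exists:%{ir}.list3.example.net -all")

# Constructed zone: names with an A record. Any other name is a void lookup.
ZONE = {"1.2.0.192.list3.example.net": ["127.0.0.2"]}


def expand_ir(domain_spec, ip):
    """Expand %{ir}: the sender IPv4 address with its octets reversed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return domain_spec.replace("%{ir}", ".".join(reversed(octets)))


def check_host(record, ip, zone, void_limit=VOID_LIMIT):
    """Return (result, void_lookups) for a record of exists terms and -all."""
    voids = 0
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if term == "-all":
            return "fail", voids
        if not term.startswith("exists:"):
            raise ValueError("unsupported term in this sketch: " + term)
        name = expand_ir(term[len("exists:"):], ip)
        if zone.get(name):                   # any A record means a match
            return "pass", voids
        voids += 1                           # empty answer or name error
        if voids > void_limit:               # the third void exceeds the limit
            return "permerror", voids
    return "neutral", voids


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.9"):    # listed on list3 / listed nowhere
        print(ip, check_host(RECORD, ip, ZONE))
```

With the same unlisted IP and only two "exists" terms, the evaluation reaches "-all" and returns "fail" instead of "permerror", which is the behaviour change the proposed text warns ADMDs about.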