Score:0

Are SPF records checked depth first or breadth first (or something else)

kh flag

We have a domain which has 11 includes; so is failing SPF validation as it's gone over the limit. Most of the lookups are for third party resources, so flattening the SPF record isn't ideal; we'd rather ensure that things are updated dynamically when the third parties update their records.

One of the lookups is a legacy value that we've not found documentation for; so we're not sure whether it's required... we're asking around before we remove it, but it's a large company with lots of cul-de-sacs and crevices in which requirement owners hide, so checking such things takes time.

We're thinking that having more than 10 lookups is only an issue for those records which exceed the 10th lookup; all values prior to that should succeed even if there are more in total. As such, if we can move the unknown lookup to the end that will reduce the risk of something we care about being impacted.

  • Is that assumption correct / do the first 10 SPF lookups work when there are more than 10 in total?

  • If so, what is the 11th record - i.e. are the lookups calculated breadth first, depth first, or is it not specified so depends on provider?

Patrick Mevzek avatar
cn flag
I wouldn't recommend you assume the order will be respected by all clients. You just can't control that. Maybe it will be respected, maybe it won't and each client can behave correctly. For example, some may decide to process `include` before anything else, or after everything else. It is true however that RFC7208 §4.6.1 says explicitly there is order: "A record contains an ordered list of these as specified in the following Augmented Backus-Naur Form (ABNF)."
Score:1
us flag

Yes, the lookup limit is evaluated ‘as you go’, that is depth-first. While this is not explicitly stated in the spec, it is implied by the evaluation algorithm.

In principle what you propose works. If the first ten lookups should yield the pass result for a legitimate sender, that sender will indeed get the pass result. However, anything past those ten lookups will evaluate to permerror, instead of the fail or softfail result mandated by any -all or ~all directive in your record.
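As an added illustration of the "as you go" counting this answer describes (example code written for this page, not the answer author's code and not any real SPF library), here is a toy RFC 7208 evaluator run over a constructed in-memory zone. The domains `example.test`, `vendorN.test` and `nested1.test` and all the IP ranges are made up. `vendor1.test` contains a nested include, so a depth-first evaluator spends lookup number 2 on `nested1.test` before it ever reaches `vendor2.test`; the shared counter then trips permerror at the 11th include, including for a sender that would otherwise have hit the record's `-all`.

```python
"""Toy SPF (RFC 7208) evaluator showing the 10-lookup limit being consumed
"as you go", i.e. depth-first through include: terms.

Written for this page as an illustration; not from the answer's author and
not from any real SPF library. All DNS data is a constructed in-memory
zone table (the .test domains are made up), so it runs offline.
Only ip4, include and all are implemented, with the +/-/~/? qualifiers.
"""
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised when evaluation must stop with permerror."""


def build_zone(n_includes):
    """Constructed zone: example.test has n_includes include: terms then -all.
    vendor1.test itself includes nested1.test, so a depth-first evaluator
    spends lookup #2 on nested1.test before reaching vendor2.test."""
    zone = {
        "example.test": "v=spf1 "
        + " ".join(f"include:vendor{i}.test" for i in range(1, n_includes + 1))
        + " -all",
        "vendor1.test": "v=spf1 include:nested1.test ip4:198.51.1.0/24 -all",
        "nested1.test": "v=spf1 ip4:192.0.2.0/24 -all",
    }
    for i in range(2, n_includes + 1):
        zone[f"vendor{i}.test"] = f"v=spf1 ip4:198.51.{i}.0/24 -all"
    return zone


def check_host(ip, domain, zone):
    """Return (result, dns_lookups_consumed) for `ip` sending as `domain`."""
    counter = {"lookups": 0}
    try:
        result = _evaluate(ipaddress.ip_address(ip), domain, zone, counter)
    except PermError:
        result = "permerror"
    return result, counter["lookups"]


def _evaluate(ip, domain, zone, counter):
    record = zone.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # One lookup per include, charged to the shared counter and
            # evaluated immediately (depth-first) before the next term.
            counter["lookups"] += 1
            if counter["lookups"] > LOOKUP_LIMIT:
                raise PermError(f"lookup limit exceeded at include:{arg}")
            sub = _evaluate(ip, arg, zone, counter)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False
            else:
                # "none" for a missing record is permerror (RFC 7208 section 5.2)
                raise PermError(f"include:{arg} evaluated to {sub}")
        else:
            raise PermError(f"mechanism {name!r} not implemented in this toy")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no term matched and no explicit all


if __name__ == "__main__":
    zone = build_zone(11)  # the question's 11-include record
    for ip in ("198.51.2.5", "198.51.9.5", "198.51.10.5", "203.0.113.1"):
        print(ip, check_host(ip, "example.test", zone))
```

With the 11-include zone, 198.51.2.5 passes after 3 lookups rather than 2 (the nested include was charged first, which is what depth-first means here), 198.51.9.5 passes at exactly 10, and both 198.51.10.5 and the unrelated 203.0.113.1 come back permerror at lookup 11, the latter instead of the `fail` its `-all` would have produced. Rebuilding the zone with 9 includes (10 lookups total) returns `fail` for the unrelated address, which is the behaviour the question is trying to preserve.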
