The recursive lookups in that SFP record come to 14 according to my checking.

 

vuw.ac.nz            IN           TXT         v=spf1 ip4:130.195.81.0/24 ip4:130.195.86.0/24 ip4:202.36.141.0/24 ip4:216.235.196.0/22 ip4:216.235.200.0/21 include:mcs.vuw.ac.nz include:mailprimer.com include:_spf.learningsourceapp.com include:spf.messaging.microsoft.com ~all

 

         include:mcs.vuw.ac.nz

o   mx

         include:mailprimer.com

o   include:mailprimer.net.nz

  include:mailprimer.co.nz

  include:mailprimer.com

         include:mailprimer.net.nz (loop?)

         include:_spf.learningsourceapp.com

o   include:sendgrid.net

  include:sendgrid.biz

         include:spf.messaging.microsoft.com

o   include:spfa.frontbridge.com

o   include:spfb.frontbridge.com

o   include:spfc.frontbridge.com

 

And in answer to your questions it would be the Vic mail admin or DNS maintainer that needs to look at this.

 

From: nznog-bounces@list.waikato.ac.nz [mailto:nznog-bounces@list.waikato.ac.nz] On Behalf Of Don Gould
Sent: Monday, September 10, 2012 1:06 PM
To: Scott Howard
Cc: nznog
Subject: Re: [nznog] Vic Uni Mail Admin about? SPF rec issue...

 

Hi Scott,

Sorry if I'm being blond, but that didn't answer my question.

I am trying to figure out where to point the finger and I don't understand enough of what you posted for me to understand if this is my problem as the mail admin or the vic mail admin?

I don't have a function to just whitelist the uni, so if people think that tinyspf is not working correctly then I'll just stop using it.

Sorry that my initial question was not very clear.

D


On 10/09/2012 12:52 p.m., Scott Howard wrote:

On Sun, Sep 9, 2012 at 5:44 PM, Don Gould <don@bowenvale.co.nz> wrote:

2.  Should I be doing something to change my config or do others feel that the vuw spf record is to wide?


From http://tools.ietf.org/html/rfc4408#section-10.1 :

   SPF implementations MUST limit the number of mechanisms and modifiers
   that do DNS lookups to at most 10 per SPF check, including any
   lookups caused by the use of the "include" mechanism or the
   "redirect" modifier.  If this number is exceeded during a check, a
   PermError MUST be returned.  The "include", "a", "mx", "ptr", and
   "exists" mechanisms as well as the "redirect" modifier do count
   against this limit.  The "all", "ip4", and "ip6" mechanisms do not
   require DNS lookups and therefore do not count against this limit.
   The "exp" modifier does not count against this limit because the DNS
   lookup to fetch the explanation string occurs after the SPF record
   has been evaluated.


  Scott




-- 
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699