Thanks for raising this question, CCC.

SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned.

 

Does Smartermail enforce this?

 

If so does it log a specific error when SPF fails with a PermError due to excessive SPF recursion (as opposed to just logging an SPF failure)?

Looking for any updates on this as well. Ran into this today with a domain that is falling into this bucket.

 

https://tools.ietf.org/html/rfc4408#section-4.7

 

SmarterMail is showing a perm error on this spf record:

 

 

Note the missing "all" at the end. Every spf tool passes this record but SM is setting this to permfail. I'd like to know why it is perm failing.

Any updates on this or "still under consideration"?

It appears that a few other people are looking for some logging when SPF lookups fail due to the number of entries.  This appears to still be under consideration. 

 

I'm bumping the thread in hopes that others may chime in so that this may get some traction.  

I will bump this thread as well. Now since we implemented stricter policies on our SM install I am starting to see SPF failure messages in our logs. When I look up the SPF policy via MXToolbox the policy passes for said domain. My only work around for now is to change the scoring in my SPF check to a lower number. I had it set to 30 for Fail and also uncheck the option for Enable for SMTP blocking. That way I can be sure no other legitimate email gets blocked. I have seen a bunch of listings especially in the past 2 weeks since setting up our policies and most of them were indeed garbage domains. I did use Bruce's document as our guideline and appreciate the work Bruce put into the document for all of us. It was a big help in getting things configured properly.

 

Anyways, the log just shows _SPF(Fail) but gives no other reason why. We are running SM Version 14.5.5907 enterprise. Is this addressed in a newer build? Or is this something that is still a work in progress? I see this was brought up 2 years ago but haven't seen an update on this.

Checking this again. Still having this issue where SM thinks there is a spf perm error but it validates using every other tool we try. Can we get some additionally logging options on spf failures to see why they are failing?

Just to add to this again, the SPF perm errors that I saw in our log, I got a custom build from SM that had extra logging. What I found was the domains that failed had several SPF records specified and they were from different providers. So in turn  SM labelled them as perm errors. I did discuss with the dev team that logging like this really should be in SM permanently so as a server administrator we can troubleshoot issues like this. The dev did discuss this with management and it was placed on the feature board but no time frame was placed on this being implemented.

Adding spam check logging is something we have scheduled for a future 16 minor release, probably a 16.1 minor.  Initially it will contain logging for SPF checks, since a lot of debug logging we provide is for SPF checks, but it will grow to cover other spam checks when needed.

 

So keep an eye out for our next minor release and check the release notes.