RFC 7208, "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", April 2014

Source of RFC: spfbis (app)

Publication Format(s) : TEXT

Reported By: Benjamin Schwarze

Date Reported: 2021-06-03
 
As described at the end of Section 11.1, there may be cases where it is useful to limit the number of "terms" for which DNS queries return either a positive answer (RCODE 0) with an answer count of 0, or a "Name Error" (RCODE 3) answer.  These are sometimes collectively referred to as "void lookups".  SPF implementations SHOULD limit "void lookups" to two.  An implementation MAY choose to make such a limit configurable.  In this case, a default of two is RECOMMENDED.  Exceeding the limit produces a "permerror" result.
 
-- Addition to the original paragraph --

ADMDs should be aware that the void lookup limit can easily be exceeded by using sender-specific macros ("s", "l", "o", "i", "h") in more than 2 terms.
 
The following example will lead to a permerror in most implementations if the <ip> is not found in any of the lists:
 
  v=spf1 exists:%{ir}.list1.example.net exists:%{ir}.list2.example.net exists:%{ir}.list3.example.net -all
 
In addition to the above suggestion, I still see a contradiction between the "void lookup limit" and the "exists" mechanism. The functionality of "exists" includes (in my opinion) the negative response (RCODE 3). But the "void lookup limit" allows this to occur only twice. This limits the use of "exists" very much.

Admittedly: I have no good idea how to solve this. :-)
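
The interaction described in this report, as an added example that is not part of the erratum or of any SPF implementation: a minimal evaluator for the "exists" and "all" terms that counts void lookups against the limit of two. Assumptions: DNS is replaced by a constructed dictionary, only the %{ir} macro is expanded (IPv4 only), the separate limit of 10 DNS lookups is not modeled, and "permerror" is returned as soon as a third void lookup occurs.

```python
import ipaddress

VOID_LOOKUP_LIMIT = 2  # default recommended by the RFC 7208 text quoted above
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def expand_ir(ip):
    """Expand %{ir}: the sender's IPv4 octets in reverse order."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def evaluate(record, ip, dns_a):
    """Evaluate the exists/all terms of `record` for sender `ip`.

    dns_a is a constructed stand-in for DNS (name -> list of A records):
    a missing name models RCODE 3, an empty list models RCODE 0 with an
    answer count of 0. Returns (result, void_lookups).
    """
    void = 0
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            return QUALIFIERS[qualifier], void
        if mech.startswith("exists:"):
            name = mech[len("exists:"):].replace("%{ir}", expand_ir(ip))
            if dns_a.get(name):  # at least one A record: mechanism matches
                return QUALIFIERS[qualifier], void
            void += 1  # void lookup: no match, evaluation continues
            if void > VOID_LOOKUP_LIMIT:
                return "permerror", void
    return "neutral", void

# Record from the report; the DNS data below is constructed.
RECORD = ("v=spf1 exists:%{ir}.list1.example.net exists:%{ir}.list2.example.net "
          "exists:%{ir}.list3.example.net -all")
DNS = {"10.2.0.192.list2.example.net": ["127.0.0.2"]}

if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7"):
        print(sender, evaluate(RECORD, sender, DNS))
```

The sender that appears in no list never reaches "-all": the third void lookup turns what the record's author intended as "fail" into "permerror".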