I administer email for a few clients of mine, using Postfix. One of the
policies that is in place is SPF-checking, and rejecting messages
accordingly. This has been working well for months.

However, today a user called me to complain that they weren't able to
get confirmed with PayPal to set up a new account. Turns out, SPF was
rejecting the email from PayPal because of "Too many DNS lookups". This
was somewhat surprising as I had been expecting the problem to be with
my greylisting setup.

I took a look at PayPal's SPF structure and it is indeed a big mess -
lots of includes, and those includes have lots of hosts and MX records,
etc.

I helped the user by temporarily disabling all SPF checking and then
reenabling it after the user got confirmed, but I was wondering if there
is an elegant way to tell Postfix to "ignore the going over MAX_LOOKUPS"
for ("paypal.com",). I guess this would involve modifying policyd-spf.py?

I took a look at the source spf.py, and see where these values are
hardcoded, complete with references to the RFC, and I don't want to
modify those hardcoded values. I also don't want to disable SPF as the
final layer of policy checking on my mail server. But, I have to
recognize that companies like PayPal are big players, and I'm probably
not going to get them to budge by complaining, so I should try to
accommodate their messy setups as much as possible, as my users are
nearly always right.

Anyone been down this road before and can offer tips/advice? I did
google for relevant strings, but didn't come up with anything that
appeared to address this specific problem.
--
pkm ~ http://paulmcnett.com
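
For diagnosing the "Too many DNS lookups" rejection described in the post, here is an added example (not part of the original message and not code from pyspf or policyd-spf) that counts the DNS-querying terms an SPF check would walk through and reports which term becomes lookup number 11. The domain names, records, `ZONE` table and function names are all constructed for illustration; macros are not expanded.

```python
import re

LOOKUP_LIMIT = 10  # cap on DNS-querying terms per SPF check (RFC 7208 section 4.6.4)
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for DNS; none of this is a real sender's data.
ZONE = {
    "bigsender.example": "v=spf1 include:pp.bigsender.example "
                         "include:mkt.bigsender.example include:corp.bigsender.example ~all",
    "pp.bigsender.example": "v=spf1 mx a:out1.bigsender.example a:out2.bigsender.example "
                            "ip4:192.0.2.0/24 ~all",
    "mkt.bigsender.example": "v=spf1 include:esp.example mx a ~all",
    "esp.example": "v=spf1 a:m1.esp.example a:m2.esp.example ip4:198.51.100.0/24 ~all",
    "corp.bigsender.example": "v=spf1 mx ptr ~all",
    "small.example": "v=spf1 mx ip4:203.0.113.5 -all",
}

def _walk(domain, zone, trail):
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return
    for term in record.split()[1:]:
        if len(trail) >= 4 * LOOKUP_LIMIT:  # stop on circular includes
            return
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term, re.I)
        if not m or m.group(1).lower() not in QUERYING:
            continue  # ip4, ip6, all, exp= and so on cost no lookup
        trail.append((domain, term))
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            _walk(m.group(2), zone, trail)

def count_lookups(domain, zone=ZONE):
    """Worst case (no term matches early): (count, ordered list of (record, term))."""
    trail = []
    _walk(domain, zone, trail)
    return len(trail), trail

def first_over_limit(domain, zone=ZONE):
    """The (record, term) that would be lookup number LOOKUP_LIMIT + 1, or None."""
    count, trail = count_lookups(domain, zone)
    return trail[LOOKUP_LIMIT] if count > LOOKUP_LIMIT else None

if __name__ == "__main__":
    for name in ("bigsender.example", "small.example"):
        count, _ = count_lookups(name)
        print(name, count, "lookups; trips the limit at:", first_over_limit(name))
```

The count is an upper bound: a real check stops at the first matching term, so mail from a host listed early in the record can pass while mail from a host listed late is rejected for the same domain.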