

Sender Policy Framework

FAQ/DDoS

Given a large enough spam run, SPF becomes a DDoS attack against the forged domain!

Each SMTP MTA in a spam run may send a DNS query to the forged host's nameservers. At a million MTAs, that's 100 megabytes of traffic!

DNS queries are still smaller than bounce messages, and most SPF lookups can be cached. Only the relatively uncommon "exists" mechanism doesn't benefit from caching, because it is usually used with macros, which make caching difficult.

Strict processing limits have been put in place to mitigate the risks associated with DNS loading from SPF.
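The caching difference described above can be made concrete. This is an added example, not code from the SPF project: it models one receiving site's resolver cache with no TTL expiry, handles only the `%{i}`, `%{ir}`, `%{l}` and `%{d}` macros, and counts only a record's top-level terms. The records, addresses and senders are constructed, and the limit of 10 DNS-querying terms per check is taken from RFC 4408 section 10.1, not from this page.

```python
import ipaddress

# Terms that cause DNS lookups and count toward the per-check limit
# (RFC 4408 section 10.1); ip4/ip6/all need no lookup.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_DNS_TERMS = 10

def expand(spec, ip, sender):
    """Expand a subset of SPF macros: %{i}, %{ir}, %{l}, %{d} (IPv4 only)."""
    local, domain = sender.split("@")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    table = {"i": ".".join(octets), "ir": ".".join(reversed(octets)),
             "l": local, "d": domain}
    for key, value in table.items():
        spec = spec.replace("%{" + key + "}", value)
    return spec

def lookup_names(record, ip, sender):
    """DNS names one SPF check queries for a record's top-level terms."""
    domain = sender.split("@")[1]
    names = []
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")           # drop the qualifier
        name, _, arg = term.replace("=", ":", 1).partition(":")
        if name in LOOKUP_TERMS:
            names.append((name, expand(arg, ip, sender) if arg else domain))
    if len(names) > MAX_DNS_TERMS:           # a real checker returns PermError
        raise ValueError("permerror: more than 10 DNS-querying terms")
    return names

def authoritative_queries(record, run):
    """Distinct names that miss the cache and reach the domain's nameservers."""
    cache = set()
    for ip, sender in run:
        cache.update(lookup_names(record, ip, sender))
    return len(cache)

# Constructed policies for example.com: one static, one using exists + macros.
STATIC = "v=spf1 mx include:_spf.example.com -all"
MACRO = "v=spf1 exists:%{ir}.%{l}._spf.%{d} -all"

# Constructed run: 1000 messages forging example.com from 1000 distinct IPs.
RUN = [(str(ipaddress.IPv4Address("198.18.0.0") + n),
        f"user{n % 50}@example.com") for n in range(1000)]

if __name__ == "__main__":
    print("static:", authoritative_queries(STATIC, RUN))
    print("macro: ", authoritative_queries(MACRO, RUN))
```

With the static policy the cache absorbs every check after the first; with the macro policy every connecting address produces a new query name, so nothing is reused.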


Last edited 2006-12-10 16:06 (UTC) by Julian Mehnle