Sender Policy Framework

FAQ/DDoS

Given a large enough spam run, SPF becomes a DDoS attack against the forged domain!

Each SMTP MTA in a spam run may send a DNS query to the forged host's nameservers. At a million MTAs, that's 100 megabytes of traffic!

DNS queries are still smaller than bounce messages. And most SPF lookups can be cached; only the relatively uncommon "exists" mechanism doesn't benefit from caching (because it is usually used with macros, which make caching difficult).

Strict processing limits have been put in place to mitigate the risks associated with DNS loading from SPF.

Unless noted otherwise, all content on this website is dual-licensed under the GNU GPL v2 and the Creative Commons CC BY-SA 2.5.
The openspf.org domain name was donated by James Couzens, and related domain names by John Pinkerton. Thanks!

Sender Policy Framework

FAQ/DDoS

Given a large enough spam run, SPF becomes a DDoS attack against the forged domain!

The SPF Project

Documentation

Support