DNS lookup limits related to MX

I’m confused about how the DNS lookups are counted when dealing with the MX mechanism. The RFC says

When evaluating the "mx" mechanism, the number of "MX" resource
records queried is included in the overall limit of 10 mechanisms/
modifiers that cause DNS lookups as described above.  In addition to
that limit, the evaluation of each "MX" record MUST NOT result in
querying more than 10 address records -- either "A" or "AAAA"
resource records.  If this limit is exceeded, the "mx" mechanism MUST
produce a "permerror" result.

It seems clear that a mx mechanism in the SPF record adds one to the DNS count but it is less clear (to me) if querying the DNS to find the records from that MX is added to the count or is it a separate count that also must be no more than 10.
As an example of the problem the spf record for service-now.com is

v=spf1 mx a:b.spf.service-now.com a:c.spf.service-now.com a:d.spf.service-now.com ~all

There are at least 4 terms querying the DNS. Querying the DNS for the MX of service-now.com returns 8 MX records. Is 8 added to the previous 4 or not? If so then this results a permerror, if not then the record is valid.

Hi Mark,

I was hoping others would respond.

Yes, MX does count against the 10 domain lookup. It’ll be considered as one lookup, since it is looking up the domain’s MX record.

So in the example you defined, it would would 4 domain lookups occurring.

1 Like