I'm currently working on some code for validating SPF records. However when comparing my results for number of lookups with other tools such as MxToolbox and EasyDMARC they seem off.
Currently I'm doing something like the following code.
if (directive.Mechanism == SpfMechanism.MX)
{
_lookups++;
// Lookup the MX records
var records = _resolver.GetMXRecords(directive.MX);
foreach (var record in records)
{
// Do an A lookup for the MX record
_lookups++;
// ...
}
}
However I'm unsure about incrementing the number of lookups for every MX record.
The RFC mentions
check_host() first performs an MX lookup on the . Then it performs an address lookup on each MX name returned. The is compared to each returned IP address. To prevent denial-of-service (DoS) attacks, the processing limits defined in Section 4.6.4 MUST be followed. If the MX lookup limit is exceeded, then "permerror" is returned and the evaluation is terminated. If any address matches, the mechanism matches.
But it's not very clear about whether these should be counted, public implementations also seem to differ on this.
After reading the RFC again very carefully the lookup limit is actually the limit of mechanisms that does a lookup. And each MX mechanism has a lookup of 10, independent from the lookup limit.
My problem was solved by making these changes, and now my results are identical to other SPF tools and libraries.