How can I include another SPF record if my existing domain already has 10 lines of SPF records in the TXT record?

I wanted to add these two:

include:mailgun.org
include:sendgrid.net

This is my existing SPF record:

v=spf1 a mx ptr ip4:69.64.152.23/32 ip4:69.64.152.123/32 ip4:52.13.23.26/32 ip4:54.68.180.96/32 ip4:52.116.0.27/32 include:_spf.psm.knowbe4.com include:_spf.google.com include:servers.mcsv.net include:mail.zendesk.com -all

It is just about at the maximum of 10 DNS lookups (screenshot not included).

Will this break the existing mail flow?

This is the result of the https://dmarcian.com/spf-survey/ test, after adding the two additional records above (screenshot not included).

Any help would be greatly appreciated.

Thanks

Senior Systems Engineer
  • I think you can do what Google does and create subdomains making heavy use of the `include` mechanism. Just follow `dig txt _spf.google.com +short` to see what I mean. Haven't had to deal with this problem before so haven't tested creating my own solution. – Paul Jul 19 '22 at 14:19
  • OK, so do I need to create additional DNS TXT records like SPF1.domain.com which contain additional SPF entries? – Senior Systems Engineer Jul 19 '22 at 14:43
  • Yes, though Google seems to like underscores in each subdomain: `v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all`. – Paul Jul 19 '22 at 14:48
  • I see 6 DNS lookups, not 10. What do you see if you check your domain here: https://www.spf-record.com/spf-lookup – joeqwerty Jul 19 '22 at 16:33
  • @joeqwerty Kitterman's [SPF Query Tool](https://www.kitterman.com/spf/validate.html) returns `Results - PermError SPF Permanent Error: Too many DNS lookups` after adding the two new includes. – Paul Jul 19 '22 at 18:15
  • @Paul... Yes. I didn't mean to imply that there were only 6 in total. I meant that the base SPF record includes 6 and the OP needs to check for nested DNS lookups. I should have been more clear. That's why I suggested using the tool at the link I posted. – joeqwerty Jul 19 '22 at 18:24
  • Yes, you are right @joeqwerty, the nested SPF entry has also caused additional DNS lookups. – Senior Systems Engineer Jul 20 '22 at 06:36

2 Answers

This will break the SPF check, as an error will occur.

To be specific, that error will be: SPF PermError: too many DNS lookups

The mail flow will be affected, as almost all servers/antispam check the SPF, and that will cause those servers to reject the email since they are unable to validate the email identity.

Adding IPv4 entries does not count towards that restriction on the other side. I would check if you can add those two new hosts' IP ranges instead, if you can; it's the only way you could make it work.

yagmoth555
  • Hi @yagmoth, are the ip4 entries not counted towards the 10 DNS lookup limit? If it breaks, I assume the last added entry will be broken, not the whole SPF or TXT string? – Senior Systems Engineer Jul 19 '22 at 14:11
  • No, as it's not a lookup; that limit of 10 is to prevent DoS or abuse, i.e. to not have an antispam stuck on DNS lookups when an email arrives from an abusive host/SPF. (Just watch yourself, as sometimes adding a DNS entry adds others under it. It's easy to hit the 10 limit that way.) – yagmoth555 Jul 19 '22 at 14:12
  • If it breaks, the server that receives the mail and checks the SPF aborts checking the SPF, so it's a fail nonetheless, as your mail will be rejected. – yagmoth555 Jul 19 '22 at 14:15
  • Do you know of any mailserver that enforces the DNS count restriction at this time? I've been searching, and finding some would help me in my work. The mail logs I can access do not show any rejections that can be pinned on the SPF DNS count. – Criggie Jul 20 '22 at 00:17
  • OK, according to the above updated screenshot, shall I change the -all into ~all? Will this cause any security posture issues or lower the security posture? – Senior Systems Engineer Jul 20 '22 at 06:35

I'm going through almost exactly the same issue at my employer. We have 11 DNS entries, some brought in by recursion (thanks gmail!). The ip4 and ip6 entries do not contribute; only things that cause a DNS lookup count.

The best fix is to reconfigure sendgrid or mandrill or qualtrics to use a subdomain for all their sending. Something like @customersuccess.mycompany.com to avoid being brand-specific. This gives you a separate batch of 10 DNS entries and helps partition mail senders from each other. However, it is nigh-on impossible to get a working service reconfigured in a corporate world.

You can lay down that any new mail-sending service MUST use a suitable subdomain, which is less-impossible.

Technically, both our SPF records are out of compliance with RFC 4408, documented at https://datatracker.ietf.org/doc/html/rfc7208, where section 4.6.4 says:

In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records. If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.

Technically, any MTA could start rejecting our company's emails with a PERMERROR at any time.

That has not happened in my experience, and while it is not impossible, the likelihood is very low. And if someone did implement this, it would be one/some mail-receiving MTAs, not all at once.

Related, I found that https://www.proofpoint.com/us/cybersecurity-tools/dmarc-spf-creation-wizard#spf-check works well for doing a nice check on SPF.

microsoft.com has exactly 10 DNS lookups;
toyota.com has 18 (and a typo around the use of mx in the wrong place, and some pieces are too big for a UDP packet too).

Upshot: yes, it's wrong, but not really enforced at this time.

Update a couple of weeks later: I have identified that there are some few mail servers which accept and then silently drop emails because of this. So I'm attempting to update my SPF record to be flattened; see https://security.stackexchange.com/questions/264167/flattening-an-spf-record-drawbacks-and-downsides

Criggie
  • 'it's wrong, but not really enforced at this time' – interesting statement. From what I've read on this website and elsewhere, getting a *permerror* rejection when exceeding DNS lookup limits is quite common. – glts Jul 20 '22 at 06:09
  • Hi @glts, I have updated the thread above with the screenshot, showing that adding the two entries has caused the DNS lookups to go over the 10 maximum limit. – Senior Systems Engineer Jul 20 '22 at 06:34
  • @glts agreed. I'm legitimately interested to find any real domain or mail-receiving MTA that rejects or fails the email for this reason. – Criggie Jul 20 '22 at 19:29
  • At the least, *someone* could review the popular open-source projects that check SPF and see which ones will fail under this condition. – Paul Aug 18 '22 at 12:47
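To make the counting in the question and both answers concrete, here is an added Python example (not code from the question, either answer, or any of the tools linked) that walks an SPF tree the way a validator does: ip4/ip6 terms cost nothing, each a/mx/ptr/exists/include/redirect costs one lookup, includes recurse, and the same walk gathers the networks that the "flattened" record Criggie's update refers to would carry. The zone names and records in FAKE_DNS are constructed placeholders, not real DNS data.

```python
# Constructed, offline stand-in for DNS TXT lookups; the zone names are placeholders, not real domains.
FAKE_DNS = {
    "example.com": ("v=spf1 a mx ptr ip4:192.0.2.10/32 ip4:192.0.2.11/32 "
                    "include:_spf.vendor-a.example include:_spf.vendor-b.example -all"),
    "_spf.vendor-a.example": "v=spf1 include:_netblocks.vendor-a.example include:_netblocks2.vendor-a.example ~all",
    "_netblocks.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.vendor-a.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.vendor-b.example": "v=spf1 a mx ip4:203.0.113.5/32 -all",
}
RFC7208_LIMIT = 10                          # RFC 7208 section 4.6.4 lookup limit
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include"}

def walk(domain, resolver=FAKE_DNS, path=frozenset()):
    """Return (dns_lookups, ip_networks) for domain's SPF record.
    ip4:/ip6:/all cost no lookup and their networks are collected; a, mx, ptr,
    exists, include and redirect= cost one lookup each, and include/redirect recurse."""
    record = resolver.get(domain, "")
    if domain in path or not record.startswith("v=spf1"):
        return 0, []                        # include loop, or no usable record
    lookups, nets = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # qualifiers do not change the cost
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()   # drop a/24-style masks
        if term.startswith("redirect="):
            name, arg = "include", term[len("redirect="):]
        if name == "include":
            sub_lookups, sub_nets = walk(arg, resolver, path | {domain})
            lookups += 1 + sub_lookups
            nets += sub_nets
        elif name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            nets.append(f"{name}:{arg}")
    return lookups, nets

def count_lookups(domain, resolver=FAKE_DNS):
    return walk(domain, resolver)[0]

def flattened_record(domain, resolver=FAKE_DNS):
    """Build the ip4/ip6-only record that flattening produces. Caveat: a, mx and ptr
    are dropped rather than resolved here, and the output goes stale whenever a
    vendor changes its netblocks, so it has to be regenerated on a schedule."""
    nets = dict.fromkeys(walk(domain, resolver)[1])   # dedupe, keep order
    return "v=spf1 " + " ".join(nets) + " -all"
if __name__ == "__main__":
    n = count_lookups("example.com")
    print(f"example.com needs {n} DNS lookups (limit {RFC7208_LIMIT})")
    print(flattened_record("example.com"))
```

Pointing `resolver` at a real TXT lookup (or pasting your own records into the dict) shows exactly which nested includes push a record past 10 before any receiver returns a PermError.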