
I've hit a snag with SPF. The SPF record for my domain will contain four or five entries, plus it will contain: include:sgizmo.com

The SPF record for sgizmo.com contains eleven entries! This, plus mine, is way over the maximum ten allowed by the RFC (and probably by most servers). I realize that there has to be a limit in order to prevent DoS attacks. However, in the real world, it is probably not unreasonable for large companies to have many server addresses.

Furthermore, must I now monitor my 'include:' counterparts for changes and additions? Must I check weekly, daily, to ensure that some combination of changes doesn't suddenly put me over the top? It doesn't seem to me that SPF is suitable for prime time.

Is there another way to do this?

sprezzatura

5 Answers


If you're hitting the limit for SPF records, then you're probably doing something wrong. Consider using:

  • "a" shortcut
  • "mx" shortcut
  • Subnets

A very common tactic is to list all of your potential mail exchangers as MX entries for that domain but with an extremely high priority number. Since MXes for a domain are picked in order from lowest to highest, it means that the server will never be selected to receive traffic, but will be listed as being allowed to send traffic. This improves deliverability even for destinations that don't support SPF. Just be sure to include "mx" in your SPF list.

tylerl

Why do you include IP addresses at all?

You can include networks, domain names, mx entries - there is no need to put in a single individual IP address.

TomTom

RFC 7208 states that DNS queries are limited to 10. Therefore, if your SPF record contains 5 IP addresses and sgizmo includes 11, you can get that information with only 2 DNS queries. One query to your DNS for the SPF record and one query to sgizmo for their SPF record. Keep in mind that the initial SPF query doesn't count in the total of 10.

You may be confused about RFC 7208 § 4.6.4 where it states:

The following terms cause DNS queries: the "include", "a", "mx", "ptr", and "exists" mechanisms, and the "redirect" modifier. SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS.

This doesn't mean that your SPF record can only have 10 items. It means that processing the SPF should cause no more than 10 DNS lookups. For example, the following SPF record has only 2 terms but includes 254 IP Addresses and an include for a total of 265 addresses:

v=spf1 ip4:123.123.123.2/24 include:sgizmo.com -all

That's only 2 DNS lookups and the first one doesn't count. If you also had a web server and 5 MX (mail servers), you could do the following:

v=spf1 mx a ip4:123.123.123.2/24 include:sgizmo.com -all

Since the MX and A terms require DNS lookups, they count as 2 additional DNS queries. Since you can get the full list of MX records in a single DNS query, the above-listed SPF would bring the number of DNS queries to 3 out of 10 and would include 271 addresses.

To look at your issue, let's look at the following SPF record:

v=spf1 ip4:123.123.123.2 ip4:123.123.123.4 ip4:123.123.123.6 ip4:123.123.123.8 ip4:123.123.123.10 include:sgizmo.com -all

This includes 7 terms but only the include requires a DNS query. This means that this would add 16 servers to your valid SPF check and would count as 1 DNS lookup out of 10 as the ip4 terms do not require any DNS queries to resolve them.

John Pace

You're absolutely right, this is an annoying limit in SPF and you're not doing anything wrong.

In fact, sgizmo.com has a terrible SPF record. By itself it accounts 10 DNS lookups, so adding it to your own record would put your SPF at 11, and thus a broken SPF. Receiving mail servers will dismiss your SPF record as a whole, and, if you have setup a DMARC (reject) policy your emails might very well be dropped.

You can check the state of an SPF record at https://dmarcian.com/spf-survey/ or at https://MXToolbox.com or many other tools.

However, the website of SurveyGizmo states that if you use their services and need to add them to SPF, you should use app.sgizmo.com to include, which does only include IP addresses. So that ends up as being only one additional lookup in your own SPF record. Imagine if you have 20 such suppliers sending on your behalf, though!

On your question on monitoring your SPF record, you surely do need to monitor your record and DNS lookup count including all includes of includes. You could write a simple script or visit above mentioned tools once in a while.

A more permanent solution would be to send emails from 3rd party suppliers from a subdomain (surveys.yourdomain.com). Some software also allows you to set an alternate return-path / bounce-address in your emails. SPF is always checked on the Return-Path email domain, if present.

I hope this helps.

Reinto
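The lookup counting that John Pace walks through above and the monitoring script that Reinto suggests, as an added Python example that is not part of the thread and not code from any of the answerers. It applies the RFC 7208 § 4.6.4 rule statically: every include, a, mx, ptr, exists and redirect term costs one lookup, ip4/ip6/all cost none, and include/redirect targets are followed recursively, with loop and missing-record (void lookup) handling. To keep it runnable offline it resolves against an in-memory table instead of real DNS; the domain names from the thread (sgizmo.com, emailsrvr.com, support.zendesk.com, app.sgizmo.com) are reused, but every TXT record in SAMPLE_DNS is constructed for illustration and does not describe those domains' real records, and the .example names and IP ranges are placeholders. Replacing the table with real TXT queries (for instance via dnspython) turns it into the periodic check Reinto describes.

```python
"""Static SPF DNS-lookup counter (RFC 7208 section 4.6.4), offline.

Added example, not from the original thread. All records in SAMPLE_DNS
are constructed; they do not describe the real records of any domain.
"""
from typing import Dict, List, Optional, Tuple

MAX_LOOKUPS = 10
# Terms that cost a DNS query during evaluation. ip4, ip6, all and the
# exp modifier do not count against the limit.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone: sgizmo.com is built to cost exactly 10 lookups
# on its own, mirroring the situation described in the thread.
SAMPLE_DNS: Dict[str, str] = {
    "yourdomain.example": "v=spf1 mx a ip4:192.0.2.0/24 include:sgizmo.com -all",
    "fixed.yourdomain.example": "v=spf1 mx a ip4:192.0.2.0/24 include:app.sgizmo.com -all",
    "sgizmo.com": "v=spf1 a mx include:emailsrvr.com include:support.zendesk.com "
                  "include:_spf.vendor.example -all",
    "app.sgizmo.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
    "emailsrvr.com": "v=spf1 include:_spf1.emailsrvr.com include:_spf2.emailsrvr.com ~all",
    "_spf1.emailsrvr.com": "v=spf1 ip4:198.51.100.0/25 -all",
    "_spf2.emailsrvr.com": "v=spf1 ip4:198.51.100.128/25 -all",
    "support.zendesk.com": "v=spf1 include:mail.zendesk.com ~all",
    "mail.zendesk.com": "v=spf1 ip4:203.0.113.0/25 -all",
    "_spf.vendor.example": "v=spf1 include:_n1.vendor.example include:_n2.vendor.example ~all",
    "_n1.vendor.example": "v=spf1 ip4:203.0.113.128/26 -all",
    "_n2.vendor.example": "v=spf1 ip4:203.0.113.192/26 -all",
    # Edge cases: an include loop and an include of a domain with no record.
    "loop.example": "v=spf1 include:loop2.example -all",
    "loop2.example": "v=spf1 include:loop.example -all",
    "void.example": "v=spf1 include:missing.example -all",
}


def parse_terms(record: str) -> List[Tuple[str, Optional[str]]]:
    """Split a 'v=spf1 ...' record into (name, target) pairs.

    Mechanisms look like 'mx', 'a:host/24' or 'include:dom' and may carry a
    qualifier (+ - ~ ?), which is dropped; modifiers look like 'redirect=dom'.
    A trailing CIDR suffix is stripped from the target.
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    terms: List[Tuple[str, Optional[str]]] = []
    for tok in tokens[1:]:
        tok = tok.lstrip("+-~?")
        if "=" in tok:                      # modifier, e.g. redirect=dom
            name, target = tok.split("=", 1)
        elif ":" in tok:                    # mechanism with target
            name, target = tok.split(":", 1)
        else:                               # bare mechanism, e.g. mx, a, all
            name, target = tok, None
        if target is not None:
            target = target.split("/", 1)[0]
        terms.append((name.lower(), target))
    return terms


def count_lookups(domain: str, dns: Dict[str, str],
                  _path: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Return (DNS-querying terms in domain's SPF tree, diagnostic notes).

    The initial TXT query for `domain` is not counted, matching the RFC.
    A record reached twice via different includes is counted twice, as a
    real evaluator would; only a true ancestor loop is cut short.
    """
    if domain in _path:
        return 0, [f"{domain}: include/redirect loop via {' -> '.join(_path)}"]
    record = dns.get(domain)
    if record is None:
        # The caller already counted the include/redirect term itself.
        return 0, [f"{domain}: no SPF record (void lookup)"]
    total, notes = 0, []
    for name, target in parse_terms(record):
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            if target is None or "%" in target:   # macro targets need a real query
                notes.append(f"{domain}: {name} target {target!r} not followed")
                continue
            sub_total, sub_notes = count_lookups(target, dns, _path + (domain,))
            total += sub_total
            notes.extend(sub_notes)
    return total, notes


def check_spf(domain: str, dns: Dict[str, str]) -> Dict[str, object]:
    """Summary suitable for a scheduled monitoring job: alert when ok is False."""
    lookups, notes = count_lookups(domain, dns)
    return {"domain": domain, "lookups": lookups,
            "ok": lookups <= MAX_LOOKUPS, "notes": notes}


if __name__ == "__main__":
    for d in ("sgizmo.com", "yourdomain.example", "fixed.yourdomain.example",
              "loop.example", "void.example"):
        r = check_spf(d, SAMPLE_DNS)
        print(f"{r['domain']:28} lookups={r['lookups']:2} ok={r['ok']} {r['notes']}")
```

Against the constructed table, sgizmo.com costs 10 lookups by itself, so yourdomain.example (mx, a, plus the include) lands at 13 and fails, while fixed.yourdomain.example, which includes the ip4-only app.sgizmo.com record instead, costs 3. The shared-path check only cuts true loops; a vendor record that two different includes both pull in is counted each time, which is how the limit is actually consumed in practice.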

Correct me if I am wrong, but I thought it was just 10 DNS lookups. I didn't think IP addresses counted for that.

sgizmo.com looks like it has just 5: sgizmo.com, a, mx, emailsrvr.com, and support.zendesk.com.

Waivej