
Issue: my SPF record (TXT) cannot be retrieved from the DNS entry of the domain zwischengas.com
In my DNS entry I have one line for the SPF record (as a TXT entry):

@  IN TXT "v=spf1 ip4:188.a.b.c ip4:xyz/22 ip4:xyz/24 ip4:xyz/21 ip4:xyz/24 ip4:xyz/24" "ip4:xyz ip4:xyz/22 ip4:xyz ip4:xyz/29 ip4:xyz/29 ip4:xyz/28" "ip4:xyz/24 ip4:xyz/24 a mx ?all"

I have the problem that this SPF record cannot be found, and I have no clue why. According to the RFC, splitting up a very long line into multiple strings is recommended in order to keep all substrings shorter than 255 characters.

My domain is zwischengas.com, the mail server's IP is 188.a.b.c. Does anybody have a clue?

I tried these tests without success:

host -t txt zwischengas.com
spfquery -ip-address 188.a.b.c -m test@zwischengas.com -h zwischengas.com

The tests with online tools were also unsuccessful:

Google Mail (gmail.com) also cannot retrieve my SPF record (according to the original mail header section):

Received-SPF: neutral (google.com: 188.a.b.c is neither permitted
nor denied by best guess record for domain of
noreply1@zwischengas.com) client-ip=188.a.b.c;
Maen
basZero
  • So each string in the concatenated "1.2.3.4" " 2.3.4.5" can be 255 chars - what's the total max per record (i.e. "a string which is by far longer than what is allowed") – Kevin Mar 16 '15 at 17:44
  • I didn't find a generally valid max value. So did not want to guess the max. – basZero Mar 17 '15 at 07:53

2 Answers


Working Solution

You can test the correctness of your SPF record by calling

host -t txt myhost.com

A simple SPF record could look like this:

@ IN TXT "v=spf1 ip4:244.11.23.13 a mx ?all"

If you add IPs one after the other, you can end up with error messages from the DNS server saying that the string is too long.
A valid solution to this is to introduce " " into it.

So instead of

@  IN TXT "v=spf1 ip4:244.11.23.13 ip4:144.21.23.13 ip4:222.11.11.13 ip4:244.182.23.191 ip4:203.101.22.13 a mx ?all"

you would have (an example):

@ IN TXT "v=spf1 ip4:244.11.23.13 ip4:144.21.23.13" " ip4:222.11.11.13 ip4:244.182.23.191" " ip4:203.101.22.13 a mx ?all"

The " " option is described in the appropriate RFC and is accepted by all DNS servers (what actually happens is that the " " is removed and the substrings are concatenated).

But what if you have 20 IPs? You end up with a string which is by far longer than what is allowed. What can you do?

The solution to this is called: include

An example:

@ IN TXT "v=spf1 include:_spf1.myhost.com include:_spf2.myhost.com a mx ?all"
_spf1 IN TXT "v=spf1 ip4:244.11.23.13 ip4:144.21.23.13 a mx ?all"
_spf2 IN TXT "v=spf1 ip4:222.11.11.13 ip4:244.182.23.191 ip4:203.101.22.13 a mx ?all"

You can extend that with N hierarchies. I hope this helps, as it took me some time to find this out!!

basZero
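An added check, not part of the original answer, that joins a TXT record's strings exactly as an SPF checker does (no separator inserted) and validates the result, so a missing space at a string boundary shows up as a fused, unparseable term; it also counts DNS-querying mechanisms, since RFC 7208 caps those at 10 per evaluation, which matters once you chain `include:` records as above. The sample records are constructed and use RFC 5737 documentation addresses; the term grammar is a simplified subset of the RFC.

```python
import re

# Simplified term grammar from RFC 7208 section 12: optional qualifier, then a
# mechanism (all/include/a/mx/ip4/ip6/exists/ptr) with optional CIDR length.
TERM = re.compile(
    r"^[+\-~?]?(?:all"
    r"|include:[A-Za-z0-9.\-]+"
    r"|(?:a|mx)(?::[A-Za-z0-9.\-]+)?(?:/\d{1,3})?"
    r"|ip4:\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?"
    r"|ip6:[0-9A-Fa-f:.]+(?:/\d{1,3})?"
    r"|exists:[A-Za-z0-9.\-]+"
    r"|ptr(?::[A-Za-z0-9.\-]+)?)$"
)
# Mechanisms that cost a DNS query; RFC 7208 section 4.6.4 allows at most 10.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")


def join_txt_strings(strings):
    """Join the character-strings of one TXT RR as an SPF checker does:
    concatenated with NO separator (RFC 7208 section 3.3)."""
    return "".join(strings)


def check_spf(strings):
    """Return (ok, problems) for an SPF TXT record given as its string list."""
    problems = []
    for i, s in enumerate(strings):
        if len(s) > 255:
            problems.append(f"string {i} is {len(s)} chars (max 255)")
    terms = join_txt_strings(strings).split()
    if not terms or terms[0] != "v=spf1":
        problems.append("record does not start with 'v=spf1'")
    lookups = 0
    for term in terms[1:]:
        if not TERM.match(term):
            problems.append(f"unparseable term: {term!r}")
            continue
        mech = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0]
        if mech in LOOKUP_MECHS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying mechanisms (max 10)")
    return (not problems, problems)


# Constructed samples (RFC 5737 documentation addresses). BROKEN mirrors the
# question: no space at the string boundary, so two ip4 terms fuse into one.
BROKEN = ["v=spf1 ip4:203.0.113.1 ip4:198.51.100.0/22", "ip4:192.0.2.0/24 a mx ?all"]
# FIXED keeps a leading space on the second string, as in the answer above.
FIXED = ["v=spf1 ip4:203.0.113.1 ip4:198.51.100.0/22", " ip4:192.0.2.0/24 a mx ?all"]
```

Feed it the strings exactly as they appear in the zone file (quotes stripped); `check_spf(BROKEN)` reports the fused term `ip4:198.51.100.0/22ip4:192.0.2.0/24`, while `check_spf(FIXED)` returns `(True, [])`.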

What are those multiple "?

@  IN TXT "v=spf1 ip4:188.a.b.c ip4:xyz/22 ip4:xyz/24 ip4:xyz/21 ip4:xyz/24 ip4:xyz/24" "ip4:xyz ip4:xyz/22 ip4:xyz ip4:xyz/29 ip4:xyz/29 ip4:xyz/28" "ip4:xyz/24 ip4:xyz/24 a mx ?all"

Shouldn't that have only a couple of "", and then be:

@  IN TXT "v=spf1 ip4:188.a.b.c ip4:xyz/22 ip4:xyz/24 ip4:xyz/21 ip4:xyz/24 ip4:xyz/24 ip4:xyz ip4:xyz/22 ip4:xyz ip4:xyz/29 ip4:xyz/29 ip4:xyz/28 ip4:xyz/24 ip4:xyz/24 a mx ?all"
user1293137
  • If I try to store it without the multiple ", it says that the line is too long. – basZero Aug 08 '13 at 10:49
  • mmmh, do you edit it through a panel or something similar? Imho you're currently 'avoiding' panel limits using brackets, but crushing the SPF standard by multiplying them. Anyway, if a.b.c and xyz have to be intended as constants, you could change the whole line to: "v=spf1 ip4:188.a.b.c ip4:xyz/21 +a +mx ?all" – user1293137 Aug 08 '13 at 10:55
  • `" "` gets ignored and the strings are concatenated. I found that in the RFC, but don't have the link anymore. I found this: http://www.zytrax.com/books/dns/ch8/txt.html – basZero Aug 08 '13 at 10:57
  • Thanks @user1293137, but all the xyz are different IP ranges from our mail marketing partner... so the line must be really that long and should not be a problem. – basZero Aug 08 '13 at 11:01
  • I found it out. Please see my post above. – basZero Aug 08 '13 at 16:08