
Like many others, I have navigated the SPF/DKIM/DMARC world with some confusion. About 4 weeks ago or so I finished setting everything (SPF/DKIM/DMARC) up correctly for a GoDaddy-hosted domain that uses Google's mailservers.

I set the _dmarc TXT record to take zero action with p=none and I used Postmark to monitor the results to see what was passing and failing over a week.

After a week or so I looked at the Postmark results and inserted the include: statements for the domains that I wanted to pass, but weren't. Then I waited another week to see the results. However, the results showed that the domains still weren't passing SPF or DKIM. Below is the SPF record, I've redacted parts of it that are revealing, but two of the domains are legit and still aren't passing.

v=spf1 include:_spf.google.com include:freshemail.io include:cherryroad.com ~all

Do I need to use the actual IP addresses in the include statements instead of the domains? Postmark lists these as well so that would be easy if so.

Fishcakes

2 Answers

1

No, you shouldn't copy their IPs in there because they are subject to change, especially Google's.

If it's failing, presumably you have some results (usually in message headers) that tell you exactly which IP is failing, and you can track it down manually through those includes, do a reverse lookup on it, etc.

However, you're also using GoDaddy, which is mostly guaranteed not to work as they either block outbound SMTP or route it through their own servers, so you're very unlikely to get an SPF pass.

Synchro
  • Thanks for the info! Postmark does the IP translation for me as part of the summaries so I don't have to read through all of the individual results. My knowledge on this is lacking so I don't fully understand. Shouldn't GoDaddy be routing mail through the MX record (Google) and not through their own servers? – Fishcakes Mar 22 '21 at 14:48
  • That's ok if you're sending *to* a gmail address, but won't work if you want to send *from* a gmail address, which is what I'd expect you to be doing if you have an `include` for them in your SPF. – Synchro Mar 22 '21 at 14:52
  • Dang, thanks for the fast response. Yeah I mean, Freshmail (Freshservice) and the service that uses Cherryroad are both using a noreply@mydomain email, which is a Google email. Are you saying GoDaddy specifically creates an issue here? What are my options then? Can I not use DMARC? – Fishcakes Mar 22 '21 at 14:57
  • The main problem is that if you're trying to send from a gmail.com address, gmail.com has strict SPF and a `p=reject` policy and that means that you *must* send through gmail's servers. GoDaddy deliberately blocks sending through gmail (or any external SMTP service), so that's a problem. The same does *not* apply to your own domain handled by gmail because you are in control of your own SPF, however, you'll still need GoDaddy's (`secureserver.net`) domain `include`d in your SPF if your messages are going out that way. HTTP-based email can be a good workaround for their block. – Synchro Mar 22 '21 at 19:11
1

The issue was with SPF DNS lookup limits. I had no idea this was a thing and I'm amazed that this isn't mentioned anywhere on the documentation (whether that's Google's official documentation or otherwise) on setting up SPF/DKIM/DMARC, and didn't come up in Googling of this issue. This limit is designed to prevent denial of service attacks and infinite DNS loops.

For anyone else who sees this post:

v=spf1 include:_spf.google.com include:freshemail.io include:cherryroad.com ~all

This SPF record actually has almost 15 DNS lookups, and the limit is 10 per domain. You can find out how many SPF DNS lookups your domain has with a service like AutoSPF or Easy DMARC.

The solution, once you see your total DNS lookups, comes in four options:

  1. Create subdomains and use those to diversify the records. For example using "email@business.mydomain.com" as the email for freshemail.io. Then on the SPF record for that subdomain, you would only have v=spf1 include:freshemail.io resulting in less than 10 DNS lookups for that domain.

  2. As @Synchro mentioned, you don't want to use IPs because those can very well change, but the concept of using IPs instead of the domain names does essentially work because an IP address doesn't cost a DNS lookup. Check with the support/engineering of whatever service you're using, it's possible that they have an IP (or an IP range) that doesn't change often. You might be able to bring your DNS lookups under ten using this.

    Note that Google takes up about 3 DNS lookups, and you'll probably want to leave that one as the _spf.google.com value.

    Note that every SPF record also has a 255 character limit, so if you're using only IPs you'll probably need to break that up into a lot of SPF records.

  3. Use an SPF flattening or compressing service like AutoSPF. Essentially, these services employ method #2, but do some backend work every few hours to check and update the IP addresses associated with the domains. Then they provide you with a "compressed" record like v=spf1 include:_6359384.autospf.com ~all that references all of your records and results in far fewer DNS lookups.

  4. Create your own method that acts kind of like #2 and #3: using GoDaddy's API, brew up something that performs updated lookups on a schedule/job and updates separate SPF records including all of the IPs.

Fishcakes
  • At the time of writing freshemail.io does not have an SPF record at the root of the domain. Did this change? I was curious which service accounted for sooo many lookups (professional curiosity). But of course it is cherryroad.com's SPF that is terribly polluted. One note on subdomains: Some services will let you configure a subdomain just for the SPF lookup (for where the bounce emails go). But still enable you to send FROM the organizational domain. So SPF on `sub.domain.tld` and from `domain.tld`. This is allowed by default in DMARC. – Reinto Apr 20 '21 at 12:06
  • On the 255 character limit note: Technically, you should not create multiple SPF records, but multiple strings inside 1 SPF record. More than 1 SPF record will break the lookup. – Reinto Apr 20 '21 at 12:07
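The lookup arithmetic behind this answer (which terms cost a lookup, why the record above blows past 10, how a subdomain or a flattened record brings it back under) together with Reinto's point about splitting one TXT record into several strings, as an added example that is not part of the question or either answer. Everything below runs offline against a constructed stand-in zone: the domain names ending in .example, the _netblocks*.google.com records and all the addresses are made up for the illustration and are not the real records of Google, freshemail.io or cherryroad.com. Per-MX address lookups, which RFC 7208 limits separately, are not modelled.

```python
"""Count SPF DNS lookups and flatten a record, offline, against a constructed zone."""

# Constructed stand-in for DNS: domain -> SPF TXT record. These records are made up
# for the example (RFC 5737 / RFC 3849 documentation addresses) and are NOT the real
# records of google.com, freshemail.io or cherryroad.com.
FAKE_ZONE = {
    "mydomain.example": "v=spf1 include:_spf.google.com include:freshemail.example "
                        "include:cherryroad.example ~all",
    # Option 1 from the answer: a subdomain used only for the freshemail sender.
    "business.mydomain.example": "v=spf1 include:freshemail.example ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "freshemail.example": "v=spf1 a mx include:spf.vendor-a.example ~all",
    "spf.vendor-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "cherryroad.example": "v=spf1 include:spf1.cr.example include:spf2.cr.example "
                          "include:spf3.cr.example include:spf4.cr.example "
                          "include:spf5.cr.example ~all",
    "spf1.cr.example": "v=spf1 ip4:192.0.2.11 ~all",
    "spf2.cr.example": "v=spf1 ip4:192.0.2.12 ~all",
    "spf3.cr.example": "v=spf1 ip4:192.0.2.13 ~all",
    "spf4.cr.example": "v=spf1 ip4:192.0.2.14 ~all",
    "spf5.cr.example": "v=spf1 ip4:192.0.2.15 ~all",
}

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup; ip4/ip6/all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TXT_STRING_LIMIT = 255


def parse_term(term):
    """Return (mechanism, target, term-without-qualifier) for one SPF term."""
    stripped = term.lstrip("+-~?")
    if "=" in stripped.split(":")[0]:          # modifier, e.g. redirect=foo.example
        name, _, value = stripped.partition("=")
    else:                                       # mechanism, e.g. include:foo.example, a/24
        name, _, value = stripped.partition(":")
    return name.split("/")[0], value, stripped


def count_lookups(domain, zone, path=()):
    """Number of DNS lookups a receiver spends evaluating `domain`'s SPF record."""
    record = zone.get(domain)
    if record is None or domain in path:        # missing record, or an include loop
        return 0
    total = 0
    for term in record.split()[1:]:             # skip the v=spf1 version tag
        mech, target, _ = parse_term(term)
        if mech in LOOKUP_TERMS:
            total += 1
            if mech in ("include", "redirect"):
                total += count_lookups(target, zone, path + (domain,))
    return total


def spf_result(domain, zone):
    """'permerror' when the record needs more than 10 lookups, otherwise 'ok'."""
    return "permerror" if count_lookups(domain, zone) > MAX_LOOKUPS else "ok"


def flatten(domain, zone, path=()):
    """Inline every include:/redirect= into literal terms (what a flattening service does)."""
    record = zone.get(domain)
    if record is None or domain in path:
        return []
    terms = []
    for term in record.split()[1:]:
        mech, target, stripped = parse_term(term)
        if mech in ("ip4", "ip6"):
            terms.append(stripped)
        elif mech in ("include", "redirect"):
            terms.extend(flatten(target, zone, path + (domain,)))
        elif mech in ("a", "mx"):
            # A bare 'a'/'mx' means the *current* domain; pin it so the term keeps its
            # meaning once moved into the parent record (it still costs one lookup).
            terms.append(stripped if target else f"{mech}:{domain}{stripped[len(mech):]}")
    return terms


def build_flat_record(domain, zone, default="~all"):
    """One record with the includes resolved; duplicates removed, order preserved."""
    seen, terms = set(), []
    for t in flatten(domain, zone):
        if t not in seen:
            seen.add(t)
            terms.append(t)
    return "v=spf1 " + " ".join(terms) + " " + default


def split_txt_strings(record, limit=TXT_STRING_LIMIT):
    """Split a long record into <=255-char strings of ONE TXT record (Reinto's note).
    Receivers concatenate the strings, so each non-final chunk keeps its trailing space."""
    chunks, current = [], ""
    for term in record.split():
        piece = term + " "
        if len(current) + len(piece) > limit:
            chunks.append(current)
            current = ""
        current += piece
    chunks.append(current.rstrip())
    return chunks


if __name__ == "__main__":
    for d in ("mydomain.example", "business.mydomain.example"):
        print(d, count_lookups(d, FAKE_ZONE), spf_result(d, FAKE_ZONE))
    flat = build_flat_record("mydomain.example", FAKE_ZONE)
    print(flat)
    print(split_txt_strings(flat, limit=80))
```

With the constructed zone, mydomain.example costs 14 lookups (3 for its own includes, 3 under _spf.google.com, 3 under freshemail.example's a, mx and include, 5 under cherryroad.example) and so evaluates to permerror, which is why a receiver reports neither pass nor fail. The business.mydomain.example subdomain needs 4, and the flattened record only 2 (the pinned a: and mx: terms). Pointing the same functions at live DNS only requires replacing the zone dictionary with a TXT resolver; the counting rules do not change.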