How can I create and update the existing SPF record to allow more than 10 entries?

Question

How can I include another SPF record if my existing domain already has 10 lines of SPF records in the TXT record?

I wanted to add these two:

include:mailgun.org
include:sendgrid.net 

This is my existing SPF record:

v=spf1 a mx ptr ip4:69.64.152.23/32 ip4:69.64.152.123/32 ip4:52.13.23.26/32 ip4:54.68.180.96/32 ip4:52.116.0.27/32 include:_spf.psm.knowbe4.com include:_spf.google.com include:servers.mcsv.net include:mail.zendesk.com -all

It is just about right 10 maximum DNS lookups:

Will this break the existing mail flow?

This is the result of the https://dmarcian.com/spf-survey/ test, after adding the two additional records above:

Any help would be greatly appreciated.

Thanks

Answer 1

I'm going through almost exactly the same issue at my employer. We have 11 DNS entries, some brought in by recursion (thanks gmail!) The ip4 and ip6 entries do not contribute, only things that cause a DNS lookup count.

The best fix is to reconfigure sendgrid or mandrill or qualtrics to use a subdomain for all their sending. Something like @customersuccess.mycompany.com to avoid being brand-specific. This gives you a separate batch of 10 DNS entries and helps partition mail senders from each other.
However it is nigh-on impossible to get a working service reconnfigured in a corporate world.

You can lay down that any new mail-sending service MUST use a suitable subdomain, which is less-impossible.

Technically - both our SPF records are out-of-compliance with RFC 4408 documented at https://datatracker.ietf.org/doc/html/rfc7208 where section 4.6.4 says

In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records. If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.

Technically, any MTA could start rejecting our company's emails with a PERMERROR at any time.

That has not happened in my experience, and while it is not impossible, the likelyhood is very low. And if someone did implement this, it would be one/some mail-receiving MTAs not all at once.

---

Related, I found that https://www.proofpoint.com/us/cybersecurity-tools/dmarc-spf-creation-wizard#spf-check works well for doing a nice check on SPF.

microsoft.com has exactly 10 DNS lookups,
toyota.com has 18 (and a typo around the use of mx in the wrong place, and some pieces are too big for a UDP packet too. )

Upshot - yes it's wrong, but not really enforced at this time.

Update a couple weeks later - I have identified that there are some few mail servers which accept then silently drop emails because of this. So I'm attempting to update my SPF record to be flattened - see https://security.stackexchange.com/questions/264167/flattening-an-spf-record-drawbacks-and-downsides

Answer 2

This will break the SPF's check as a error will occur.

To be specific, that error will come; SPF PermError: too many DNS lookups

The mailflox will be affected as almost all servers/antispam check the SPF and that will cause those server to reject the email as it's unable to validate the email identity.

Adding IPv4 entry does not make that restriction on the other side. I would check if you can add those two new host IP range if you can, it's the only way you could make it work.