
How can I include another SPF record if my existing domain already has 10 lines of SPF records in the TXT record?

I wanted to add these two:

include:mailgun.org
include:sendgrid.net 

This is my existing SPF record:

v=spf1 a mx ptr ip4:69.64.152.23/32 ip4:69.64.152.123/32 ip4:52.13.23.26/32 ip4:54.68.180.96/32 ip4:52.116.0.27/32 include:_spf.psm.knowbe4.com include:_spf.google.com include:servers.mcsv.net include:mail.zendesk.com -all

It is just about at the maximum of 10 DNS lookups (screenshot).

Will this break the existing mail flow?

This is the result of the https://dmarcian.com/spf-survey/ test after adding the two additional records above (screenshot).

Any help would be greatly appreciated.

Thanks

  • 1
    I think you can do what Google does and create subdomains making heavy use of the include mechanism. Just follow dig txt _spf.google.com +short to see what I mean. Haven't had to deal with this problem before, so I haven't tested creating my own solution.
    – Paul
    Commented Jul 19, 2022 at 14:19
  • 1
    Yes, though Google seems to like underscores in each subdomain v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all.
    – Paul
    Commented Jul 19, 2022 at 14:48
  • 1
    I see 6 DNS lookups, not 10. What do you see if you check your domain here: spf-record.com/spf-lookup
    – joeqwerty
    Commented Jul 19, 2022 at 16:33
  • 1
    @joeqwerty Kitterman's SPF Query Tool returns Results - PermError SPF Permanent Error: Too many DNS lookups after adding the two new includes.
    – Paul
    Commented Jul 19, 2022 at 18:15
  • 1
    @Paul... Yes. I didn't mean to imply that there were only 6 in total. I meant that the base SPF record includes 6 and the OP needs to check for nested DNS lookups. I should have been more clear. That's why I suggested using the tool at the link I posted.
    – joeqwerty
    Commented Jul 19, 2022 at 18:24

2 Answers

4

I'm going through almost exactly the same issue at my employer. We have 11 DNS entries, some brought in by recursion (thanks gmail!). The ip4 and ip6 entries do not contribute; only things that cause a DNS lookup count.

The best fix is to reconfigure sendgrid or mandrill or qualtrics to use a subdomain for all their sending. Something like @customersuccess.mycompany.com, to avoid being brand-specific. This gives you a separate batch of 10 DNS entries and helps partition mail senders from each other.
However, it is nigh-on impossible to get a working service reconfigured in a corporate world.

You can lay down that any new mail-sending service MUST use a suitable subdomain, which is less-impossible.

Technically - both our SPF records are out-of-compliance with RFC 4408 documented at https://datatracker.ietf.org/doc/html/rfc7208 where section 4.6.4 says

In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records. If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.

Technically, any MTA could start rejecting our company's emails with a PERMERROR at any time.

That has not happened in my experience, and while it is not impossible, the likelihood is very low. And if someone did implement this, it would be one/some mail-receiving MTAs, not all at once.


Related, I found that https://www.proofpoint.com/us/cybersecurity-tools/dmarc-spf-creation-wizard#spf-check works well for doing a nice check on SPF.

microsoft.com has exactly 10 DNS lookups,
toyota.com has 18 (and a typo around the use of mx in the wrong place, and some pieces are too big for a UDP packet too).

Upshot - yes it's wrong, but not really enforced at this time.

Update a couple weeks later - I have identified that there are some few mail servers which accept then silently drop emails because of this. So I'm attempting to update my SPF record to be flattened - see https://security.stackexchange.com/questions/264167/flattening-an-spf-record-drawbacks-and-downsides

  • 2
    ‘it's wrong, but not really enforced at this time’ – interesting statement. From what I’ve read on this website and elsewhere, getting a permerror rejection when exceeding DNS lookup limits is quite common.
    – glts
    Commented Jul 20, 2022 at 6:09
  • 1
    Hi @glts, I have updated the thread above with the screenshot, showing that adding the two entries has caused the DNS lookups to go over the maximum limit of 10. Commented Jul 20, 2022 at 6:34
  • 2
    @glts agreed - I'm legitimately interested to find any real domain or mail receiving MTA that rejects or fails the email for this reason.
    – Criggie
    Commented Jul 20, 2022 at 19:29
  • 1
    At the least, someone could review the popular open-source projects that check SPF and see which ones will fail under this condition.
    – Paul
    Commented Aug 18, 2022 at 12:47
6

This will break the SPF check, as an error will occur.

To be specific, the error will be: SPF PermError: too many DNS lookups

The mail flow will be affected, as almost all servers/antispam systems check SPF, and that will cause those servers to reject the email, as they are unable to validate the email's identity.

Adding an ip4 entry, on the other hand, is not subject to that restriction. I would check whether you can add those two new hosts' IP ranges instead; it's the only way you could make it work.

  • 1
    Hi @yagmoth, are the ip4 entries not counted towards the 10 DNS lookup limit? If it breaks, I assume the last added entry will be broken, not the whole SPF or TXT string?  Commented Jul 19, 2022 at 14:11
  • 2
    No, as it's not a lookup; that limit of 10 is to prevent DoS or abuse, i.e. so that an antispam system does not get stuck on DNS lookups when an email arrives from an abusive host/SPF. (Just watch yourself, as sometimes adding a DNS entry adds others under it. It's easy to hit the limit of 10 that way.)
    – yagmoth555
    Commented Jul 19, 2022 at 14:12
  • 2
    If it breaks, the server that receives the mail and checks the SPF aborts checking the SPF, so it's a fail nonetheless, as your mail will be rejected.
    – yagmoth555
    Commented Jul 19, 2022 at 14:15
  • 1
    Do you know of any mailserver that enforces the DNS count restriction at this time? I've been searching and finding some would help me in my work. The mail-logs I can access do not show any rejections that can be pinned on SPF DNS count.
    – Criggie
    Commented Jul 20, 2022 at 0:17
  • OK, according to the above-updated screenshot, shall I change the -all into ~all? Will this cause any security posture issues or lower the security posture? Commented Jul 20, 2022 at 6:35
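The counter and flattener below are an added example, not code from the question or from either answer. They implement the rule both answers rely on (a, mx, ptr, include, exists and redirect each cost a DNS lookup, includes recursively; ip4 and ip6 terms cost nothing) and the flattening the first answer's update mentions. The example.com record is the one from the question with the domain name substituted; the records for every include target, the Google netblocks included, are constructed for an offline run and are not the real ones (the real mailgun.org and sendgrid.net records contain further includes, so the real increase is larger than the 2 shown here). customersuccess.example.com is a hypothetical sending subdomain of the kind the first answer recommends.

```python
"""Count and flatten the DNS lookups an SPF record costs (RFC 7208 s4.6.4).
Added example, not code from the question or the answers.  Only example.com's
record is the one posted; every include target's record is CONSTRUCTED so this
runs offline (the real mailgun.org and sendgrid.net records include more)."""
import re
from typing import Dict, List, Tuple

# Each of these costs one DNS lookup; ip4, ip6, all and exp cost none.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
MAX_LOOKUPS = 10

TXT: Dict[str, str] = {
    "example.com": (  # the question's record, domain name substituted
        "v=spf1 a mx ptr ip4:69.64.152.23/32 ip4:69.64.152.123/32 "
        "ip4:52.13.23.26/32 ip4:54.68.180.96/32 ip4:52.116.0.27/32 "
        "include:_spf.psm.knowbe4.com include:_spf.google.com "
        "include:servers.mcsv.net include:mail.zendesk.com -all"),
    "_spf.google.com": (  # shape quoted in the comments; netblocks invented
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.psm.knowbe4.com": "v=spf1 ip4:192.0.2.10/32 -all",
    "servers.mcsv.net": "v=spf1 ip4:192.0.2.20/30 ?all",
    "mail.zendesk.com": "v=spf1 ip4:192.0.2.30/32 -all",
    "mailgun.org": "v=spf1 ip4:192.0.2.40/28 ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.50/28 ~all",
    # a sending subdomain as the first answer recommends: its own record, so its own 10
    "customersuccess.example.com": "v=spf1 include:sendgrid.net -all",
}


def parse_terms(record: str) -> List[Tuple[str, str, str, str]]:
    """Split a record into (qualifier, name, argument, bare_term) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = []
    for tok in tokens[1:]:
        qual = tok[0] if tok[0] in "+-~?" else ""
        bare = tok[len(qual):]
        m = re.fullmatch(r"([A-Za-z0-9]+)(?:[:=/](.*))?", bare)
        if not m:
            raise ValueError(f"unparseable SPF term {tok!r}")
        out.append((qual, m.group(1).lower(), m.group(2) or "", bare))
    return out


def count_lookups(domain: str, zone: Dict[str, str], path: Tuple[str, ...] = ()) -> int:
    """DNS lookups needed to evaluate `domain`'s record, includes expanded."""
    if domain in path:                  # an include loop is a permerror anyway
        raise ValueError(f"include loop via {domain}")
    total = 0
    for _, name, arg, _ in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total


def flatten(domain: str, zone: Dict[str, str]) -> str:
    """Expand every include: into the ip4/ip6 terms it resolves to; top-level
    a/mx/ptr are copied through (each still costs a lookup), an included
    record's own 'all' is dropped, and other lookup terms inside are reported."""
    body: List[str] = []

    def walk(d: str, top: bool) -> None:
        for qual, name, arg, bare in parse_terms(zone[d]):
            if name == "include":
                walk(arg, False)
            elif name in ("ip4", "ip6") or top:
                body.append(qual + bare)       # the outer 'all' lands here too
            elif name != "all":
                raise ValueError(f"{d}: {bare!r} needs resolving before flattening")
    walk(domain, True)
    return "v=spf1 " + " ".join(body)


def txt_strings(record: str, limit: int = 255) -> List[str]:
    """Split a long record into strings of at most `limit` octets.  Receivers
    join a TXT RR's strings with nothing in between (RFC 7208 s3.3), so each
    continuation string must begin with the separating space."""
    chunks, cur = [], ""
    for tok in record.split():
        piece = tok if not cur and not chunks else " " + tok
        if cur and len(cur) + len(piece) > limit:
            chunks.append(cur)
            cur = piece
        else:
            cur += piece
    return chunks + [cur]


if __name__ == "__main__":
    grown = {**TXT, "example.com": TXT["example.com"].replace(
        " -all", " include:mailgun.org include:sendgrid.net -all")}
    print(count_lookups("example.com", TXT), count_lookups("example.com", grown), MAX_LOOKUPS)
    print(txt_strings(flatten("example.com", grown)))
```

With the constructed data the posted record costs exactly 10 lookups (3 for a/mx/ptr, 4 includes, 3 nested under _spf.google.com), the two extra includes push it to 12, the sending subdomain costs 1 on its own budget, and the flattened record drops to 3. To run it against real data, replace each TXT entry with the output of dig +short txt <name> (joining the quoted strings dig prints for a long record). As far as the lookup count goes, the -all versus ~all question in the last comment has a simple answer: the qualifier on all costs no lookup, so the change leaves the count exactly where it was and only alters what a receiver does with a non-matching sender. txt_strings is there because a flattened record easily exceeds 255 octets, the maximum for a single TXT string, and a split that drops the space at the boundary silently merges two ip4 terms into one unparseable term.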
