Andy (Administrator, Creative Team)
In this article, we will learn how to implement SPF include records, which can be useful when you have a large SPF record with many entries.

Many people may not realise it, but the Sender Policy Framework (SPF) specification limits the number of DNS lookups a single SPF check may perform to 10, counted across the main record and every record it includes.

Section 10.1, "Processing Limits", of RFC 4408 (the SPF RFC; its successor, RFC 7208, keeps the same limit in section 4.6.4) specifies the following with regard to DNS lookups:
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.

This limit exists so that evaluating an SPF record cannot be turned into a denial-of-service amplifier, either against the receiving server doing the evaluation or against the DNS of the domains the record references.

Consider the following SPF record for contoso.com (the hostnames and addresses are for example purposes only). Every a, mx and include term costs one lookup, so this record already spends 8 of the 10 before fabrikam.com's own record is counted:
contoso.com TXT
v=spf1 a mx a:mail.alpineskihouse.com a:mail.cohowinery.com a:server5.contoso.com a:server7.contoso.com mx:server86.contoso.com include:fabrikam.com ip4:202.159.32.2 ip4:202.159.33.2 -all

Splitting this record into include records does not, by itself, reduce that count: every include is itself a lookup, and the lookups inside an included record still count towards the same total of 10. What splitting does give you is a short, readable main record, separate records that can be delegated and maintained independently, and a way to keep each TXT record within the 255-octet limit on a single TXT character-string and the size of a UDP DNS response. Bear that in mind when you split: the total across the main record and all of its includes is what must stay at or under 10. With that caveat, we will split the record above into several include records and reference them from the main record.

Create the following TXT records. Here they are placed under adatum.com, but any zone you control will do, as long as each include target resolves. Note that a bare a or mx inside an included record is evaluated against the included record's own domain (here 1.spf.adatum.com), not against contoso.com, so the first two mechanisms are written out with an explicit domain:
1.spf.adatum.com TXT
v=spf1 a:contoso.com mx:contoso.com a:mail.alpineskihouse.com a:mail.cohowinery.com a:server5.contoso.com -all
2.spf.adatum.com TXT
v=spf1 a:server7.contoso.com mx:server86.contoso.com include:fabrikam.com -all
3.spf.adatum.com TXT
v=spf1 ip4:202.159.32.2 ip4:202.159.33.2 -all
Note: You can create more records as required, but each one referenced by include costs a lookup.

Then amend the main SPF record as follows:
contoso.com TXT
v=spf1 include:1.spf.adatum.com include:2.spf.adatum.com include:3.spf.adatum.com -all

Once the DNS change has propagated, receiving servers evaluate the included records as if they were part of the main record, and the lookup count is cumulative across all of them. For the records above: 3 for the three include terms, 5 inside 1.spf.adatum.com (a:contoso.com, mx:contoso.com and three a: mechanisms), 3 inside 2.spf.adatum.com (a:, mx: and include:fabrikam.com) plus whatever fabrikam.com's own record spends, and 0 inside 3.spf.adatum.com. That is 11 before fabrikam.com is counted, which exceeds the limit of 10 and produces PermError, so the split records as they stand fail where the original single record (8 plus fabrikam.com) passed. To bring the total back under the limit, replace a: and mx: mechanisms for hosts with fixed addresses with ip4: or ip6: terms, as 3.spf.adatum.com already does, and use no more includes than you need.
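To make that count concrete, here is an added example (not code from the original post) in Python that walks an SPF record tree the way a receiver does and totals the lookup-triggering terms, following include: and redirect= into the referenced records. The zone data is constructed and embedded so the script runs offline; in particular the fabrikam.com record is an assumption (a lookup-free record), since the post does not show it. It reports 8 for the original contoso.com record and 11 for the split version, which is over the limit.

```python
"""Count the DNS-lookup-triggering terms in an SPF record tree.

Added example, not part of the original post. Zone data is constructed
and embedded so the script runs offline; the fabrikam.com record is an
assumption (the post does not show it).
"""
import re

# Mechanisms and the one modifier that cost a DNS lookup (RFC 4408 s10.1).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed TXT data standing in for live DNS. Assumption: fabrikam.com
# publishes a record with no lookups of its own.
ORIGINAL_ZONE = {
    "contoso.com": "v=spf1 a mx a:mail.alpineskihouse.com a:mail.cohowinery.com "
                   "a:server5.contoso.com a:server7.contoso.com "
                   "mx:server86.contoso.com include:fabrikam.com "
                   "ip4:202.159.32.2 ip4:202.159.33.2 -all",
    "fabrikam.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

SPLIT_ZONE = {
    "contoso.com": "v=spf1 include:1.spf.adatum.com include:2.spf.adatum.com "
                   "include:3.spf.adatum.com -all",
    "1.spf.adatum.com": "v=spf1 a:contoso.com mx:contoso.com "
                        "a:mail.alpineskihouse.com a:mail.cohowinery.com "
                        "a:server5.contoso.com -all",
    "2.spf.adatum.com": "v=spf1 a:server7.contoso.com mx:server86.contoso.com "
                        "include:fabrikam.com -all",
    "3.spf.adatum.com": "v=spf1 ip4:202.159.32.2 ip4:202.159.33.2 -all",
    "fabrikam.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

# optional qualifier, term name, then an argument after ':', '=' or '/'
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def count_lookups(domain, zone, seen=None):
    """Return the lookups a receiver spends evaluating `domain`'s record.

    Follows include: and redirect= into the referenced records, so the
    result is the cumulative count the RFC limits. Raises ValueError on a
    loop or a missing record, since both end in PermError on a receiver.
    """
    seen = seen or set()
    if domain in seen:
        raise ValueError(f"include loop via {domain}")
    seen = seen | {domain}
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable term {term!r} in {domain}")
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue                         # all, ip4, ip6, exp are free
        total += 1                           # the term's own lookup
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, seen)  # nested record counts too
    return total


def spf_result(domain, zone):
    """Return (lookup count, 'ok' or 'PermError') for the record tree."""
    n = count_lookups(domain, zone)
    return n, ("PermError" if n > LIMIT else "ok")


if __name__ == "__main__":
    for label, zone in (("original", ORIGINAL_ZONE), ("split", SPLIT_ZONE)):
        print(label, *spf_result("contoso.com", zone))
```

Run it against your own zone data (or feed it the TXT strings from dig) before publishing a split; the number to watch is the cumulative total, not the length of any one record.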

Finally, you can verify that your SPF records work, and that the whole include tree stays at or under 10 lookups, with one of my preferred SPF checkers listed below:
 