SPF: The Top Things That Can Go Wrong

John_M
Marketo Employee

Previously I talked about creating nested SPF entries, but as our excellent deliverability team, and Kiersti Esparza specifically, pointed out to me, there is another way to handle this. There are also a few misconfigurations we commonly see breaking SPF, and I'll talk about them here! If you have a large set of IPs and/or domains and want to include them ALL in SPF, it can get out of hand quite quickly.

Character String Length

SPF records have a limit of 255 characters in a single string. Any more than that and the record will come back as invalid. We have some workarounds, however...

Approach 1 - Multiple Strings

To have more than 255 characters in an SPF record, the record can be broken into multiple strings. The strings are then concatenated together, without spaces, as shown.

IN TXT "v=spf1 .... first" " second string..."

MUST be treated as equivalent to

IN TXT "v=spf1 .... first second string..."

EXAMPLE

text = "v=spf1 ip4:199.15.212.0/22 ip4:72.3.185.0/24 ip4:72.32.154.0/24 ip4:72.32.217.0/24 ip4:72.32.243.0/24 ip4:94.236.119.0/26  ip4:37.188.97.188/32 ip4:185.28.196.0/22 ~all"

(could be)

text = "v=spf1 ip4:199.15.212.0/22" " ip4:72.3.185.0/24 ip4:72.32.154.0/24 ip4:72.32.217.0/24" " ip4:72.32.243.0/24 ip4:94.236.119.0/26" " ip4:37.188.97.188/32 ip4:185.28.196.0/22 ~all"

Approach 2 - Some more detail on the previous blog - Nested or Cascaded entries

This example is for Marketo.com, and you can see that marketo.com is the top-level SPF entry.

In this case, the marketo.com SPF record includes a number of other, different SPF records.  (include:_spf.salesforce.com include:spf.protection.outlook.com include:mktomail.com include:email.influitive.com include:stspg-customer.com)

All entries in the “included” entries are now considered to be part of the marketo.com record.

A great tool to see all nested records in an SPF record is the DMARCIAN SPF Surveyor.

Caveat: This approach has limits

There is a limit of 10 additional “include:” records in an SPF record. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier count against this limit of 10, but the "all", "ip4", and "ip6" mechanisms do not count against this limit.

Also remember, when you “include:” a record in your SPF record, then your record now includes all mechanisms in the “include:” record.  So if your SPF record has 1 “include:”, but the SPF record you are including has 10 already, then your record will now have 11 and will break!

Null Records in the SPF Record

A record that is NULL or does not exist will break an SPF record.  This means be extra careful about typos in your record.  If you “include:” a domain that doesn’t exist, this will break your record.
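The three checks described so far (string length, the limit of 10 through nested includes, and includes that point at a missing record) can be run before a record is published. The following is an added example, not Marketo's tooling: the `.test` domains and the `ZONE` table are constructed sample data standing in for DNS, and `walk` and `lint` are hypothetical helper names.

```python
import re

MAX_STRING = 255    # characters allowed in a single TXT string
MAX_LOOKUPS = 10    # lookup-causing terms, nested includes counted too
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

ZONE = {  # constructed sample data: domain -> TXT strings as published
    "ok.test": ["v=spf1 ip4:192.0.2.0/24", " include:_spf.vendor.test ~all"],
    "_spf.vendor.test": ["v=spf1 ip4:198.51.100.0/24 a mx ~all"],
    "typo.test": ["v=spf1 include:_spf.vendro.test ~all"],  # misspelled include
    "big.test": ["v=spf1 include:_spf.many.test include:_spf.vendor.test ~all"],
    "_spf.many.test": ["v=spf1 " + " ".join(
        f"exists:h{i}.many.test" for i in range(7)) + " ~all"],
    "long.test": ["v=spf1 " + "ip4:203.0.113.7 " * 20 + "~all"],
}

def walk(domain, zone, seen=()):
    """Return (lookup_count, problems) for a record and all it includes."""
    strings = zone.get(domain)
    if not strings:
        return 0, [f"{domain}: no SPF record found (null include)"]
    problems = [f"{domain}: TXT string is {len(s)} chars (max {MAX_STRING})"
                for s in strings if len(s) > MAX_STRING]
    record = "".join(strings)        # strings are joined with no separator
    lookups = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        parts = re.split(r"[:=]", term.lstrip("+-~?").lower(), maxsplit=1)
        name = parts[0].split("/")[0]
        target = parts[1] if len(parts) > 1 else ""
        if name not in LOOKUP_TERMS:
            continue                 # all, ip4, ip6 do not count
        lookups += 1
        if name in ("include", "redirect"):
            if target == domain or target in seen:
                problems.append(f"{domain}: include loop via {target}")
                continue
            sub_count, sub_problems = walk(target, zone, seen + (domain,))
            lookups += sub_count     # the included record's terms count too
            problems += sub_problems
    return lookups, problems

def lint(domain, zone=ZONE):
    """Return the problems found for a domain; an empty list means none."""
    lookups, problems = walk(domain, zone)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} lookup terms (max {MAX_LOOKUPS})")
    return problems
```

Calling `lint("big.test")` shows the nested case from the caveat above: two includes at the top level, but 11 counted terms once the included records are expanded.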

Repetitive Records in the SPF Record

To prevent unnecessary processing that can cause mail systems to slow down, repeated mechanisms aren’t allowed. There is a MAX of 2 repeated lookups in an SPF record. More than that and the record will break. This prevents SPF records from being used in Denial of Service style attacks.

If we have learned anything at Marketo over the years it is that DNS for email is hard!  We have experts on our team who can help unravel the most complicated SPF records.  Raise your hand and let us know if you need help.
