Apr 09 2019 06:10 AM
I am curious how others are handling SPF records with multiple active vendors. We have several vendors that send emails on our behalf, so I add them to our SPF record. However we always have more than 10 lookups. Heck Salesforce takes up 7, and that is only one. Is there something I am missing here? Is this an error that can be ignored?
Apr 09 2019 06:54 AM - edited Apr 09 2019 06:56 AM
@Jeff Harlow Jeff we had similar issues as you and found that we had to 'flatten' our SPF records. What we ended up doing was creating multiple txt records in DNS for this. We started with the original txt entry with the domain name, and then added spf1 and spf2 txt records. Inside the main record you then reference these other two records. The biggest issue becomes the domain names which count toward your total of 10. In our case we used the SPF survey site listed below which helps to flatten your records by using IP address ranges.
Our Main SPF Record:
v=spf1 include:spf.protection.outlook.com include:spf.somesite.net include:anotherSite.com include:spf1.ourDomainName.com include:spf2.ourDomainName.com ~all
SPF1 and SPF2 would look like this with all IP's. We got these ranges with the help of the Dmarcian site
SPF1
v=spf1 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28
SPF2
v=spf1 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28
Apr 09 2019 09:53 AM
The best workaround is to use a separate domain/subdomain for such emails.
Apr 09 2019 10:22 AM
@DougBartley Wouldn't flattening the IPs cause issues in the future when IP addresses change? DNS would seem like it would be better to manage. Servers can often change IP addresses and that information does not always get reported back from a vendor to a client.
Apr 09 2019 10:23 AM
@VasilMichev Can you elaborate on this one, please?
Apr 10 2019 12:34 AM
@Jeff Harlow Simply create a separate record for another domain and use it to send those messages.
@DougBartley multiple SPF records for the same domain are NOT supported.
Apr 10 2019 05:15 AM
@VasilMichev I know we had to create a subdomain for a certain task; I wonder if those will work for sending email out from? Otherwise, I am at a loss. They make it sound as if you should have active vendors sending emails but companies do. We are a small business and yet we have 4 different vendors that send emails on our behalf. I cannot imagine what larger corporations do. Several vendors may even send on behalf of users, so different domains may not be a valid solution. I will have to check on how those are to verify. Not sure why SPF records have such a low limit.
Apr 10 2019 05:40 AM
@VasilMichev We have a single SPF record setup in DNS and then 2 TXT records that are referenced in the SPF record. All records are read as one by recipient servers and we have a valid SPF record with 10/10 lookups. It has worked for what we are doing and we have not had issues with any vendors switching or adding IP's. Most have a large block of IP's and adding the entire block has worked fine. Also, most of these emails being sent are for our marketing department so they are not critical emails.
sampledomain.com TXT
v=spf1 include:spf1.sampledomain.com include:spf2.sampledomain.com include:spf3.sampledomain.com -all
spf1.sampledomain.com TXT
v=spf1 a mx a:mail.domain.com a:mail.domain.ie a:server5.somedomain.com
spf2.sampledomain.com TXT
v=spf1 a:server7.somedomain.com mx:server95.somedomain.com include:thatdomain.com
Apr 10 2019 10:59 AM
@DougBartley got ya, it's my fault for not reading your full reply. However, in this scenario the 10 DNS lookups limit still applies, and it's actually magnified by the additional includes you've added. The only benefits you get are for adding a large number of IP blocks. For example, none of those 3 separate records exhausts the 10 lookups, but when you combine them together, you invalidate the record:
v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:amazon.com -all
@Jeff Harlow why wouldn't they? All you need to do is tell the vendor that you want those messages sent from, say, user@marketing.domain.com instead of user@domain.com.
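To make the lookup arithmetic in the two posts above concrete (each include: costs one lookup plus everything inside it, while ip4:/ip6: cost nothing, which is the whole point of flattening), here is an added example; it is not code from this thread or from dmarcian. The ZONE dictionary is a constructed stand-in for live DNS that mirrors Doug's record layout, and a term with no mechanism (like a bare hostname) is rejected the way a verifier would.

```python
import re

# Constructed zone mirroring the thread's records; not real DNS data.
ZONE = {
    "sampledomain.com": "v=spf1 include:spf1.sampledomain.com include:spf2.sampledomain.com -all",
    "spf1.sampledomain.com": "v=spf1 a mx a:mail.domain.com ip4:198.51.100.0/24 -all",
    "spf2.sampledomain.com": "v=spf1 mx:server95.somedomain.com include:thatdomain.com ip4:203.0.113.0/28 -all",
    "thatdomain.com": "v=spf1 include:_spf.thatdomain.com ip6:2001:db8::/32 -all",
    "_spf.thatdomain.com": "v=spf1 ip4:192.0.2.0/24 ip4:192.0.2.0/24 -all",
}
# Terms that cost a DNS query (RFC 7208 section 4.6.4, limit 10); ip4/ip6/all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse(record):
    """Yield (name, argument, raw term) per term; a bare hostname with no mechanism is rejected."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    for term in parts[1:]:
        m = re.match(r"^[+\-~?]?([a-z0-9]+)(?:[:=](.*))?$", term, re.I)
        if not m:
            raise ValueError("bad term (missing mechanism?): %r" % term)
        yield m.group(1).lower(), m.group(2), term

def count_lookups(domain, zone=ZONE, depth=0):
    """One lookup per lookup term, plus whatever each included/redirected record costs."""
    if depth > 10:
        raise RuntimeError("include chain too deep at %s (loop?)" % domain)
    total = 0
    for name, arg, _ in parse(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, depth + 1)
    return total

def flatten(domain, zone=ZONE):
    """Inline every include: as deduplicated ip4/ip6 terms. a/mx/ptr/exists/redirect come
    back separately: they still need live DNS, so each still costs a lookup afterwards."""
    ips, residual = [], []
    for name, arg, term in parse(zone[domain]):
        if name == "include":
            sub_ips, sub_res = flatten(arg, zone)
            ips += [t for t in sub_ips if t not in ips]
            residual += sub_res
        elif name in ("ip4", "ip6") and term not in ips:
            ips.append(term)
        elif name in LOOKUP_TERMS:
            residual.append(term)
    return ips, residual
```

With this zone the combined record costs 8 lookups even though no single record exceeds 10; after flattening, only the four a/mx terms still count, so the IPs a vendor publishes via include: are what flattening actually saves.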
Apr 10 2019 11:15 AM
@VasilMichev Jeff I'd have to agree that if you can use Vasil's approach it would be much easier to manage. Hopefully you don't have a marketing department that fails to consult with IT before they decide to do things. Then you are stuck with trying to make it work like we did.
May 18 2019 09:53 PM
@DougBartley Thanks! Used https://dmarcian.com/spf-survey/ to flatten SPF into three TXT records and worked perfectly. Have tested all third-party email sending platforms we use with our domain using http://tools.bevhost.com/spf/ and SPF is reporting pass on all, including for Office 365 (previously using include:spf.protection.outlook.com). Now on to using dmarcian to configure and transition to full DMARC!
Jul 21 2020 09:34 AM
If you're willing to pay, this might be another option for automatic flattening of the SPF record.