  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 467

SPF records for multiple servers

Hi!

We have several dozens of servers around the world that need to send email on behalf of our domain name.

The problem is that they are being tagged as spammers so we want to configure SPF records for them in our DNS so they can send legitimate emails without being filtered by the recipients server.

How can we successfully implement SPF for all the servers in our current scenario and at the same time reduce the amount of lookups?

Thanks a lot for your help with this

ITCentralPoint.com
Asked:
ITCentralPoint
1 Solution
 
Alan Hardisty (Co-Owner) commented:
If you use the Microsoft SPF Tool to generate the SPF record here:

https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Then use the test tool here:

http://www.kitterman.com/spf/validate.html

to test and validate your SPF record you should then be able to publish an SPF record that covers all your servers.

You could just use the ip4:IP_Address_1 ip4:IP_Address_2 options to specify the IPs of the email servers and leave it at that.

e.g., v=spf1 ip4:123.123.123.123 ip4:234.234.234.234 -all

Alan
ITCentralPoint (Author) commented:
Thank you Alan, but am I not limited by the SPF amount of servers I can point from an SPF record? Isn't this limit 10?

http://www.openspf.org/

Thanks for your help

Fernando
Alan Hardisty (Co-Owner) commented:
How many servers do you have?

Are the servers listed in the MX records for the domain?
ITCentralPoint (Author) commented:
Hi,

We have several dozens of servers all around the world. Additionally, we have three other company includes, which provide a total of 8 lookups already.

I don't see why the MX records are relevant, as they are to receive mail but not to send. Or am I missing something?

Thanks for your help
Alan Hardisty (Co-Owner) commented:
I was just wondering if you could use a combination of MX and IP addresses if the receiving IP is the same as the sending IP. Lots of servers send / receive out of the same IP (but not all).

Can you not configure some of the servers to forward mail to other servers for onward delivery, thus cutting down on the number of 'outbound' servers and thus the IPs / lookups?
ITCentralPoint (Author) commented:
Nobody was able to help me.
DrDave242 commented:
Thank you Alan, but am I not limited by the SPF amount of servers I can point from an SPF record? Isn't this limit 10?
I know the question is closed, but I want to clear this up, if possible. Confusion about this limit stems from ambiguous language in RFC 4408. Section 10.1 (Processing Limits) contains the following:
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.  If this number is exceeded during a check, a PermError MUST be returned.  The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit.  The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.
This language is expanded and clarified (somewhat) in the shiny new RFC 7208, which obsoletes RFC 4408. Section 4.6.4 states the following:
Some mechanisms and modifiers (collectively, "terms") cause DNS queries at the time of evaluation, and some do not.  The following terms cause DNS queries: the "include", "a", "mx", "ptr", and "exists" mechanisms, and the "redirect" modifier.  SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS.  If this limit is exceeded, the implementation MUST return "permerror". The other terms -- the "all", "ip4", and "ip6" mechanisms, and the "exp" modifier -- do not cause DNS queries at the time of SPF evaluation (the "exp" modifier only causes a lookup at a later time), and their use is not subject to this limit.
This means that the total number of terms (mechanisms and modifiers) which perform DNS lookups in a single SPF record cannot be greater than 10 - it doesn't limit the number of lookups. Mechanisms that don't perform DNS lookups, such as ip4 and ip6, are excluded from this limitation altogether.

There are, however, additional limits imposed on MX and PTR lookups allowed in a single PTR record. Neither of these mechanisms can result in more than 10 lookups per instance of the mechanism, as RFC 7208 states (again in section 4.6.4):
When evaluating the "mx" mechanism, the number of "MX" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.  In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.  If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.

When evaluating the "ptr" mechanism or the %{p} macro, the number of "PTR" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.  In addition to that limit, the evaluation of each "PTR" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.  If this limit is exceeded, all records other than the first 10 MUST be ignored.
Note that exceeding the MX lookup limit results in a PERMERROR, while exceeding the PTR limit merely results in the extra records being ignored.
The upshot of all of this is that you should be somewhat careful about mechanisms/modifiers that result in DNS lookups, but there's no explicit limit on the number of servers that can be contained within an SPF record, as long as the length of the record itself stays within the limit prescribed in RFC 7208, section 3.4:
The published SPF record for a given domain name SHOULD remain small enough that the results of a query for it will fit within 512 octets.
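Putting Alan's ip4-only approach and DrDave242's reading of the RFC 7208 limit together, here is an added Python example (not from the thread or from any SPF library) that builds a record from a list of sending-server addresses and then statically counts the lookup-causing terms and the octet size of that single record. It only inspects the record text it is given and does not follow nested includes, which would need live DNS; the addresses are documentation ranges and the domains are constructed placeholders.

```python
import ipaddress
import re

# Terms that cost a DNS query at evaluation time (RFC 7208, 4.6.4); ip4, ip6, all, exp do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUP_TERMS = 10    # per SPF check
MAX_RECORD_OCTETS = 512  # section 3.4 guidance for the TXT answer
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?")

def parse_spf(record):
    """Split one SPF record into (qualifier, name, argument) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    terms = []
    for token in tokens[1:]:
        m = TERM_RE.fullmatch(token)
        if not m:
            raise ValueError(f"malformed term: {token}")
        qual, name, arg = m.groups()
        terms.append((qual or "+", name.lower(), arg))
    return terms

def count_lookup_terms(record):
    """Count lookup-causing terms in this record only; nested includes would need live DNS."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)

def check_record(record):
    """Static findings against the RFC 7208 term-count and record-size limits."""
    lookups = count_lookup_terms(record)
    octets = len(record.encode("ascii"))
    return {"lookup_terms": lookups, "lookup_limit_ok": lookups <= MAX_LOOKUP_TERMS,
            "octets": octets, "size_ok": octets <= MAX_RECORD_OCTETS}

def build_ip_record(addresses, includes=(), qualifier="-"):
    """List sending servers as ip4/ip6 terms (no lookups), then includes, then <qualifier>all."""
    terms = []
    for addr in addresses:
        net = ipaddress.ip_network(addr, strict=False)
        mech = "ip4" if net.version == 4 else "ip6"
        single = net.prefixlen == net.max_prefixlen  # single host: omit /32 or /128
        terms.append(f"{mech}:{net.network_address if single else net}")
    terms += [f"include:{d}" for d in includes]
    return "v=spf1 " + " ".join(terms) + f" {qualifier}all"

# Constructed samples: documentation address ranges and placeholder domains.
MANY_SERVERS = build_ip_record(["203.0.113.10", "198.51.100.0/24", "2001:db8::25"],
                               includes=["_spf.partner.test"])
MANY_INCLUDES = "v=spf1 " + " ".join(f"include:spf{i}.example.test" for i in range(11)) + " -all"
```

Calling check_record(MANY_SERVERS) reports one lookup term however many ip4/ip6 entries are listed, while check_record(MANY_INCLUDES) flags eleven lookup terms as over the limit even though the record itself is well under 512 octets.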
ITCentralPoint (Author) commented:
DrDave242 Thank you very much for adding some clarification to this matter.