Solved

SPF records for multiple servers

Posted on 2014-04-07
8
Medium Priority
449 Views
Last Modified: 2014-05-09
Hi!

We have several dozens of servers around the world that need to send email on behalf of our domain name.

The problem is that they are being tagged as spammers so we want to configure SPF records for them in our DNS so they can send legitimate emails without being filtered by the recipients server.

How can we successfully implement SPF for all the servers in our current scenario and at the same time reduce the amount of lookups?

Thanks a lot for your help with this

ITCentralPoint.com
Question by:ITCentralPoint
8 Comments
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39983110
If you use the Microsoft SPF Tool to generate the SPF record here:

https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Then use the test tool here:

http://www.kitterman.com/spf/validate.html

to test and validate your SPF record you should then be able to publish an SPF record that covers all your servers.

You could just use the ip4:IP_Address_1 ip4:IP_Address_2 options to specify the IPs of the email servers and leave it at that.

e.g., v=spf1 ip4:123.123.123.123 ip4:234.234.234.234 -all

Alan

Author Comment

by:ITCentralPoint
ID: 39983241
Thank you Alan, but am I not limited by the SPF amount of servers I can point from an SPF record? Isn't this limit 10?

http://www.openspf.org/

Thanks for your help

Fernando
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39983267
How many servers do you have?

Are the servers listed in the MX records for the domain?

Author Comment

by:ITCentralPoint
ID: 39986277
Hi,

We have several dozens of servers all around the world. Additionally, we have three other company includes which provide a total of 8 lookups already.

I don't see why the MX records are relevant, as they are to receive mail but not to send. Or am I missing something?

Thanks for your help
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 39986327
I was just wondering if you could use a combination of MX and IP addresses if the receiving IP is the same as the sending IP.  Lots of servers send / receive out of the same IP (but not all).

Can you not configure some of the servers to forward mail to other servers for onward delivery, thus cutting down on the number of 'outbound' servers and thus the IPs / lookups?

Author Closing Comment

by:ITCentralPoint
ID: 40050588
Nobody was able to help me.
LVL 26

Expert Comment

by:DrDave242
ID: 40051124
Thank you Alan, but am I not limited by the SPF amount of servers I can point from an SPF record? Isn't this limit 10?
I know the question is closed, but I want to clear this up, if possible. Confusion about this limit stems from ambiguous language in RFC 4408. Section 10.1 (Processing Limits) contains the following:
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.  If this number is exceeded during a check, a PermError MUST be returned.  The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit.  The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.
This language is expanded and clarified (somewhat) in the shiny new RFC 7208, which obsoletes RFC 4408. Section 4.6.4 states the following:
Some mechanisms and modifiers (collectively, "terms") cause DNS queries at the time of evaluation, and some do not.  The following terms cause DNS queries: the "include", "a", "mx", "ptr", and "exists" mechanisms, and the "redirect" modifier.  SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS.  If this limit is exceeded, the implementation MUST return "permerror". The other terms -- the "all", "ip4", and "ip6" mechanisms, and the "exp" modifier -- do not cause DNS queries at the time of SPF evaluation (the "exp" modifier only causes a lookup at a later time), and their use is not subject to this limit.
This means that the total number of terms (mechanisms and modifiers) which perform DNS lookups in a single SPF record cannot be greater than 10 - it doesn't limit the number of lookups. Mechanisms that don't perform DNS lookups, such as ip4 and ip6, are excluded from this limitation altogether.

There are, however, additional limits imposed on MX and PTR lookups allowed in a single PTR record. Neither of these mechanisms can result in more than 10 lookups per instance of the mechanism, as RFC 7208 states (again in section 4.6.4):
When evaluating the "mx" mechanism, the number of "MX" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.  In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.  If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.

When evaluating the "ptr" mechanism or the %{p} macro, the number of "PTR" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.  In addition to that limit, the evaluation of each "PTR" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.  If this limit is exceeded, all records other than the first 10 MUST be ignored.
Note that exceeding the MX lookup limit results in a PERMERROR, while exceeding the PTR limit merely results in the extra records being ignored.
The upshot of all of this is that you should be somewhat careful about mechanisms/modifiers that result in DNS lookups, but there's no explicit limit on the number of servers that can be contained within an SPF record, as long as the length of the record itself stays within the limit prescribed in RFC 7208, section 3.4:
The published SPF record for a given domain name SHOULD remain small enough that the results of a query for it will fit within 512 octets.
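As an added illustration of the RFC 7208 limits DrDave242 quotes, and of Alan's ip4-only approach, the Python below (written for this page, not code from the thread) counts the lookup-causing terms in an SPF record, ignores ip4/ip6/all, and checks the 512-octet size advice. The include domains and the 203.0.113.0/24 addresses are constructed; it audits only the record text it is given, and since terms inside an include'd record are evaluated too and count toward the same 10, the real total is at least what it reports.

```python
import re

# RFC 7208 section 4.6.4: terms that cause DNS queries during evaluation
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Terms that do not count against the limit of 10
NON_DNS_TERMS = {"all", "ip4", "ip6", "exp"}
MAX_DNS_TERMS = 10
MAX_RECORD_OCTETS = 512  # RFC 7208 section 3.4 (SHOULD fit in 512 octets)

# qualifier, term name, optional argument after ':', '=' or '/'
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9_.-]+)(?:[:=/](.*))?$", re.IGNORECASE)


def parse_terms(record):
    """Return [(qualifier, name, argument)] for every term after the v=spf1 tag."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing leading v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError("unparseable term: %r" % tok)
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def audit(record):
    """Count lookup-causing terms in the record text and check the RFC 7208 limits."""
    names = [name for _, name, _ in parse_terms(record)]
    dns_terms = [n for n in names if n in DNS_TERMS]
    octets = len(record.encode("utf-8"))
    return {
        "dns_terms": len(dns_terms),          # include/a/mx/ptr/exists/redirect
        "ip_terms": names.count("ip4") + names.count("ip6"),
        "unknown_terms": [n for n in names if n not in DNS_TERMS | NON_DNS_TERMS],
        "over_lookup_limit": len(dns_terms) > MAX_DNS_TERMS,  # permerror
        "octets": octets,
        "over_size_limit": octets > MAX_RECORD_OCTETS,
    }


# Constructed sample: three third-party includes plus one ip4 term per sending host.
# 203.0.113.0/24 is RFC 5737 documentation space, not a real sender.
INCLUDES = "include:_spf.example-a.com include:_spf.example-b.com include:_spf.example-c.com"
PER_HOST = "v=spf1 %s %s -all" % (INCLUDES, " ".join("ip4:203.0.113.%d" % i for i in range(1, 41)))
# The same 40 hosts expressed as one CIDR block: no extra DNS terms, far fewer octets.
AGGREGATED = "v=spf1 %s ip4:203.0.113.0/24 -all" % INCLUDES
```

Forty per-host ip4 terms stay well inside the lookup limit but push the record past 512 octets, while the CIDR form keeps the same senders in a fraction of the space.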

Author Comment

by:ITCentralPoint
ID: 40053393
DrDave242 Thank you very much for adding some clarification to this matter.