Solved

SPF records for multiple servers

Posted on 2014-04-07
430 Views
Last Modified: 2014-05-09
Hi!

We have several dozen servers around the world that need to send email on behalf of our domain name.

The problem is that they are being tagged as spammers, so we want to configure SPF records for them in our DNS so they can send legitimate emails without being filtered by the recipients' servers.

How can we successfully implement SPF for all the servers in our current scenario and at the same time reduce the amount of lookups?

Thanks a lot for your help with this

ITCentralPoint.com
Question by:ITCentralPoint
8 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
If you use the Microsoft SPF Tool to generate the SPF record here:

https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Then use the test tool here:

http://www.kitterman.com/spf/validate.html

to test and validate your SPF record you should then be able to publish an SPF record that covers all your servers.

You could just use the ip4:IP_Address_1 ip4:IP_Address_2 options to specify the IPs of the email servers and leave it at that.

e.g., v=spf1 ip4:123.123.123.123 ip4:234.234.234.234 -all

Alan
0
 

Author Comment

by:ITCentralPoint
Thank you Alan, but am I not limited in the number of servers I can point to from an SPF record? Isn't this limit 10?

http://www.openspf.org/

Thanks for your help

Fernando
0
 
LVL 76

Expert Comment

by:Alan Hardisty
How many servers do you have?

Are the servers listed in the MX records for the domain?
0
 

Author Comment

by:ITCentralPoint
Hi,

We have several dozen servers all around the world. Additionally, we have three other company includes, which already account for a total of 8 lookups.

I don't see why the MX records are relevant, as they are for receiving mail, not sending. Or am I missing something?

Thanks for your help
0
 
LVL 76

Accepted Solution

by:Alan Hardisty (earned 500 total points)
I was just wondering if you could use a combination of MX and IP addresses if the receiving IP is the same as the sending IP.  Lots of servers send / receive out of the same IP (but not all).

Can you not configure some of the servers to forward mail to other servers for onward delivery, thus cutting down on the number of 'outbound' servers and therefore the IPs / lookups?
0
 

Author Closing Comment

by:ITCentralPoint
Nobody was able to help me.
0
 
LVL 25

Expert Comment

by:DrDave242
Thank you Alan, but am I not limited by the SPF amount of servers I can point from an SPF record? Isn't this limit 10?
I know the question is closed, but I want to clear this up, if possible. Confusion about this limit stems from ambiguous language in RFC 4408. Section 10.1 (Processing Limits) contains the following:
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.  If this number is exceeded during a check, a PermError MUST be returned.  The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit.  The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.
This language is expanded and clarified (somewhat) in the shiny new RFC 7208, which obsoletes RFC 4408. Section 4.6.4 states the following:
Some mechanisms and modifiers (collectively, "terms") cause DNS queries at the time of evaluation, and some do not.  The following terms cause DNS queries: the "include", "a", "mx", "ptr", and "exists" mechanisms, and the "redirect" modifier.  SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS.  If this limit is exceeded, the implementation MUST return "permerror". The other terms -- the "all", "ip4", and "ip6" mechanisms, and the "exp" modifier -- do not cause DNS queries at the time of SPF evaluation (the "exp" modifier only causes a lookup at a later time), and their use is not subject to this limit.
This means that the total number of terms (mechanisms and modifiers) which perform DNS lookups in a single SPF record cannot be greater than 10 - it doesn't limit the number of lookups. Mechanisms that don't perform DNS lookups, such as ip4 and ip6, are excluded from this limitation altogether.

There are, however, additional limits imposed on MX and PTR lookups allowed in a single PTR record. Neither of these mechanisms can result in more than 10 lookups per instance of the mechanism, as RFC 7208 states (again in section 4.6.4):
When evaluating the "mx" mechanism, the number of "MX" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.  In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.  If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.

When evaluating the "ptr" mechanism or the %{p} macro, the number of "PTR" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.  In addition to that limit, the evaluation of each "PTR" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.  If this limit is exceeded, all records other than the first 10 MUST be ignored.
Note that exceeding the MX lookup limit results in a PERMERROR, while exceeding the PTR limit merely results in the extra records being ignored.
The upshot of all of this is that you should be somewhat careful about mechanisms/modifiers that result in DNS lookups, but there's no explicit limit on the number of servers that can be contained within an SPF record, as long as the length of the record itself stays within the limit prescribed in RFC 7208, section 3.4:
The published SPF record for a given domain name SHOULD remain small enough that the results of a query for it will fit within 512 octets.
0
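The counting rule DrDave242 quotes from RFC 7208 section 4.6.4 (and Alan's point that ip4 terms cost nothing) can be checked mechanically before a record is published. This is an added example, not code from the thread or from any SPF library: it walks a record, follows include: and redirect= into the referenced records, and counts only the lookup-causing terms. DNS is replaced by a constructed table of hypothetical domains so it runs offline, and it counts the worst case (every term evaluated, no early match), which is what the limit is meant to cap.

```python
"""Count the DNS-querying terms of an SPF record per RFC 7208, section 4.6.4.

Added example (not from the thread). FAKE_DNS is a constructed stand-in for
TXT lookups; the domains in it are hypothetical.
"""
import re

# Mechanisms that cause a DNS query at evaluation time; "redirect" also counts.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10          # overall limit on lookup-causing terms (4.6.4)
MAX_RECORD_OCTETS = 512   # published record SHOULD fit in 512 octets (3.4)

# Constructed records: two direct ip4 servers plus three vendor includes.
FAKE_DNS = {
    "example.test": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 include:_spf.vendor-a.test "
                    "include:_spf.vendor-b.test include:_spf.vendor-c.test -all",
    "_spf.vendor-a.test": "v=spf1 a mx ip4:198.51.100.0/24 ~all",
    "_spf.vendor-b.test": "v=spf1 include:_spf2.vendor-b.test ip6:2001:db8::/32 -all",
    "_spf2.vendor-b.test": "v=spf1 a:relay.vendor-b.test mx -all",
    "_spf.vendor-c.test": "v=spf1 redirect=_spf.vendor-a.test",
}

def spf_terms(record):
    """Split an SPF record into its terms, dropping the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]

def count_lookups(domain, dns=FAKE_DNS, path=()):
    """Worst-case number of lookup-causing terms evaluated for domain.
    The per-instance cap on MX/PTR address records is not modelled here."""
    if domain in path:            # include/redirect loop: stop descending
        return 0
    path = path + (domain,)
    total = 0
    for term in spf_terms(dns[domain]):
        bare = term.lstrip("+-~?")                      # drop the qualifier
        name = re.split(r"[:/=]", bare, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":                       # nested terms count too
                total += count_lookups(bare.split(":", 1)[1], dns, path)
        elif name == "redirect":
            total += 1 + count_lookups(bare.split("=", 1)[1], dns, path)
        # ip4, ip6, all and exp cause no lookup at evaluation time
    return total

def check_record(domain, dns=FAKE_DNS):
    """Report the lookup count and record size a receiver would be bound by."""
    lookups = count_lookups(domain, dns)
    octets = len(dns[domain].encode())
    return {"lookups": lookups, "permerror": lookups > MAX_LOOKUPS,
            "octets": octets, "too_long": octets > MAX_RECORD_OCTETS}
```

For the constructed example.test record the three includes alone reach 11 lookup-causing terms, so the record fails with permerror even though its two ip4 entries cost nothing; adding more ip4 servers would only matter for the 512-octet size guidance.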
 

Author Comment

by:ITCentralPoint
DrDave242 Thank you very much for adding some clarification to this matter.
0
