Solved

SPF records for multiple servers

Posted on 2014-04-07
445 Views
Last Modified: 2014-05-09
Hi!

We have several dozen servers around the world that need to send email on behalf of our domain name.

The problem is that they are being tagged as spammers, so we want to configure SPF records for them in our DNS so they can send legitimate emails without being filtered by the recipients' servers.

How can we successfully implement SPF for all the servers in our current scenario and at the same time reduce the amount of lookups?

Thanks a lot for your help with this

ITCentralPoint.com
Question by:ITCentralPoint
8 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39983110
If you use the Microsoft SPF Tool to generate the SPF record here:

https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Then use the test tool here:

http://www.kitterman.com/spf/validate.html

to test and validate your SPF record, you should then be able to publish an SPF record that covers all your servers.

You could just use the ip4:IP_Address_1 ip4:IP_Address_2 options to specify the IPs of the email servers and leave it at that.

e.g., v=spf1 ip4:123.123.123.123 ip4:234.234.234.234 -all

Alan
0
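Alan's approach above (one ip4: mechanism per sending address, which costs no DNS lookups at evaluation time) is the basis of the following added example. It is not code from this thread or from any tool mentioned in it. It collapses adjacent addresses into CIDR blocks, which is how a list of several dozen servers stays compact, and emits ip6: mechanisms for any IPv6 senders. The function names and the 192.0.2.x and 2001:db8:: addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, List


def _ip_mechanisms(addrs: Iterable[str], version: int) -> List[str]:
    """Render the addresses of one IP version as SPF ip4:/ip6: mechanisms.

    Adjacent hosts are collapsed into the smallest covering CIDR blocks, so
    a rack of consecutive sender IPs becomes a single mechanism.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs]
    nets = [n for n in nets if n.version == version]
    mech = "ip4" if version == 4 else "ip6"
    out = []
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == net.max_prefixlen:
            # A /32 or /128 is a single host; SPF lets us omit the prefix length.
            out.append(f"{mech}:{net.network_address}")
        else:
            out.append(f"{mech}:{net.with_prefixlen}")
    return out


def build_spf_record(sender_ips: Iterable[str],
                     includes: Iterable[str] = (),
                     policy: str = "-all") -> str:
    """Build a v=spf1 record from explicit sender addresses.

    ip4:/ip6: terms do not count against the 10 DNS-querying-term budget;
    each include: does, so they are listed separately and kept to a minimum.
    The record ends with the policy for everything else ('-all' = hard fail).
    """
    sender_ips = list(sender_ips)
    terms = ["v=spf1"]
    terms += _ip_mechanisms(sender_ips, 4)
    terms += _ip_mechanisms(sender_ips, 6)
    terms += [f"include:{domain}" for domain in includes]
    terms.append(policy)
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed sample fleet: four consecutive IPv4 senders, one IPv6 sender,
    # plus one third-party include.
    fleet = ["192.0.2.3", "192.0.2.1", "192.0.2.0", "192.0.2.2", "2001:db8::25"]
    print(build_spf_record(fleet, includes=["spf.example.net"]))
```

Publishing the output as the domain's TXT record is the only remaining step; re-run the builder whenever a server is added or retired so the record never lists an address that is no longer under your control.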
 

Author Comment

by:ITCentralPoint
ID: 39983241
Thank you, Alan, but am I not limited in the number of servers I can point to from an SPF record? Isn't this limit 10?

http://www.openspf.org/

Thanks for your help

Fernando
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39983267
How many servers do you have?

Are the servers listed in the MX records for the domain?
0

Author Comment

by:ITCentralPoint
ID: 39986277
Hi,

We have several dozen servers all around the world. Additionally, we have three other company includes, which provide a total of 8 lookups already.

I don't see why the MX records are relevant, as they are used to receive mail, not to send it. Or am I missing something?

Thanks for your help
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39986327
I was just wondering if you could use a combination of MX and IP addresses if the receiving IP is the same as the sending IP. Lots of servers send / receive out of the same IP (but not all).

Can you not configure some of the servers to forward mail to other servers for onward delivery, thus cutting down on the number of 'outbound' servers and thus the IPs / lookups?
0
 

Author Closing Comment

by:ITCentralPoint
ID: 40050588
Nobody was able to help me.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 40051124
Thank you, Alan, but am I not limited in the number of servers I can point to from an SPF record? Isn't this limit 10?
I know the question is closed, but I want to clear this up, if possible. Confusion about this limit stems from ambiguous language in RFC 4408. Section 10.1 (Processing Limits) contains the following:
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.  If this number is exceeded during a check, a PermError MUST be returned.  The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit.  The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.
This language is expanded and clarified (somewhat) in the shiny new RFC 7208, which obsoletes RFC 4408. Section 4.6.4 states the following:
Some mechanisms and modifiers (collectively, "terms") cause DNS queries at the time of evaluation, and some do not.  The following terms cause DNS queries: the "include", "a", "mx", "ptr", and "exists" mechanisms, and the "redirect" modifier.  SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS.  If this limit is exceeded, the implementation MUST return "permerror". The other terms -- the "all", "ip4", and "ip6" mechanisms, and the "exp" modifier -- do not cause DNS queries at the time of SPF evaluation (the "exp" modifier only causes a lookup at a later time), and their use is not subject to this limit.
This means that the total number of terms (mechanisms and modifiers) which perform DNS lookups in a single SPF record cannot be greater than 10 - it doesn't limit the number of lookups. Mechanisms that don't perform DNS lookups, such as ip4 and ip6, are excluded from this limitation altogether.

There are, however, additional limits imposed on MX and PTR lookups allowed in a single PTR record. Neither of these mechanisms can result in more than 10 lookups per instance of the mechanism, as RFC 7208 states (again in section 4.6.4):
When evaluating the "mx" mechanism, the number of "MX" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.  In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.  If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.

When evaluating the "ptr" mechanism or the %{p} macro, the number of "PTR" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above.  In addition to that limit, the evaluation of each "PTR" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records.  If this limit is exceeded, all records other than the first 10 MUST be ignored.
Note that exceeding the MX lookup limit results in a PERMERROR, while exceeding the PTR limit merely results in the extra records being ignored.
The upshot of all of this is that you should be somewhat careful about mechanisms/modifiers that result in DNS lookups, but there's no explicit limit on the number of servers that can be contained within an SPF record, as long as the length of the record itself stays within the limit prescribed in RFC 7208, section 3.4:
The published SPF record for a given domain name SHOULD remain small enough that the results of a query for it will fit within 512 octets.
0
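DrDave242's distinction (the cap is on DNS-querying terms, not on servers, and the whole record should fit in 512 octets) can be checked before a record is published. The Python below is an added example, not part of the original thread; it classifies the terms of one record according to RFC 7208 section 4.6.4 and reports the two limits quoted above. It does not resolve anything, so the lookups performed inside include: targets, which draw on the same budget of 10, are outside its view; the `audit_spf` name and the example.net records are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# RFC 7208 s4.6.4: terms that cause DNS queries during evaluation ...
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# ... and terms that do not (exp is fetched only after evaluation).
NO_LOOKUP_TERMS = {"all", "ip4", "ip6", "exp"}
MAX_LOOKUP_TERMS = 10      # exceeding this is a permerror
MAX_RECORD_OCTETS = 512    # RFC 7208 s3.4: answer SHOULD fit in 512 octets

_TERM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")


def parse_terms(record: str) -> List[Tuple[str, str, str]]:
    """Split a record into (qualifier, name, argument) triples.

    Mechanisms look like [qualifier]name[:arg][/cidr]; modifiers look like
    name=value. Names are compared case-insensitively, as the RFC requires.
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        qualifier = ""
        if tok and tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        m = _TERM_RE.match(tok)
        if not m:
            raise ValueError(f"malformed term: {tok!r}")
        terms.append((qualifier, m.group(1).lower(), m.group(3) or ""))
    return terms


def audit_spf(record: str) -> Dict[str, object]:
    """Count DNS-querying terms and check the record size.

    Returns the counts plus a list of human-readable problems; an empty
    problem list means the record is within both limits on its own.
    """
    terms = parse_terms(record)
    lookup_names = [name for _, name, _ in terms if name in LOOKUP_TERMS]
    ip_terms = sum(1 for _, name, _ in terms if name in ("ip4", "ip6"))
    unknown = [name for _, name, _ in terms
               if name not in LOOKUP_TERMS and name not in NO_LOOKUP_TERMS]
    octets = len(record.encode("ascii"))

    problems = []
    if len(lookup_names) > MAX_LOOKUP_TERMS:
        problems.append(
            f"{len(lookup_names)} DNS-querying terms; RFC 7208 4.6.4 allows at "
            f"most {MAX_LOOKUP_TERMS} per evaluation (receivers return permerror)")
    if octets > MAX_RECORD_OCTETS:
        problems.append(
            f"record is {octets} octets; RFC 7208 3.4 says the answer should "
            f"fit in {MAX_RECORD_OCTETS}")
    return {
        "lookup_terms": len(lookup_names),
        "lookup_names": lookup_names,
        "ip_terms": ip_terms,
        "unknown_modifiers": unknown,   # unknown modifiers are ignored by receivers
        "octets": octets,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed records: Alan's two-IP example, and one that overspends lookups.
    for rec in ("v=spf1 ip4:123.123.123.123 ip4:234.234.234.234 -all",
                "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " -all"):
        result = audit_spf(rec)
        print(result["lookup_terms"], "lookup terms,", result["ip_terms"], "ip terms")
        for p in result["problems"]:
            print("  problem:", p)
```

Running this over a candidate record catches the two failure modes in the thread: a long chain of third-party include: terms that silently turns every check into a permerror, and a flat list of ip4: terms that is lookup-free but has outgrown a single DNS answer.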
 

Author Comment

by:ITCentralPoint
ID: 40053393
DrDave242 Thank you very much for adding some clarification to this matter.
0
