Long SPF record issues

We have an SPF record that has just grown longer than 255 characters, and it will get even longer.

According to the RFC, you can exceed that limit by concatenating strings:

https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html

This is our record in concatenated form:

"v=spf1 +a +mx +ip4:192.155.91.197 ip4:74.217.53.10 ip4:74.63.245.98/28 ip4:78.157.218.82/28 ip4:64.247.128.0/18 ip4:129.121.0.0/16 ip4:152.160.0.0/16 ip4:65.75.128.0/18" " include:bookmap.com include:servers.mcsv.net include:zcsend.net include:zoho.com include:spf.protection.outlook -all"

However, our DNS manager (we are with Enom, and I also called GoDaddy) doesn't support this in its front-end DNS manager, so when you enter the record it gets cut off.

Looking for a workaround, or a DNS manager that fully supports it.
Peter Mikula Asked:
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Great.

So in your case you'd create two SPF records, which will chain...

@ IN TXT "v=spf1 ip4:8.45.169.0/24 ip4:64.233.160.0/19 ip4:64.247.128.0/18 ip4:65.75.128.0/18 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.5.230.111 ip4:72.14.192.0/18 ip4:74.63.245.98/28 ip4:74.125.0.0/16 ip4:74.201.84.0/24 ip4:74.201.154.0/24 ip4:74.217.53.10 ip4:78.157.218.82/28 ip4:98.124.199.90 ip4:108.177.8.0/21 ip4:108.177.96.0/19 ip4:121.244.91.11/26 ip4:129.121.0.0/16 ip4:135.84.80.192/26 ip4:135.84.81.0/24 ip4:135.84.83.0/24 ip4:148.105.8.0/21 ip4:152.160.0.0/16 include:spf1.s5trading.com ?all"

spf1 IN TXT "v=spf1 ip4:165.254.168.0/24 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:173.194.0.0/16 ip4:192.155.91.197 ip4:198.2.128.0/18 ip4:204.141.32.0/23 ip4:205.201.128.0/20 ip4:207.46.163.74 ip4:209.85.128.0/17 ip4:216.32.180.10 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all"

So the first record will chain to the 2nd record.

EE's formatting is a bit broken. Remove the leading blanks from the double-quoted TXT record values.
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
This is correct.

What you need is the https://dmarcian.com/spf-survey tool, which attempts to collapse SPF records + also create SPF record chains, so long records work.

Bookmark this tool. It will save you hours of hair pulling.
Peter Mikula (Author) Commented:
This is super handy!

But how does that help with my 255-character limit directly? Or do I set up "subdomains" for my main domain and then add a bunch of include statements, i.e. include:spf1.mydomain.com include:spf2.mydomain.com etc., where each of spf1, spf2 has a subset of the required IPs or domains? But I guess the query then goes even deeper and may exceed other limits?
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
The questions you're asking are far better asked with exact data.

People trying to guess how to answer SPF-related questions... well... near impossible...

Post your entire zone file + all SPF records + likely someone can assist.

SPF records are complex. Best to just place all of Dmarcian's suggestions in your zone file + test again.

When your SPF records are correct, you'll have a pass from the tester.

This can be a long, iterative process.
Peter Mikula (Author) Commented:
Here is my current SPF record, which is already too long, and we will need to add more to it soon:

v=spf1 +a +mx +ip4:192.155.91.197 ip4:74.217.53.10 ip4:74.63.245.98/28 ip4:78.157.218.82/28 ip4:64.247.128.0/18 ip4:129.121.0.0/16 ip4:152.160.0.0/16 ip4:65.75.128.0/18 include:bookmap.com include:servers.mcsv.net include:zcsend.net include:zoho.com include:spf.protection.outlook -all
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Yep. They can get very long.

Just set up the SPF chained records.

You'll have to provide your domain name for people to verify your SPF records seem correct.
Peter Mikula (Author) Commented:
We have exceeded the 10 DNS-querying mechanisms (count=16), so adding yet another include: won't help :-) Any ideas?
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Best to supply your domain name, to proceed.

Or you can just follow the instructions Dmarcian provides for chaining SPF records to deal with ultra long SPF lists.
Peter Mikula (Author) Commented:
s5trading.com
Peter Mikula (Author) Commented:
So I need to first create an spf1.s5trading.com subdomain in my DNS and then include the second SPF record in the original one, ok.

Also, if any of the included subdomains' IP ranges change, this "flattened" record might slowly become outdated over time, and I'd need to run it through the dmarcian tool again to update it?
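The three constraints this thread runs into, the 255-byte limit on a single TXT string from the question, the ten-lookup limit behind Peter's count=16, and the way a flattened record goes stale when a vendor's ranges move, can all be checked offline before a zone is touched. The script below is an added example, not code from this thread or from dmarcian's tool. It resolves include: terms against a constructed RECORDS table built from documentation addresses (RFC 5737 / RFC 3849), so example.com and its includes are assumptions rather than real zone data, and nothing is queried over DNS.

```python
"""Offline SPF record helpers (added example; not from the thread or dmarcian).
Every record comes from the constructed RECORDS table below, so nothing is
resolved over DNS."""
import re

# Terms that each consume one of the ten DNS lookups a verifier may spend on a
# check (RFC 7208 section 4.6.4). ip4, ip6 and all cost nothing.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

RECORDS = {  # constructed sample zone data, documentation addresses only
    "example.com": "v=spf1 +a +mx ip4:192.0.2.10 include:mail.example.net include:bulk.example.org -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.0/24 include:relay.example.net ~all",
    "relay.example.net": "v=spf1 ip4:203.0.113.0/28 ip6:2001:db8:1::/48 -all",
    "bulk.example.org": "v=spf1 ip4:203.0.113.64/26 ip4:198.51.100.0/24 ?all",
}


def spf_terms(record):
    """Terms after the version tag; rejects anything that is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def mechanism_name(term):
    """'include:x' -> 'include', '+a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def split_txt(value, limit=255):
    """Cut a TXT value at spaces into strings of at most `limit` bytes.
    Resolvers join the strings with no separator (RFC 7208 section 3.3), so
    every string except the last keeps its trailing space."""
    chunks, current = [], ""
    for term in value.split():
        piece = term + " "
        if len(piece) > limit:
            raise ValueError("single term longer than %d bytes: %s" % (limit, term))
        if len(current) + len(piece) > limit:
            chunks.append(current)
            current = ""
        current += piece
    chunks.append(current.rstrip())
    return chunks


def zone_line(owner, value):
    """Zone-file TXT RR with one quoted string per chunk and no leading blanks."""
    return "%s IN TXT %s" % (owner, " ".join('"%s"' % s for s in split_txt(value)))


def count_lookups(record):
    """Lookups charged by one record's own terms (include: targets not followed)."""
    return sum(mechanism_name(t) in LOOKUP_MECHANISMS for t in spf_terms(record))


def total_lookups(domain, records, path=()):
    """Lookups a verifier spends on `domain`, following include: chains."""
    if domain in path:
        raise ValueError("include loop: %s" % " -> ".join(path + (domain,)))
    total = 0
    for term in spf_terms(records[domain]):
        name = mechanism_name(term)
        total += name in LOOKUP_MECHANISMS
        if name == "include":
            total += total_lookups(term.split(":", 1)[1], records, path + (domain,))
    return total


def flatten(domain, records, path=()):
    """Inline every include: into its target's ip4/ip6 terms, preserving order.
    Only pass-qualified terms are inlined from included records; their trailing
    'all' is dropped because an include can match but never fail the caller
    (RFC 7208 section 5.2). A bare a/mx inside an include refers to the
    included domain, so it is rewritten with that domain spelled out."""
    if domain in path:
        raise ValueError("include loop: %s" % " -> ".join(path + (domain,)))
    nested, out = bool(path), []
    for term in spf_terms(records[domain]):
        name = mechanism_name(term)
        if name == "include":
            out += flatten(term.split(":", 1)[1], records, path + (domain,))
        elif not nested:
            out.append(term)  # the top-level policy keeps every term, including its own 'all'
        elif name == "all":
            continue
        elif term[0] in "-~?":
            raise ValueError("cannot inline non-pass term %s from %s" % (term, domain))
        elif name in ("ip4", "ip6"):
            out.append(term)
        elif name in ("a", "mx"):
            body = term.lstrip("+")
            out.append(body if ":" in body else body.replace(name, "%s:%s" % (name, domain), 1))
        else:
            raise ValueError("cannot inline %s from %s" % (term, domain))
    return out


def build_flat_record(domain, records):
    """Flattened record with duplicates removed and order preserved."""
    return "v=spf1 " + " ".join(dict.fromkeys(flatten(domain, records)))


if __name__ == "__main__":
    original = RECORDS["example.com"]
    print("lookups, own terms / following includes:",
          count_lookups(original), "/", total_lookups("example.com", RECORDS))
    flat = build_flat_record("example.com", RECORDS)
    print("lookups after flattening:", count_lookups(flat))
    for s in split_txt(flat, 80):  # small limit only to show where the cuts land
        print(repr(s))
    print(zone_line("@", flat))
```

split_txt() cuts only at spaces and keeps the trailing space on every string but the last, which is why the strings concatenate back into the original record without a separator; that is the RFC-sanctioned way past 255 bytes and costs no extra lookup. Chaining through include:spf1.domain instead spends one more lookup per link, which is why it cannot help once the count is already 16. Flattening removes the include lookups (the sample goes from 5 to 2, with only the kept +a and +mx still charged) but freezes the vendors' addresses into your zone, so, as David says, it has to be regenerated whenever anything changes.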
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
The first SPF record will be - "@     IN  TXT ..."

The second SPF record will be - "spf1  IN  TXT ..."

Correct about updates. Any time anything changes, run the tool again.

Also, just to be safe, place a monthly item in your calendar to run a quick check of your site in the tool.

Way better to do a 30-second test each month than have something change + mail start dropping.
Peter Mikula (Author) Commented:
Thanks so much for all your help. I created 4 chained SPF records and will have to maintain them now, I guess.