Long SPF record issues

we have an SPF record that just started to get longer than 255 characters and will get even longer

according to RFC rules you can exceed it by concatenating the strings

https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html

this is our record in concatenated version

"v=spf1 +a +mx +ip4:192.155.91.197 ip4:74.217.53.10 ip4:74.63.245.98/28 ip4:78.157.218.82/28 ip4:64.247.128.0/18 ip4:129.121.0.0/16 ip4:152.160.0.0/16 ip4:65.75.128.0/18" " include: bookmap.com include:servers.mcsv.net include:zcsend.net include:zoho.com include:spf.protection.outlook -all"

however, our DNS manager, which is with Enom, and GoDaddy, which I also called, don't support it in their front-end DNS managers, so when you enter it, it cuts it off

looking for a workaround or DNS manager that fully supports it
Peter Mikula Asked:
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
This is correct.

What you require is using the https://dmarcian.com/spf-survey tool which attempts to collapse SPF records + also create SPF record chains, so long records work.

Bookmark this tool. It will save you hours of hair pulling.
0
Peter Mikula (Author) Commented:
this is super handy!

but how does that help with my 255 character limit directly? or do I set up "subdomains" for my main domain and then add a bunch of include statements, i.e. include:spf1.mydomain.com include:spf2.mydomain.com etc., and each of spf1, spf2 has a subset of the required IPs or domains? but I guess the query is going even deeper and may exceed other limits?
0
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
The questions you're asking are far better asked with exact data.

People trying to guess how to answer SPF related questions... well... near impossible...

Post your entire zone file + all SPF records + likely someone can assist.

SPF records are complex. Best to just place all Dmarcian's suggestions in your zone file + test again.

When your SPF records are correct, you'll have a pass from the tester.

This can be a long, iterative process.
0
Peter Mikula (Author) Commented:
here is my current spf record which is already too long and we will need to add more to it soon

v=spf1 +a +mx +ip4:192.155.91.197 ip4:74.217.53.10 ip4:74.63.245.98/28 ip4:78.157.218.82/28 ip4:64.247.128.0/18 ip4:129.121.0.0/16 ip4:152.160.0.0/16 ip4:65.75.128.0/18 bookmap.com include:servers.mcsv.net include:zcsend.net include:zoho.com include:spf.protection.outlook -all
0
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Yep. They can get very long.

Just set up the SPF chained records.

You'll have to provide your domain name for people to verify your SPF records seem correct.
0
Peter Mikula (Author) Commented:
we have exceeded the 10 DNS-querying mechanisms (count=16) so adding yet another include: won't help :-) any ideas?
0
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Best to supply your domain name, to proceed.

Or you can just follow the instructions Dmarcian provides for chaining SPF records to deal with ultra long SPF lists.
0
Peter Mikula (Author) Commented:
s5trading.com
0
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Great.

So in your case you'd create two SPF records, which will chain...

@     IN  TXT "      v=spf1 ip4:8.45.169.0/24 ip4:64.233.160.0/19 ip4:64.247.128.0/18 ip4:65.75.128.0/18 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.5.230.111 ip4:72.14.192.0/18 ip4:74.63.245.98/28 ip4:74.125.0.0/16 ip4:74.201.84.0/24 ip4:74.201.154.0/24 ip4:74.217.53.10 ip4:78.157.218.82/28 ip4:98.124.199.90 ip4:108.177.8.0/21 ip4:108.177.96.0/19 ip4:121.244.91.11/26 ip4:129.121.0.0/16 ip4:135.84.80.192/26 ip4:135.84.81.0/24 ip4:135.84.83.0/24 ip4:148.105.8.0/21 ip4:152.160.0.0/16 include:spf1.s5trading.com ?all"

spf1  IN  TXT  "      v=spf1 ip4:165.254.168.0/24 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:173.194.0.0/16 ip4:192.155.91.197 ip4:198.2.128.0/18 ip4:204.141.32.0/23 ip4:205.201.128.0/20 ip4:207.46.163.74 ip4:209.85.128.0/17 ip4:216.32.180.10 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ?all"

So the first record will chain to the 2nd record.

EE's formatting a bit broken. Remove leading blanks for double quote TXT record values.
0
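
As an added example (not part of the thread and not code from any poster or from dmarcian): a Python sketch of the two limits discussed here, splitting a record into TXT strings of at most 255 characters and counting the terms that count toward the limit of 10 DNS lookups. The function names are hypothetical, and the sample is the record from the question, copied as posted.

```python
import re

MAX_STRING = 255  # one TXT character-string holds at most 255 bytes (RFC 1035)
MAX_LOOKUPS = 10  # SPF evaluation limit on DNS-querying terms (RFC 7208, 4.6.4)

# Terms that cost a DNS query: include, a, mx, ptr, exists and redirect=
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include|a|mx|ptr|exists)([:/]|$)|^redirect=", re.I)

# Record copied as posted in the thread, joined here from short literals.
RECORD = (
    "v=spf1 +a +mx +ip4:192.155.91.197 ip4:74.217.53.10 "
    "ip4:74.63.245.98/28 ip4:78.157.218.82/28 ip4:64.247.128.0/18 "
    "ip4:129.121.0.0/16 ip4:152.160.0.0/16 ip4:65.75.128.0/18 bookmap.com "
    "include:servers.mcsv.net include:zcsend.net include:zoho.com "
    "include:spf.protection.outlook -all"
)

# Function names below are illustrative, not from any SPF library.
def count_lookups(record):
    """Count DNS-querying terms in this record only; each include adds its own."""
    return sum(1 for term in record.split()[1:] if LOOKUP_TERM.search(term))

def split_txt(record, limit=MAX_STRING):
    """Break a record at spaces into strings of at most `limit` characters.

    Resolvers join the strings with nothing in between, so every piece after
    the first carries its own leading space.
    """
    chunks, current = [], ""
    for i, term in enumerate(record.split()):
        piece = term if i == 0 else " " + term
        if current and len(current) + len(piece) > limit:
            chunks.append(current)
            current = ""
        current += piece
    chunks.append(current)
    return chunks

def zone_line(name, record):
    """Render one zone-file TXT line with the record as quoted strings."""
    return f"{name} IN TXT " + " ".join(f'"{c}"' for c in split_txt(record))

if __name__ == "__main__":
    print(zone_line("@", RECORD))
    print("lookups in this record:", count_lookups(RECORD), "of", MAX_LOOKUPS)
```

Each record in a chain still has to be entered as strings of at most 255 characters, so the same split applies to every chained record. The lookup count covers only the terms written in the one record; the records behind each include add their own lookups to the total.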
Peter Mikula (Author) Commented:
so I need to first create a spf1.s5trading.com subdomain in my DNS and then include the second spf in the original one, ok

also, if any of the include subdomains IP ranges changes this "flattened" record might over time become slowly outdated? and need to run it again thru dmarcian tool to update it?
0
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
The first SPF record will be - "@     IN  TXT ..."

The second SPF record will be - "spf1  IN  TXT ..."

Correct about updates. Any time anything changes, run the tool again.

Also, just to be safe, place a monthly item in your calendar to run a quick check of your site in the tool.

Way better to do a 30 second test each month, than have something change + mail start dropping.
0
Peter Mikula (Author) Commented:
thanks so much for all your help, created 4 spf chained records and will have to maintain it I guess now
0