SPF IP4 Mechanism Limitation

Is there a limit to the # of ip4 mechanisms included in an SPF record?  From what I'm reading, the limit is 10 DNS lookups, but excludes the ip4 mechanism.  I need to specify 20 IP4 addresses, so will the following SPF record be valid?

v=spf1 ip4:50.248.119.81 ip4:64.62.153.100 ip4:166.185.141.5 ip4:66.220.18.38 ip4:67.215.195.44 ip4:68.105.30.113 ip4:162.249.61.215 ip4:184.105.58.118 ip4:206.51.40.12 ip4:209.51.186.86 ip4:216.66.84.6 ip4:217.29.66.1 ip4:91.198.176.10 ip4:185.1.55.10 ip4:80.239.193.9 ip4:195.246.227.22 ip4:216.66.80.94 ip4:77.241.206.36 ip4:81.16.231.31 ip4:185.1.113.9 include:spf.protection.outlook.com -all
fireguy1125Asked:
nociSoftware EngineerCommented:
First you CAN publish the DNS records and check them before use, and if all is acceptable, then activate DKIM signing.
SPF is slightly more tricky, but you can start with a record that only has +all at the end.... (effectively rendering the _spf RR futile).
During testing it may be wise to limit the TTL of DNS records to 300 (then you only have to wait 5 minutes max for cached data),
and to set the TTL longer after the dust has settled.
It all depends on how the query (& answer) are worded in total.
Lots of variables involved, f.e. length of the name requested, the value requested; if multiple records exist then they ALL need to fit; with international characters they may take up more than 1 octet / char. Then if signing is involved the signing information is added, including references for verification. ....
In practice a safe limit is around 255...  (maybe less...)

http://www.rfc-archive.org/getrfc.php?rfc=883 are the design goals for DNS; bottom of page 11 states limits on packet sizes.
Which limits Datagram (UDP) queries/answers to 512 octets each. (Final data in RFC 1034.)
(The RR size is given by an unsigned 16 bit integer, and a single query/answer maximum in a streamed query is 64K.)
Your problem is there are not a lot of DNS servers that allow TCP connections.
With query & authorisation info etc. all in the packet you can count on around 255 characters. Besides that, many user interfaces are more restricted than this.
So YMMV.

The following allows you to split the record into multiple records to accommodate multiple addresses..
_spf.example.com   300 TXT  "v=spf1 include:_extra.example.com include:_extra2.example.com -all"
_extra.example.com      300 TXT "v=spf1 ip4:1.1.1.1 ip4:2.2.2.2 ~all"
_extra2.example.com      300 TXT "v=spf1 ip4:3.3.3.3 ip4:4.4.4.4 ~all"

Did you ever query the google DKIM records, or the outlook.com ones?
They are nice examples...
dig _spf.google.com txt

and then look up the includes mentioned.
MaheshArchitectCommented:
I have not heard of having multiple ip4 entries cause any issues as long as it's beyond 255 characters.

You can always validate your SPF with mxtoolbox.com, and if your SPF has any problem, it will point it out.

Normally you should not have too many included lookups.

DNS lookups are counted for included lookups, MX lookups, A and PTR lookups,
but when you put in ip4 entries, the 10 lookups limit should not apply, IMHO.
nociSoftware EngineerCommented:
You may not exceed the 254 character limit of DNS, and you may not cause more than 10 lookups.
You could do:
....example.com   TXT "v=spf1 include:extra....example.com include:extra2....example.com ~all"
extra....example.com TXT "v=spf1 ip4:..... ~all"
extra2....example.com TXT "v=spf1 ip4:..... ~all"
DrDave242Commented:
From what I'm reading, the limit is 10 DNS lookups, but excludes the ip4 mechanism.

You're not limited to 10 DNS lookups, but 10 mechanisms and modifiers that cause DNS lookups, according to RFC 7208, sec 4.6.4:

Some mechanisms and modifiers (collectively, "terms") cause DNS queries at the time of evaluation, and some do not...SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS.

The ip4 mechanism, as you mentioned, is exempt from this limitation, since it doesn't cause DNS lookups at all. As far as I can tell, you're only limited by the overall size limitation mentioned in sec 3.4:

The published SPF record for a given domain name SHOULD remain small enough that the results of a query for it will fit within 512 octets. Otherwise, there is a possibility of exceeding a DNS protocol limit.

You should read that entire section, as it mentions that the size of your SPF record might be constrained by other TXT records present at the same level, since they'll also be returned by a query seeking your domain's SPF record.
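A checker for the two limits this thread discusses: the ten lookup-causing terms of RFC 7208 section 4.6.4 (DrDave242's answer) and the 255-octet TXT string / 512-octet answer sizes (noci's answers), plus the split of a long record into several TXT strings. This is an added example, not code from the thread; the sample records in the comments are constructed.

```python
import re

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (limit: 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Terms evaluated without DNS; "exp" is fetched only after evaluation and is not counted.
LOCAL_TERMS = {"ip4", "ip6", "all", "exp"}
NEEDS_COLON = {"include", "exists", "ip4", "ip6"}   # mechanisms take name:value
NEEDS_EQUALS = {"redirect", "exp"}                  # modifiers take name=value
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:([:=/])(.*))?$", re.IGNORECASE)


def analyze_spf(record: str) -> dict:
    """Count lookup-causing and ip4 terms; report syntax and size problems.

    'octets' is the whole record's length: one TXT character-string holds at
    most 255 octets, and RFC 7208 3.4 advises keeping the answer under 512."""
    terms = record.split()
    result = {"lookups": 0, "ip4": 0, "problems": [], "octets": len(record.encode())}
    if not terms or terms[0].lower() != "v=spf1":
        result["problems"].append("record must start with v=spf1")
        return result
    for term in terms[1:]:
        m = TERM_RE.match(term)
        name, sep = (m.group(2).lower(), m.group(3)) if m else ("", None)
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        elif name == "ip4":
            result["ip4"] += 1
        elif name not in LOCAL_TERMS:          # e.g. the common typo ipv4:
            result["problems"].append(f"unknown term {term!r}")
            continue
        if (name in NEEDS_COLON and sep != ":") or (name in NEEDS_EQUALS and sep != "="):
            result["problems"].append(f"bad separator in {term!r}")
    if result["lookups"] > 10:
        result["problems"].append(f"{result['lookups']} lookup terms exceed the limit of 10")
    if result["octets"] > 255:
        result["problems"].append("longer than 255 octets: publish as several TXT strings")
    return result


def split_txt_strings(record: str, limit: int = 255) -> list:
    """Split a single-spaced record into <=limit-octet strings on term boundaries.
    Resolvers concatenate TXT strings without adding spaces, so every chunk but
    the last keeps its trailing space and ''.join(chunks) rebuilds the record."""
    terms = record.split()
    chunks, current = [], ""
    for i, term in enumerate(terms):
        piece = term + (" " if i < len(terms) - 1 else "")
        if current and len((current + piece).encode()) > limit:
            chunks.append(current)
            current = ""
        current += piece
    return chunks + [current] if current else chunks
```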
nociSoftware EngineerCommented:
The 512 character limit may impose its own problems, as not all interfaces to update DNS allow it. Also DNSSEC signed zones may cause more data to be occupied within the DNS packet.
DrDave242Commented:
Agreed - it's a little tricky at best.
fireguy1125Author Commented:
Thanks all, can you clarify if the actual character limit is 255 or 512?

@noci, can you elaborate further on your initial comment?

You could do:
....example.com   TXT "v=spf1 include:extra....example.com include:extra2....example.com ~all"
extra....example.com TXT "v=spf1 ip4:..... ~all"
extra2....example.com TXT "v=spf1 ip4:..... ~all"

Mahesh, thanks for the mxtoolbox tip, however I'd prefer to have these verified before actually publishing the changes to avoid any issues.
Thanks again.
fireguy1125Author Commented:
Thanks all.