mrosier
asked on
SPF health check returning void lookups
Hello! I am trying to get some help adjusting my SPF record. I am trying to understand how I can go about identifying which items in my record constitute "void lookups". I am getting a notice saying I am exceeding 2 when checking my domain health. I see what they are from searching, but I cannot find any help in deciphering which items are actually causing the void count I have. Anyone have any suggestions to go about doing this?
ASKER
Hi Ken, thanks for the info, I saw those too. I just wasn't sure what those responses meant. Can you dumb that down for me as to what triggers those responses?
Essentially the DNS server contacted didn't find a match and didn't have a result to provide.
It's like running a "whois" on Microsoft.com. Typed correctly, you'll get a response, but typed incorrectly "Microwsot.com" you'll get an "no result found". This is your "Void Lookup" error
But as I stated earlier, without looking at what you're using, nobody can tell you what's causing the error
It's like running a "whois" on Microsoft.com. Typed correctly, you'll get a response, but typed incorrectly "Microwsot.com" you'll get an "no result found". This is your "Void Lookup" error
But as I stated earlier, without looking at what you're using, nobody can tell you what's causing the error
ASKER
To ask a really dumb question, is it safe for me to provide that here? I would, but I am fairly a newbie to DNS and don't know. I will gladly provide it if it wouldn't be considered unsafe to post?
To ask a really dumb question, is it safe for me to provide that here?
That's not dumb at all, it's a very REAL concern that you should have regarding the posting of potentially sensitive information online.
But in this case yea it's safe. The information is readily obtained
Actually if you wanted, you could just post the domain name in question, and I can pull it up
Ken
ASKER
ok thanks Ken! The domain is XXXXXXX.com.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Let me know when you've done it so I can remove the IP information from my post
ASKER
Thanks Ken! I just applied the record you provided. I of course copied my previous one for safe-keeping. Feel free to edit out IP info. But do you mind taking a look at my XXXXXXX1.com one as well while we're at it? That is my primary domain, and it had voids as well. We just use that for far less mail, so I never bothered with it since it has never had problems delivering. Also, to be clear, in my include statement, if I have IPs in XXXXXXX1.com that I ALSO have in XXXXXXX.com, that would cause recursion because they would be redundant in the same SPF record correct? So and IP I have ending .xxx that exists in the XXXXXXX.com record that ALSO exists in XXXXXXX1.com is redundant in the XXXXXXX.com record because of that include part, right? I should remove it from the record and just rely on the include statement for that IP?
Did it resolve your issue?
If so, repeat the change to your xxx.com record by removing the two mx listings (mx:mail.xxx.com mx:mail2.xxx.com)
If not, let me know what error you're receiving
Ken
If so, repeat the change to your xxx.com record by removing the two mx listings (mx:mail.xxx.com mx:mail2.xxx.com)
If not, let me know what error you're receiving
Ken
ASKER
Oh I need to give it a chance to replicate to mxtoolbox to run the check. I am just waiting on that. If I have "include:XXXXXXX1.com" in msi-survey.com and "include:XXXXXXX.com" in XXXXXXX1.com, is that going to cause me problems with being recursive or anything? UPDATE: I had been waiting for mxtoolbox to become available as there was some sort of query error til just a minute ago. It is still seeing some of the MX records I removed, so hopefully soon it will fully replicate over.
ASKER
Ok I cut it down to "v=spf1 ip4:sanitized ip4:sanitized ip4:sanitized ip4:sanitized ip4:sanitized include:XXXXXXX1 -all". That turned up no void lookups! To dumb things down further, in my SPF record, I just need to list the server IPs that I use to send mail for this domain (since it really is only a few), correct? UPDATE: I removed the MX record items from XXXXXXX1.com and that now has no void lookups either. And finally, the "include:" statement I have in XXXXXXX1.com referring to XXXXXXX.com means that all the SPF record for XXXXXXX1 includes the IPs in XXXXXXX, yes?
no void lookups!
Good, glad to hear it :)
I just need to list the server IPs that I use to send mail for this domain (since it really is only a few), correct?
Correct, "OR" you can use "mx" which will use the DNS mx record for the domain. You can use both mx and ipv4 however you need to make sure that you don't list an IP in ipv4 which is also the IP for a mail server in the dns mx record for the domain.
This is why you were getting the error, you can only list a server (IP) one time.
The listings (including the include) indicate which servers are allowed to send mail for the domain.
ASKER
Ok so for example I can have an ip4 address in XXXXXXX1.com that also appears in the SPF record of XXXXXXX.com even though it is in the XXXXXXX1.com include statement?
ip4 address in xxx.com that also appears in the SPF record of xxx.com
Right, I see that.
To be honest I'm not 100% sure about that as I don't use that tag, but I believe you should be okay
Sending test emails would be the only way to tell for sure
ASKER
Understood, thanks Ken, I haven't had any problems sending mail honestly, I just was doing a check and say the voids on mxtoolbox. But you helped me get rid of those, so I will consider things good now and close the question! Thanks so much for your time! Just for being safe, what parts of this question should I sanitize before closing?
Any time,
I'd mask or delete any IP / Domain information
what parts of this question should I sanitize
I'd mask or delete any IP / Domain information
ASKER
Thanks Ken, if you could do that for your posts, I will do it for mine and then close the question when I hear back from you!
You should be set on my end
ASKER
Excellent, thanks again for your time, I took up plenty of it with this one!
No problem mrosier,
I'm glad you got your issue resolved
Ken
I'm glad you got your issue resolved
Ken
This is meant to help prevent erroneous or malicious SPF records from contributing to a DNS-based denial of service attack.
Without looking at what you're using for a SPF record, I couldn't even begin to guess