SPF health check returning void lookups

A "Void Lookup" refers to DNS lookups which either return an empty response (NOERROR with no answers) or an NXDOMAIN response.

This is meant to help prevent erroneous or malicious SPF records from contributing to a DNS-based denial of service attack.

I cannot find any help in deciphering which items are actually causing the void count I have. Anyone have any suggestions to go about doing this?

Without looking at what you're using for a SPF record, I couldn't even begin to guess

Hi Ken, thanks for the info, I saw those too. I just wasn't sure what those responses meant. Can you dumb that down for me as to what triggers those responses?

Essentially the DNS server contacted didn't find a match and didn't have a result to provide.

It's like running a "whois" on Microsoft.com. Typed correctly, you'll get a response, but typed incorrectly "Microwsot.com" you'll get an "no result found". This is your "Void Lookup" error

But as I stated earlier, without looking at what you're using, nobody can tell you what's causing the error

To ask a really dumb question, is it safe for me to provide that here? I would, but I am fairly a newbie to DNS and don't know. I will gladly provide it if it wouldn't be considered unsafe to post?

To ask a really dumb question, is it safe for me to provide that here?

That's not dumb at all, it's a very REAL concern that you should have regarding the posting of potentially sensitive information online.

But in this case yea it's safe. The information is readily obtained

Actually if you wanted, you could just post the domain name in question, and I can pull it up

Ken

ok thanks Ken! The domain is XXXXXXX.com.

Let me know when you've done it so I can remove the IP information from my post

Thanks Ken! I just applied the record you provided. I of course copied my previous one for safe-keeping. Feel free to edit out IP info. But do you mind taking a look at my XXXXXXX1.com one as well while we're at it? That is my primary domain, and it had voids as well. We just use that for far less mail, so I never bothered with it since it has never had problems delivering. Also, to be clear, in my include statement, if I have IPs in XXXXXXX1.com that I ALSO have in XXXXXXX.com, that would cause recursion because they would be redundant in the same SPF record correct? So and IP I have ending .xxx that exists in the XXXXXXX.com record that ALSO exists in XXXXXXX1.com is redundant in the XXXXXXX.com record because of that include part, right? I should remove it from the record and just rely on the include statement for that IP?

Did it resolve your issue?

If so, repeat the change to your xxx.com record by removing the two mx listings (mx:mail.xxx.com mx:mail2.xxx.com)

If not, let me know what error you're receiving

Ken

Oh I need to give it a chance to replicate to mxtoolbox to run the check. I am just waiting on that. If I have "include:XXXXXXX1.com" in msi-survey.com and "include:XXXXXXX.com" in XXXXXXX1.com, is that going to cause me problems with being recursive or anything? UPDATE: I had been waiting for mxtoolbox to become available as there was some sort of query error til just a minute ago. It is still seeing some of the MX records I removed, so hopefully soon it will fully replicate over.

Ok I cut it down to "v=spf1 ip4:sanitized ip4:sanitized ip4:sanitized ip4:sanitized ip4:sanitized include:XXXXXXX1 -all". That turned up no void lookups! To dumb things down further, in my SPF record, I just need to list the server IPs that I use to send mail for this domain (since it really is only a few), correct? UPDATE: I removed the MX record items from XXXXXXX1.com and that now has no void lookups either. And finally, the "include:" statement I have in XXXXXXX1.com referring to XXXXXXX.com means that all the SPF record for XXXXXXX1 includes the IPs in XXXXXXX, yes?

no void lookups!

Good, glad to hear it :)

I just need to list the server IPs that I use to send mail for this domain (since it really is only a few), correct?

Correct, "OR" you can use "mx" which will use the DNS mx record for the domain. You can use both mx and ipv4 however you need to make sure that you don't list an IP in ipv4 which is also the IP for a mail server in the dns mx record for the domain.

This is why you were getting the error, you can only list a server (IP) one time.

The listings (including the include) indicate which servers are allowed to send mail for the domain.

Ok so for example I can have an ip4 address in XXXXXXX1.com that also appears in the SPF record of XXXXXXX.com even though it is in the XXXXXXX1.com include statement?

ip4 address in xxx.com that also appears in the SPF record of xxx.com

Right, I see that.

To be honest I'm not 100% sure about that as I don't use that tag, but I believe you should be okay
Sending test emails would be the only way to tell for sure

Understood, thanks Ken, I haven't had any problems sending mail honestly, I just was doing a check and say the voids on mxtoolbox. But you helped me get rid of those, so I will consider things good now and close the question! Thanks so much for your time! Just for being safe, what parts of this question should I sanitize before closing?

Any time,

what parts of this question should I sanitize

I'd mask or delete any IP / Domain information

Thanks Ken, if you could do that for your posts, I will do it for mine and then close the question when I hear back from you!

You should be set on my end

Excellent, thanks again for your time, I took up plenty of it with this one!

No problem mrosier,

I'm glad you got your issue resolved

Ken