I have been getting an error of 'too many DNS lookups' for my site's SPF record.
After I read the suggestions from the following posts, I decided to follow the advice to try and consolidate my services to reduce the number of lookups.
References:
Too many DNS lookups in an SPF record
PermError SPF Permanent Error: Too many DNS lookup
Right now my SPF record is this:
v=spf1 a include:servers.mcsv.net include:_spf.google.com include:spf.mtasv.net include:jangomail.com ~all
I want to consolidate my services so that it ends up being this:
v=spf1 a include:servers.mcsv.net include:_spf.google.com ~all
I would replace my jangomail with Mandrill (part of Mailchimp servers.mcsv.net) for my transactional emails. And mtasv.net is redundant because we don't use this service anymore.
My situation is exactly like the one posed in this question here:
SPF Record for Mandrill
Kaitlin from Mandrill suggests setting up an SPF record to include Mailchimp and Google Apps as per below.
v=spf1 a include:servers.mcsv.net include:_spf.google.com ~all
However, if I do this, does it not end up being more than 10 lookups and therefore still exceeding the limitations of the protocol?
2 - initial TXT and SPF Record
1 - include:servers.mcsv.net
1 -_spf.google.com
include:servers.mcsv.net includes
1- servers.mcsv.net
1- spf1.mcsv.net
1- spf.mandrillapp.com
_spf.google.com includes:
1- _spf.google.com TXT
1- _netblocks.google.com TXT
1- _netblocks2.google.com TXT
1- _netblocks3.google.com TXT
Total 11 lookups.
Is there any other way around this?
Consolidation using include may always end up making too many DNS look-ups as the included domains may include others.
To see my approach on solving this issue, have a look at SPF-tools which reassembles the original SPF record and outputs only the ip4 and ip6 fields into the new one. Feel free to ask me any questions, I will gladly help/extend the documentation in the repository.
Related
Using G-suite email and DNS configuration for MX records in Route53, I'm blocked on how I can solve this error:
Multiple SPF records may cause delivery and spam classification
issues. v=spf1 include:_spf.google.com ~all v=spf1
include:transmail.net ~all
Route53 only allow a single TXT record for SPF information. Route53 does allow you to use new lines for additional SFP information.
However, when running the G-Suite check, I get the error quoted above and some clients are seeing our emails as SPAM.
Is there a solution to this?
You should have one SPF record for your domain, but you can have multiple include directives in the SPF record. You might want to try something like this:
v=spf1 include:_spf.google.com include:transmail.net ~all
The only way I was able to fix this was to proxy the DNS records in Cloudflare which allows an SPF record per line.
A domain MUST NOT have multiple SPF records, SPF fails with PermError otherwise.
An SPF record is a TXT record in the DNS starting exactly with "v=spf1", followed by an array of mechanisms and/or modifiers.
An SPF check starts by fetching all TXT records starting exactly with "v=spf1" on a domain:
if no such record is found, it returns None;
if multiple such records are found, it returns PermError.
If you have multiple services to add to SPF, you would need to combine them like mti2935.
Learn more here: https://dmarcly.com/blog/can-i-have-multiple-spf-records-on-my-domain
I have these 3 spf txt records to add recommended for different email providers to be addeed to my DNS TXT records to avoid spamming by DMARC:
"v=spf1 mx a include:_spf.getresponse.com -all"
"v=spf1 include:emsd1.com ~all"
"v=spf1 include:spf.protection.outlook.com ip4:195.76.207.18 -all"
What will be the best way to merge them. After reading several forums I finished with these 2 options:
Option A. Merge all in a single TXT record as recommended on here:
"v=spf1 mx a include:_spf.getresponse.com include:spf.protection.outlook.com ip4:195.76.207.18 include:emsd1.com ~all"
vs
"v=spf1 mx a include:_spf.getresponse.com include:spf.protection.outlook.com ip4:195.76.207.18 include:emsd1.com -all"
or OPTION B. Creating 3 SPF records and declare them on an initial SPF: as it is described here
Initial SPF: sampledomain.com TXT
v=spf1 include:spf1.sampledomain.com include:spf2.sampledomain.com include:spf3.sampledomain.com all"
3 SPF records:
spf1.sampledomain.com TXT
v=spf1 mx a include:_spf.getresponse.com -all
spf2.sampledomain.com TXT
v=spf1 include:emsd1.com ~all
spf2.sampledomain.com TXT
v=spf1 include:spf.protection.outlook.com ip4:195.76.207.18 -all
What option should I choose without exceeding the number of 10 look ups?
Additionally, I don't know how to figure it out the number of lookups?
Thanks indded
Either way will work, but combining them is probably the simplest.
The key here is to get all of the rules incorporated in your top-level TXT record. An include: directive is one way, but as you note it's limited in depth, so you should avoid using it unless it's a necessity (e.g. provider specified) not as a way to organize things on your end.
I'm sure you'll also appreciate having all the rules in one places vs. having to edit three arbitrarily named records that split things up for no particular reason.
We have noticed that a lot of our emails are falsely flagged as spam. Upon reading online, it seems like a good way to solve this issue is to add an SPF record into the DNS, so we added a TXT record with this content:
v=spf1 a mx ip4:162.123.189.010 include:_spf.google.com include:bluehost.com ~all
Bluehost is our host provider,
162.123.189.010 is our VPS IP address from blue host,
and _spf.google.com is needed because we send/receive email using GMail.
After running a test on Google's MX tester, we got the following error:
The SPF string can not be parsed, do you have any typos in it?
Decision permanent error in processing
Explanation SPF Permanent Error: Too many DNS lookups
Record v=spf1 a mx ip4:162.123.189.010 include:_spf.google.com include:bluehost.com ~all
Does anyone have any idea what the issue is?
"SPF Permanent Error: Too many DNS lookups" is a very specific problem. Your record is too big and SPF checkers will refuse to perform enough DNS queries to determine if something passed SPF.
The SPF spec allows at most 10 DNS lookups. Your SPF record has 17.
RFC 4408 § 10.1 – Processing Limits states:
SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check, including any
lookups caused by the use of the "include" mechanism or the
"redirect" modifier. If this number is exceeded during a check, a
PermError MUST be returned. The "include", "a", "mx", "ptr", and
"exists" mechanisms as well as the "redirect" modifier do count
against this limit. The "all", "ip4", and "ip6" mechanisms do not
require DNS lookups and therefore do not count against this limit.
The "exp" modifier does not count against this limit because the DNS
lookup to fetch the explanation string occurs after the SPF record
has been evaluated.
Your SPF record has four lookups before traversing the inclusions, including your a and mx:
v=spf1 a mx ip4:162.123.189.010 include:_spf.google.com include:bluehost.com ~all
Google's SPF
Google has three DNS lookups for three collections of CIDRs that it blesses:
_spf.google.com (+3 lookups)
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com
include:_netblocks3.google.com ~all
_netblocks.google.com
v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19
ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16
ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17
ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all
_netblocks2.google.com
v=spf1 ip6:2001:4860:4000::/36
ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36
ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all
_netblocks3.google.com
v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20
ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19
ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"
Bluehost's SPF
The SPF record for bluehost.com is too large (its SPF record fails Google's MX tester on its own):
bluehost.com (5 lookups before further traversal)
v=spf1 include:spf2.bluehost.com include:_spf.qualtrics.com
include:_spf.google.com include:_spf.salesforce.com
include:sparkpostmail.com -all
spf2.bluehost.com (+0)
v=spf1 ip4:66.147.240.0/20 ip4:69.89.16.0/20 ip4:74.220.192.0/19
ip4:67.222.32.0/19 ip4:70.40.192.0/19 ip4:67.20.64.0/18 ip4:173.254.0.0/17
ip4:50.87.0.0/16 ip4:69.195.64.0/18 -all
_spf.qualtrics.com (+0)
v=spf1 ip4:139.60.152.0/22 ip4:162.247.216.0/22 ip4:54.186.193.102/32
ip4:52.222.73.120/32 ip4:52.222.73.83/32 ip4:52.222.62.51/32
ip4:52.222.75.85/32 ?all
(see above for _spf.google.com's +3 lookups, though redundant lookups don't add to your total)
_spf.salesforce.com (+1 using an SPF macro with the IP address)
v=spf1 exists:%{i}._spf.mta.salesforce.com -all
sparkpostmail.com is a redirection and then another exists macro and a pile of pointers (+6, wow)
v=spf1 redirect=_spf.sparkpostmail.com
v=spf1 exists:%{i}._spf.sparkpostmail.com include:_netblocks.sparkpostmail.com
ptr:sparkpostmail.com ptr:spmta.com ptr:flyingenvelope.com ~all
Danger! That sparkpost.com inclusion pulls in some ptr entries, which are arguably insecure, using a deprecated and "strongly discouraged" SPF mechanism (that's a direct quote from the spec).
_netblocks.sparkpostmail.com was pulled in by the previous record (+0)
v=spf1 ip4:147.253.208.0/20 ip4:192.174.80.0/20 ~all
Bluehost used to use SendGrid, who actually knows what they're doing (their SPF record has no additional lookups), but apparently they have traded SendGrid for SparkPost, who (based on their six extra lookups plus the insecure ptr entries) does not.
Since that totals 12 (13 with include:bluehost.com), you cannot include Bluehhost's SPF.
Bluehost's own suggested SPF record (and its default for all customers) is similarly broken (with 16 lookups, including an easily forged ptr).
Solution for Bluehost: a trimmed and safer SPF record
📢 Hello, Bluehost. I tweeted this at you. This section is just for you.
Bluehost could fix this with the following SPF records in place of their current one:
bluehost.com (7)
v=spf1 a include:spf2.bluehost.com include:_spf.google.com
include:_netblocks.sparkpostmail.com ~all
Though note that I had to downgrade include:sparkpostmail.com (7 + 6 = 13, too large, plus that includes the dangerous ptr records) to just its netblocks (7 + 0 ≤ 10). Bluehost needs to yell at SparkPost or go back to SendGrid. spf2.bluehost.com is unchanged from its current state and should be the only inclusion necessary for Bluehost customers.
(I'd use the IP for the A record to skip a lookup, but it changes so often that it looks like fast flux.)
Bluehost should suggest customers include just spf2.bluehost.com for all of the Bluehost services (assuming they're involved in sending mail). See the next section for how to advise Bluehost customers.
Solution for Bluehost customers
As noted in the previous section, start with this base (3 lookups):
v=spf1 a mx include:spf2.bluehost.com ~all
The final ~all ("soft failure") indicates mail recipients should be mildly dubious of —yet still deliver— mail that fails SPF. Set up DMARC to figure out what works and what is missed on the road to DMARC p=reject (which will block all forged mail).
You'll have to add any hosted email or Email Service Provider(s) you use, plus any other hosts that you want to authorize to send mail on behalf of your domain.
In the case of this question, I see an explicit IP address and hosted mail by Google, so you'll need:
v=spf1 ip4:162.123.189.10 a mx include:spf2.bluehost.com
include:_spf.google.com ~all
Your total DNS lookup count is now seven and therefore your SPF is valid.
"SPF Permanent Error: Too many DNS lookups" is a common type of SPF permanent error. This happens when you have more than 10 DNS lookups in your SPF record.
SPF imposes the 10-DNS-lookup limit to mitigate DDoS attacks.
You can use any online SPF checker to check your SPF record and make sure it doesn't exceed that limit.
However, if your SPF record does exceed the limit, SPF authentication returns the permanent error mentioned above, which is in turn interpreted (in DMARC or otherwise) as fail. This means that the email can fail authentication and be moved to the spam folder. If no further action is taken, this will have a negative impact on your email deliverability.
To fix the too-many-DNS-lookup issue, you can use a service like DMARCLY's Safe SPF
feature to automatically "flatten" your SPF record, so that it never exceeds the limit.
For more information on this, check out this post: Why SPF Authentication Fails
The most obvious problem is that leading 0 in your IP address, which makes it invalid. A minor issue is that it's considered best practice to put literal IPs first, as they are faster for receivers to evaluate. Give this a try:
v=spf1 ip4:162.123.189.10 a mx include:_spf.google.com include:bluehost.com ~all
Rather than using google's checker, I'd recommend Scott Kitterman's site, which is more likely to be accurate (Scott is one of the authors of the SPF spec), and spotted this exact problem.
So I'm using mail-tester.com, which is great, except now I'm royally confused. The first time I ran a test, here's what it said (in the SPF section, where the problem is that: You are not allowed to use one of your sender email addresses)
What we retained as your current SPF record is:
v=spf1 a mx ~all
It should be changed to:
v=spf1 a mx ip4:some-ip-address ~all
Need guidance? Visit the guide for cloudflare.
When I clicked the link to the guide for CloudFlare, it literally said my new TXT record should be v=spf1 a mx ~all, which basically contradicted the previous page. So... perhaps the initial diagnostics page was specific guidance while the guide for CloudFlare was just general guidance, on where to put the record? Anyway, so I didn't have a TXT record with v=spf1 a mx ~all in CloudFlare (unusual again given the previous page said it had retained a SPF record as such), so I added it. It didn't do anything to fix my score.
So what I thought then was, OK let's follow the diagnostic's page's specific guidance and add the IP address. The next time I ran a test, I got:
What we retained as your current SPF record is:
v=spf1 a mx ip4:some-ip-address ~all
It should be changed to:
v=spf1 a mx ip4:some-ip-address ip4:different-ip-address ~all
Need guidance? Visit the guide for cloudflare.
And... you guessed it, following these instructions continually just gets me to a never ending cycle of new ip addresses being added to the record, but nothing actually changing my score. Like, now I'm at:
What we retained as your current SPF record is:
v=spf1 a mx ip4:some-ip-address ip4:different-ip-address ~all
It should be changed to:
v=spf1 a mx ip4:some-ip-address ip4:different-ip-address ip4:another-ip-address ~all
Need guidance? Visit the guide for cloudflare.
Has anyone else had experience with this? If you can't tell, I'm a total noob to SPF and have no idea how to fix this honestly. For context, My domain and mail are managed by Gandi, but redirected through CloudFlare, so CloudFlare is where my DNS records are actually kept.
When you say this:
v=spf1 a mx ~all
It says that the IP that resolves from your domain's A record, and any of the IPs designated as mail exchangers for your domain will receive an SPF pass status, and everything else will receive a softfail.
So, when you're getting that error, it means you're sending from somewhere that is not covered by that list of permitted sources, and so it's suggesting you add the sending IP to your record to allow it.
If you are sending from somewhere like gmail with a large pool of mail servers, the source address will change frequently, which would explain why it suggests a different IP each time.
There are two solutions to this:
Don't send using the external service and really send only from the IPs that you designate explicitly (i.e. that are covered by your a and mx options).
Use an SPF include directive to allow sending from a source that uses dynamic sending IPs.
In this latter case you would make your record something like:
v=spf1 a mx include:_spf.google.com ~all
While you say you're using cloudflare and gandi, you don't say where you're actually sending email from - if you're not using gmail then include the SPF from whichever other service you are using.
Update. Given an actual source IP of 217.70.183.200, we can see what's happening. Whois tells us that that IP belongs to gandi.net, and a lookup for gandi.net's SPF record returns this:
v=spf1 ip4:217.70.176.0/21 ip4:217.70.186.186/32 ip4:217.70.186.187/32 ip6:2001:4b98:c::/48 ip6:2001:4b98:dc2:43:216:3eff:fe69:f13/128 ip4:217.70.186.186/32 ip6:2001:4b98:dc2:90:217:70:186:186/128 ptr ?all
The first address range listed in there (ip4:217.70.176.0/21) covers the 217.70.183.200 address, so I suggest you set your SPF to this, which should solve your problem (and is exactly what I said in option 2 above):
v=spf1 a mx include:gandi.net include:_spf.google.com ~all
I need to create SPF records for my site for emails. I've created the following 4 entries:
I know from reading I should use the following 2 entries for Amazon:
"v=spf1 include:amazonses.com ?all"
"spf2.0/pra include:amazonses.com ?all"
Question:
- should I create 4 entries - 2 TXT and 2 SPF?
- I've named them spf1 and spf2 - is this ok? (I can't use TXT with no name as I'm already using this for another entry.
- Any other advise on how to setup these entries?
Domain: www.tradies.dating
thanks
Adam
In practice, neither of these records are necessary. Here's why:
The two records you've listed are SPF (v=spf1) and Sender-ID (spf2.0/pra). The latter protocol, Sender-ID, is now obsolete and this record is not required.
SPF works off the 'mfrom' address - that's the Return Path address. Amazon SES uses amazonses.com in the Return Path, meaning that receivers won't even check the SPF record you're creating. So it is not necessary to add it to the SPF record for your domain.
What you need to do is set up DKIM. Authenticating email from Amazon SES requires the use of Amazon's Easy DKIM system (http://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html) .
You cannot have more than one SPF record, and naming them SPF1 and SPF2 will not work.
You should combine them into one string. https://serverfault.com/questions/586008/multiple-spf-records-for-multiple-domains shows how to do this.