[anti-abuse-wg] SPF Record - Number of included DNS lookups

Hi All,

I know it's slightly off topic, but does anyone have any contacts who might be willing/able to discuss/review the (I think) excessive number of DNS lookups in their SPF records (like a mail service customer might "include:" in their own SPF record)?

The problem is that if you are a customer of more than one of these suppliers, and you include their SPF record in your SPF record, it's too easy to breach the 10 DNS lookup limit, which could lead to random email loss (recipient MTAs giving up on DNS lookups and bouncing/rejecting legit mails).  An example of unnecessary nested includes, the _spf.google.com TXT record(s), expanded: -

_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
_netblocks.google.com descriptive text "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
_netblocks2.google.com descriptive text "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
_netblocks3.google.com descriptive text "v=spf1 ip4:172.217.0.0/19 ~all"

These SPF records are perfectly able to live in a single, long DNS record (longer than 255 characters - simply by separating them with '" " ' (an end quote, a space, a start quote and a space) - these breaks are not seen in the final record - See: https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html

You can easily check the number of lookups an SPF record includes, using http://mxtoolbox.com/SuperTool.aspx?action=spf# and I've created some test subdomains off my personal domain, so I can demo the issue & show that the multi-include SPF records, can be a single DNS record.  I've padded-out my record with my own DNS lookups, so the number is right for the demo.

spf-bad.furrie.net descriptive text "v=spf1 a mx a:home.furrie.net a:office.furrie.net a:remote.furrie.net ip4:82.38.144.35 include:_spf.google.com include:mailgun.org -all"
SPF Included Lookups    Too many included lookups (13)

I've created local records that duplicate the google and mailgun SPF records, but each service in a single record, separated into <255 character sections (note the breaks, which are not seen in the final record): -

spf-google.furrie.net descriptive text "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19" " ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ip4:172.217.0.0/19 ~all"
spf-mailgun.furrie.net descriptive text "v=spf1 ip4:173.193.210.32/27 ip4:50.23.218.192/27 ip4:174.37.226.64/27 ip4:208.43.239.136/30 ip4:184.173.105.0/24 ip4:184.173.153.0/24 ip4:104.130.122.0/23 ip4:209.61.151.0/24 ip4:166.78.68.0/22 ip4:198.61.254.0/23 ip4:192.237.158.0/23" " ip4:23.253.182.0/24 ip4:23.253.183.0/24 ip4:104.130.96.0/28 -all"

spf-good.furrie.net descriptive text "v=spf1 a mx a:home.furrie.net a:office.furrie.net a:remote.furrie.net ip4:82.38.144.35 include:spf-google.furrie.net include:spf-mailgun.furrie.net -all"
SPF Included Lookups    Number of included lookups is OK

The following are just a few examples that I've come across, this week: -

_spf.google.com - SPF contains 3 additional includes
spf.messagelabs.com - SPF contains 2 additional includes
spf.protection.outlook.com - SPF contains 2 additional includes
_spf.salesforce.com - SPF contains 1 additional include
mailgun.org - SPF contains 2 additional includes

There appears to be absolutely no need for any of these domain's SPF (TXT) records to have any nested "include:" elements - they can all be created as single TXT records, with appropriate breaks in the record, to keep them <255 characters per section.  Even the monster Google record's resultant DNS lookup result is well under the old 512 byte UDP limit.

Anyway, thanks for reading, if you did.

Kind Regards,
--

[http://intycascade.com/intycascade.png]<http://www.inty.com/>

Chris Phillips
Systems Analyst
Service Operations
Email: chris.phillips at inty.com<mailto:chris.phillips at inty.com>
Skype: chris.phillips at inty.com<sip:chris.phillips at inty.com>
Tel: +44 1454 640 532

EU: 170 Aztec West, Bristol, BS32 4TN, UK
USA: 2018 156th Ave NE, Suite 100, Bellevue, Washington 98007
www.intycascade.com<http://www.intycascade.com>
[Facebook]<https://www.facebook.com/pages/intY-Ltd/214746668551167>

[Twitter]<https://twitter.com/intYCASCADE>

[LinkedIn]<https://www.linkedin.com/company/inty-ltd>

[YouTube]<https://www.youtube.com/user/intYTV>


________________________________

[Exclaimer Cloud - Signatures for Office 365]<http://www.intycascade.com/services/exclaimer/>


________________________________
Information in and attached to this electronic mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this electronic mail by anyone else is unauthorised. If you are not the intended recipient any use, disclosure, copying, distribution or any other action in relation to this message is prohibited and may be unlawful. If you have received this message in error, please notify the sender immediately by return e-mail, and immediately and permanently delete it without making any copies or disclosing the contents to any other person. When addressed to our customers, any information contained in this electronic mail or in any attachment is subject to intY's Terms & Conditions<http://www.intycascade.com/about-us/terms-and-conditions/>. We have scanned this electronic mail for viruses but we do not represent or warrant it to be virus free and recommend that you carry out your own virus checks on the electronic mail and any attachments.

intY Ltd is a Limited Company, registered in England and Wales at 170 Aztec West, Bristol, BS32 4TN. Company Number: 3438922.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20160916/fc49d7e7/attachment.html>