This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] SPF Record - Number of included DNS lookups
- Previous message (by thread): [anti-abuse-wg] anti-abuse-wg Digest, Vol 59, Issue 11
- Next message (by thread): [anti-abuse-wg] anti-abuse-wg Digest, Vol 59, Issuزe 14
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Chris Phillips
Chris.Phillips at inty.com
Fri Sep 16 15:50:33 CEST 2016
Hi All, I know it's slightly off topic, but does anyone have any contacts who might be willing/able to discuss/review the (I think) excessive number of DNS lookups in their SPF records (like a mail service customer might "include:" in their own SPF record)? The problem is that if you are a customer of more than one of these suppliers, and you include their SPF record in your SPF record, it's too easy to breach the 10 DNS lookup limit, which could lead to random email loss (recipient MTAs giving up on DNS lookups and bouncing/rejecting legit mails). An example of unnecessary nested includes, the _spf.google.com TXT record(s), expanded: - _spf.google.com descriptive text "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" _netblocks.google.com descriptive text "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all" _netblocks2.google.com descriptive text "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all" _netblocks3.google.com descriptive text "v=spf1 ip4:172.217.0.0/19 ~all" These SPF records are perfectly able to live in a single, long DNS record (longer than 255 characters - simply by separating them with '" " ' (an end quote, a space, a start quote and a space) - these breaks are not seen in the final record - See: https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html You can easily check the number of lookups an SPF record includes, using http://mxtoolbox.com/SuperTool.aspx?action=spf# and I've created some test subdomains off my personal domain, so I can demo the issue & show that the multi-include SPF records, can be a single DNS record. I've padded-out my record with my own DNS lookups, so the number is right for the demo. spf-bad.furrie.net descriptive text "v=spf1 a mx a:home.furrie.net a:office.furrie.net a:remote.furrie.net ip4:82.38.144.35 include:_spf.google.com include:mailgun.org -all" SPF Included Lookups Too many included lookups (13) I've created local records that duplicate the google and mailgun SPF records, but each service in a single record, separated into <255 character sections (note the breaks, which are not seen in the final record): - spf-google.furrie.net descriptive text "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19" " ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ip4:172.217.0.0/19 ~all" spf-mailgun.furrie.net descriptive text "v=spf1 ip4:173.193.210.32/27 ip4:50.23.218.192/27 ip4:174.37.226.64/27 ip4:208.43.239.136/30 ip4:184.173.105.0/24 ip4:184.173.153.0/24 ip4:104.130.122.0/23 ip4:209.61.151.0/24 ip4:166.78.68.0/22 ip4:198.61.254.0/23 ip4:192.237.158.0/23" " ip4:23.253.182.0/24 ip4:23.253.183.0/24 ip4:104.130.96.0/28 -all" spf-good.furrie.net descriptive text "v=spf1 a mx a:home.furrie.net a:office.furrie.net a:remote.furrie.net ip4:82.38.144.35 include:spf-google.furrie.net include:spf-mailgun.furrie.net -all" SPF Included Lookups Number of included lookups is OK The following are just a few examples that I've come across, this week: - _spf.google.com - SPF contains 3 additional includes spf.messagelabs.com - SPF contains 2 additional includes spf.protection.outlook.com - SPF contains 2 additional includes _spf.salesforce.com - SPF contains 1 additional include mailgun.org - SPF contains 2 additional includes There appears to be absolutely no need for any of these domain's SPF (TXT) records to have any nested "include:" elements - they can all be created as single TXT records, with appropriate breaks in the record, to keep them <255 characters per section. Even the monster Google record's resultant DNS lookup result is well under the old 512 byte UDP limit. Anyway, thanks for reading, if you did. Kind Regards, -- [http://intycascade.com/intycascade.png]<http://www.inty.com/> Chris Phillips Systems Analyst Service Operations Email: chris.phillips at inty.com<mailto:chris.phillips at inty.com> Skype: chris.phillips at inty.com<sip:chris.phillips at inty.com> Tel: +44 1454 640 532 EU: 170 Aztec West, Bristol, BS32 4TN, UK USA: 2018 156th Ave NE, Suite 100, Bellevue, Washington 98007 www.intycascade.com<http://www.intycascade.com> [Facebook]<https://www.facebook.com/pages/intY-Ltd/214746668551167> [Twitter]<https://twitter.com/intYCASCADE> [LinkedIn]<https://www.linkedin.com/company/inty-ltd> [YouTube]<https://www.youtube.com/user/intYTV> ________________________________ [Exclaimer Cloud - Signatures for Office 365]<http://www.intycascade.com/services/exclaimer/> ________________________________ Information in and attached to this electronic mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this electronic mail by anyone else is unauthorised. If you are not the intended recipient any use, disclosure, copying, distribution or any other action in relation to this message is prohibited and may be unlawful. If you have received this message in error, please notify the sender immediately by return e-mail, and immediately and permanently delete it without making any copies or disclosing the contents to any other person. When addressed to our customers, any information contained in this electronic mail or in any attachment is subject to intY's Terms & Conditions<http://www.intycascade.com/about-us/terms-and-conditions/>. We have scanned this electronic mail for viruses but we do not represent or warrant it to be virus free and recommend that you carry out your own virus checks on the electronic mail and any attachments. intY Ltd is a Limited Company, registered in England and Wales at 170 Aztec West, Bristol, BS32 4TN. Company Number: 3438922. -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/anti-abuse-wg/attachments/20160916/fc49d7e7/attachment.html>
- Previous message (by thread): [anti-abuse-wg] anti-abuse-wg Digest, Vol 59, Issue 11
- Next message (by thread): [anti-abuse-wg] anti-abuse-wg Digest, Vol 59, Issuزe 14
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]