Do's and Don'ts for multiple SPF records

SPF is an abbreviation for Sender Policy Framework, and it is used to verify the legitimacy of emails. It is necessary to employ SPF records, which are TXT documents. The following section will discuss how to avoid having frequent SPF difficulties. The topic of the second most frequently encountered error will be the creation of multiple SPF records for a single domain.

First rule: One SPF record for one domain

In RFC4408, it is explicitly specified that a domain name must not contain multiple records that cause an authorization check to be performed in order for the user to choose multiple records.

Having several text SPF entries for your domain will result in the receiving server rejecting your domain. The majority of the time, DNS TXT record duplication is an inadvertent error. SPF authentication will fail if there are several SPF records on a single domain.

How do I verify my SPF record?

Utilize a specialized tool to verify the SPF record associated with your domain. Looking at MailSlurp.mx's SPF record provides some of the details of how they work using the dig command on unix or mac:

dig -t txt mailslurp.mx

We use the -t txt flag to request TXT records. TXT records can contain SPF values. The result for MailSlurp's mx server is the following:

; <<>> DiG 9.16.1-Ubuntu <<>> -t txt mailslurp.mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19171
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mailslurp.mx.			IN	TXT

;; ANSWER SECTION:
mailslurp.mx.		600	IN	TXT	"v=spf1 include:amazonses.com -all"

;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Jan 16 10:04:55 NZDT 2022
;; MSG SIZE  rcvd: 87

Note the SPF answer for MailSlurp is mailslurp.mx. 600 IN TXT "v=spf1 include:amazonses.com -all". Let us chfind other ways to check SPF recods.

Other ways to verify SPF records

MXToolbox SPF Check

Exchange SPF Record Check is a tool that thoroughly examines the SPF record. To begin, enter your domain name or IP address in the appropriate field. You can also look at MX records, DNS records, sender reputation, and other information.

Easy DMARC SPF Lookup

The SPF Record Lookup prioritizes the retrieval of domain names. The SPF Lookup Tree contains all of the necessary and optional lookups.

LookUp SPF Records by Agari

LookUp SPF Records by Agari It only displays the legitimate records as well as some general knowledge like the number of DNS probing techniques and IP addresses allowed.

Hand checking SPF records

Manually check the SPF record utilizing nslookup. To do so, execute nslookup -type=txt domain-name>. There can be just one v=spf1 entry.

What to do after finding multiple SPF records in your domain

Duplicate SPF records should be promptly rectified if you use a major mail server like Microsoft Exchange or Gmail. Smaller email companies rarely have sophisticated features, so you'll have to handle this yourself. The ideal method is to combine both DNS TXT entries. To do so, populate the new entry with data from the old one.

Handling SPF records correctly

• Multiple SPF record syntax includes merging, but there are other significant points.
• Limiting DNS lookups: The total number of DNS lookup techniques and modifiers cannot exceed ten. Include, a, MX, ptr [deprecated], existing, and redirect all yield one lookup. SPF authentication fails if this number is exceeded.
• Consider nested include mechanisms.
• SPF record character constraints: You should also consider the 255-character limit for single SPF records.

Conclusion

A correctly constructed SPF record is only one component of dependable email delivery. The DMARC record and DKIM signatures are also factors. Check our dedicated blog entries for setup. So whether it is a multiple SPF record office 365 or an exchange SPF record check, you now know how to work through it.