Query general acceptability of long SPF records

exMSW4319
Level 3

Apologies if this is only on-topic in as much as I'm an Ironport customer with domains to protect, but...

 

If I publish a long SPF record (i.e. between 250 and ~470 characters long) then will I face a potential problem with its acceptability? I'm pushing entries for test domains through Dmarcian and they claim that the records are acceptable. However, I'm still nervous that a minority of gateways will struggle to correctly read a long record. Are these fears misplaced?

 

Yes, I'm already chaining records through multiple includes and for other reasons I'm also pushing my lookup allowance to the limit, hence the need to use every last byte that is available.

5 Replies

Libin Varghese
Cisco Employee

I haven't seen length of the SPF record to be an issue as long as it complies with RFC.

 

There is max 10 DNS lookup as per SPF specification, but nothing much on lengthy SPF records.

 

It would be subject to testing how far you can push it and if any issues show up as a result of just that.

 

Regards,

Libin Varghese

Adding to this:

---
If you attempt to create an SPF or TXT record with a long string (>255 characters) in it, BIND will give an error (e.g. "invalid rdata format: ran out of space"). Strings in SPF and TXT records should be no longer than 255 characters. However, to get around this limitation, per RFC 4408 a TXT or SPF record is allowed to contain multiple strings, which should be concatenated together by the reading application.

---

Note: RFC 4408 is obsoleted by https://tools.ietf.org/html/rfc7208; however, the above still holds true (Section 3.3, Multiple Strings in a Single DNS Record).

A single SPF string should not exceed 255 characters.

 

Regards,

Matthew

I believe the problem is with UDP, which imposes that string limit. Fortunately our ISP's DNS tool appears to handle this for us, as it's real DNS records I'm asking Dmarcian to survey.

 

Now I can take that a step further and go from using domain names we've banked to old domains our RAT still honours, which would allow me to test these records against my version of Asyncos and the major freemailers. The off-topic element of this discussion was really if anyone knew of other systems that had issues handling SPF records between 250 and 470 characters length.

Yes, as soon as third parties come into the equation the ten-lookup limit becomes a serious problem, because their Include may have further Include mechanisms of its own and you (the domain owner) then have to worry about how they might change their records in the future. Naturally it is always other parts of the organisation that sign up for these services and then say "Oh! Could you please add..."

 

One thing we didn't realise until I really started pushing records to the limit is that A mechanisms also count as a lookup. It rapidly becomes a game of "I wonder how static that A record is?", and I've had to convert a number of ours to IP4 mechanisms instead.

Hey exMSW4319,

Unfortunately I haven't had/seen any issues with long SPF strings at this stage; I've seen some VERY long entries with a large number of IPs and they worked as expected so long as they were separated with a comma (from my experience).

SPF lookups exceeding 10 always trigger a PermError, and you are right: with third parties involved it is harder to control, but that is how the feature is designed.
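As an added example (not code from the thread, Cisco, or any of the posters), the Python script below does offline what the replies describe: it splits a long record into the strings of at most 255 characters that a zone file needs and concatenates them back the way a receiver does under RFC 7208 section 3.3, and it counts the terms in one record that each cost a DNS lookup toward the limit of ten in RFC 7208 section 4.6.4 (include, a, mx, ptr, exists and the redirect= modifier). The sample record, its domains and its addresses are constructed for the example. The script performs no DNS queries, so lookups hidden behind an include: or redirect= target are not counted; that is the third-party problem raised above and can only be checked against live DNS.

```python
"""Offline checks for a long SPF record: zone-file string splitting and
lookup counting. Added example; sample data below is constructed."""
import re

MAX_STRING = 255   # longest <character-string> in a TXT RR (RFC 7208 section 3.3)
MAX_LOOKUPS = 10   # DNS-querying terms allowed per evaluation (RFC 7208 section 4.6.4)

# Mechanisms that each cost a DNS lookup; ip4, ip6 and all do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# RFC 7208 term shapes: "name=value" is a modifier,
# "[qualifier]name[:domain][/cidr]" is a mechanism.
MODIFIER_RE = re.compile(r"^([a-z][a-z0-9._-]*)=", re.IGNORECASE)
MECHANISM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:/]|$)", re.IGNORECASE)

# Constructed sample: 289 characters and 11 lookup terms, so it trips both limits.
SAMPLE_RECORD = (
    "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip6:2001:db8::/32 "
    "a mx a:mail.example.com "
    "include:_spf.example.net include:spf.example.org include:_spf.example.com "
    "include:spf1.example.edu include:spf2.example.edu include:mail.example.co "
    "include:spf.example.io exists:%{i}.rbl.example.net -all"
)


def split_for_zone(record: str, limit: int = MAX_STRING) -> list[str]:
    """Break a record into zone-file strings of at most `limit` characters.

    Receivers concatenate the strings with nothing in between, so every
    string after the first keeps its separating space at the start. A single
    term longer than `limit` is cut mid-term; the concatenation is unchanged.
    """
    chunks: list[str] = []
    current = ""
    for i, term in enumerate(record.split()):
        piece = term if i == 0 else " " + term
        if len(current) + len(piece) <= limit:
            current += piece
            continue
        if current:
            chunks.append(current)
        while len(piece) > limit:          # oversized term: hard split
            chunks.append(piece[:limit])
            piece = piece[limit:]
        current = piece
    if current:
        chunks.append(current)
    return chunks


def join_strings(strings: list[str]) -> str:
    """What an RFC 7208 receiver does with a multi-string TXT record."""
    return "".join(strings)


def zone_rdata(record: str) -> str:
    """Render the quoted multi-string RDATA that BIND accepts in a zone file."""
    return " ".join('"' + s.replace('"', '\\"') + '"' for s in split_for_zone(record))


def count_lookups(record: str) -> dict[str, int]:
    """Count the terms in this one record that each cost a DNS lookup.

    Records behind include: or redirect= are not fetched, so lookups they
    add of their own are not counted here.
    """
    counts: dict[str, int] = {}
    for term in record.split():
        mod = MODIFIER_RE.match(term)
        if mod:                            # modifiers: only redirect= counts
            if mod.group(1).lower() == "redirect":
                counts["redirect"] = counts.get("redirect", 0) + 1
            continue
        mech = MECHANISM_RE.match(term)
        if mech and mech.group(1).lower() in LOOKUP_MECHANISMS:
            name = mech.group(1).lower()
            counts[name] = counts.get(name, 0) + 1
    return counts


def check(record: str) -> list[str]:
    """Warnings to resolve before publishing the record."""
    warnings: list[str] = []
    if len(record) > MAX_STRING:
        warnings.append(
            f"{len(record)} chars: publish as {len(split_for_zone(record))} "
            f"strings of at most {MAX_STRING}; a single string would be rejected")
    counts = count_lookups(record)
    total = sum(counts.values())
    if total > MAX_LOOKUPS:
        warnings.append(
            f"{total} lookup terms in this record alone exceed {MAX_LOOKUPS}; "
            f"receivers will return permerror")
    if counts.get("a"):
        warnings.append(
            f"{counts['a']} 'a' term(s) each cost a lookup; static hosts could be ip4:/ip6:")
    return warnings


if __name__ == "__main__":
    print(zone_rdata(SAMPLE_RECORD))
    for w in check(SAMPLE_RECORD):
        print("warning:", w)
```

Running the script prints the sample record as two quoted strings (233 and 56 characters) and three warnings: the record needs two strings, eleven lookup terms exceed the limit, and the two a mechanisms could be replaced by ip4 entries if the hosts are static. Point check() at each include: target in turn, once you have fetched it, to see how much of the budget a third party consumes.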