I have these 3 SPF TXT records, recommended for different email providers, to be added to my DNS TXT records to avoid spamming by DMARC:

"v=spf1 mx a include:_spf.getresponse.com -all"

"v=spf1 include:emsd1.com ~all"

"v=spf1 include:spf.protection.outlook.com ip4:195.76.207.18 -all"

What will be the best way to merge them? After reading several forums I finished with these 2 options:

Option A. Merge all in a single TXT record as recommended on here:

"v=spf1 mx a include:_spf.getresponse.com include:spf.protection.outlook.com ip4:195.76.207.18 include:emsd1.com ~all"

vs

"v=spf1 mx a include:_spf.getresponse.com include:spf.protection.outlook.com ip4:195.76.207.18 include:emsd1.com -all"

or Option B. Create 3 SPF records and declare them in an initial SPF, as it is described here:

Initial SPF: sampledomain.com TXT

v=spf1 include:spf1.sampledomain.com include:spf2.sampledomain.com include:spf3.sampledomain.com all"

3 SPF records:

spf1.sampledomain.com TXT

v=spf1 mx a include:_spf.getresponse.com -all

spf2.sampledomain.com TXT

v=spf1 include:emsd1.com ~all

spf2.sampledomain.com TXT

v=spf1 include:spf.protection.outlook.com ip4:195.76.207.18 -all

What option should I choose without exceeding the number of 10 look ups?

Additionally, I don't know how to figure out the number of lookups.

Thanks indeed

tadman
Jose Gallo

1 Answer

Either way will work, but combining them is probably the simplest.

The key here is to get all of the rules incorporated in your top-level TXT record. An include: directive is one way, but as you note it's limited in depth, so you should avoid using it unless it's a necessity (e.g. provider specified) not as a way to organize things on your end.

I'm sure you'll also appreciate having all the rules in one place vs. having to edit three arbitrarily named records that split things up for no particular reason.

tadman
  • Thanks @tadman. Yes I think it will be better having them in a single record. Do you know if I exceed the 10 lookups limit? – Jose Gallo Apr 22 '19 at 17:05
  • It really depends on what you include, you'd have to follow up with those to see their footprint. – tadman Apr 22 '19 at 17:08
  • Hi @tadman again, how can I do the follow-up of lookups? Do you know some source/reference to learn how to do it? – Jose Gallo Apr 22 '19 at 17:11
  • You basically do it manually unless you have a tool to do it for you. For each `include:x` you'd do `dig TXT x` and look for the SPF record, then follow any `include:` statements in there. – tadman Apr 22 '19 at 17:12
  • There are testing tools [like this](https://mxtoolbox.com/SuperTool.aspx?action=spf%3alinkedin.com&run=networktools) which might help. – tadman Apr 22 '19 at 17:15
  • Thanks @tadman, that helps! One more question you maybe can help me with. If I test the SPF record of the email marketing provider `v=spf1 mx a include:_spf.getresponse.com -all` with the domain associated on https://www.kitterman.com/spf/validate.html? in the syntax test I get this error: "The result of the test (this should be the default result of your record) was, ambiguous . The explanation returned was, SPF Ambiguity Warning: No A records found for: cs10161.servidoresdns.net". Do you know what the cause is and how to solve it? – Jose Gallo Apr 22 '19 at 17:29
  • Seems like something you're referencing in one of those SPF records doesn't resolve to an A record, which means it's a bogus entry. If it's not in your record, contact the provider which is telling you to include it so they can fix it. You can test their SPF records directly, like test `x` for `include:x`. – tadman Apr 22 '19 at 17:47
  • It is not my record, the record comes from getresponse (the emailmarketing provider). I tested on the kitterman tool and gave me that error, I will contact them. Thanks for all your help. – Jose Gallo Apr 22 '19 at 17:59
  • Sounds like it's worth taking it up with them as they may not be aware they have a dead entry in their SPF record. Hope that works out! – tadman Apr 22 '19 at 18:00
  • One minor thing - it's a good idea to put any literal IP mechanisms (`ip4` and `ip6`) first because they are fastest to evaluate for receivers (they don't require DNS lookups). – Synchro Apr 23 '19 at 05:53
  • If the referenced IPs are unlikely to change then perhaps, but if you're using a service where it may change from time to time, then no. – tadman Apr 23 '19 at 17:23
  • I'd suggest removing the `a` and `mx` tags from the SPF, unless you actually use them to send emails. Otherwise they cause unnecessary lookups in your SPF record and move you closer to the 10 lookups limit of SPF. Kitterman probably reports ambiguity based on those, not the actual include for `_spf.getresponse.com`. – Reinto May 06 '19 at 06:56
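
Added example (not part of the original question, answer or comments): the manual procedure from the comments, following every `include:` and counting the terms that trigger DNS queries, scripted for both of the asker's options. The TXT data is constructed and the provider records are invented for illustration; `count_lookups` and the dictionary names are hypothetical. Per RFC 7208 section 4.6.4 the counted terms are `include`, `a`, `mx`, `ptr`, `exists` and `redirect=`.

```python
# Constructed stand-in for DNS TXT answers. The provider records are invented;
# fetch the real ones (e.g. `dig TXT <name>`) before trusting any count.
PROVIDERS = {
    "_spf.getresponse.com": "v=spf1 ip4:192.0.2.0/24 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "emsd1.com": "v=spf1 a mx ip4:192.0.2.128/25 ~all",
}
OPTION_A = dict(PROVIDERS, **{  # everything merged into one record
    "sampledomain.com": "v=spf1 mx a include:_spf.getresponse.com "
    "include:spf.protection.outlook.com ip4:195.76.207.18 include:emsd1.com -all",
})
OPTION_B = dict(PROVIDERS, **{  # three wrapper records behind extra includes
    "sampledomain.com": "v=spf1 include:spf1.sampledomain.com "
    "include:spf2.sampledomain.com include:spf3.sampledomain.com -all",
    "spf1.sampledomain.com": "v=spf1 mx a include:_spf.getresponse.com -all",
    "spf2.sampledomain.com": "v=spf1 include:emsd1.com ~all",
    "spf3.sampledomain.com": "v=spf1 include:spf.protection.outlook.com "
    "ip4:195.76.207.18 -all",
})

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists"}  # ip4, ip6 and all cost nothing

def count_lookups(domain, txt, path=()):
    """Count DNS-querying SPF terms reachable from domain's record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; the include that led here was counted
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, txt, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.partition("/")[0].lower()  # "a/24" -> "a"
        if name in COUNTED:
            total += 1
            if name == "include":
                total += count_lookups(arg, txt, path + (domain,))
    return total

if __name__ == "__main__":
    for label, zone in (("A", OPTION_A), ("B", OPTION_B)):
        n = count_lookups("sampledomain.com", zone)
        print(f"Option {label}: {n} lookups, limit {LOOKUP_LIMIT}")
```

With this constructed data the merged record costs 8 lookups and the three-wrapper layout costs 11, because each wrapper `include:` is itself a lookup.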