Managing the Sender Policy Framework (SPF) entries can be time-consuming in more complex environments, as there are a few things to consider:
- The SPF entries should be checked regularly to make sure they are still up to date
- All mail servers sending under the sender domain must be included in the SPF entry; in particular, third-party solutions such as CRM, web servers, smart hosts, etc. must be checked here
- If DNS names are included in the SPF record (e.g. with Include), then no more than 10 DNS lookups may be performed until an IP has been determined
- An SPF entry must not be longer than 255 characters
- A domain may only have one SPF entry
The SPF entry has become very important for sending emails. Most providers and recipients reject mails from servers that are not in the SPF of the domain. Mails from domains without an SPF entry will also usually end up directly in spam. Google and Yahoo have required SPF and DKIM since February 2024.
The following example shows my SPF entry:
data:image/s3,"s3://crabby-images/39846/398463d4ade33e3c261193d14be0828d8112e49b" alt="Manage Sender Policy Framework (SPF) entries"
In my case it is still quite simple, because there are only three entries in the SPF: A web server with an IP, a mail relay and Office 365. Behind the scenes, however, this already leads to 4 DNS lookups:
data:image/s3,"s3://crabby-images/943a5/943a55e42629639dc410d52c6a3a50be52b27f9f" alt="Manage Sender Policy Framework (SPF) entries"
For my domain, administration is not yet a major effort, as I basically only have to ensure that the one entry with the IP address 185.3.235.230 is up to date. The remaining entries are maintained by providers such as Microsoft for Office 365.
In larger environments with many different mail systems, however, a problem quickly arises: only a maximum of 10 DNS lookups may be performed to determine the IP address of the mail server. Some providers publish their SPF entries somewhat unfavorably, as can be seen here, for example:
data:image/s3,"s3://crabby-images/6b44e/6b44e71f0049a5fb9aa69d5d306c22934c2a8aa7" alt="Manage Sender Policy Framework (SPF) entries"
Here you can see an SPF which in turn contains one entry for IPv4 and one for IPv6 addresses. If I were to add this provider, I would already have a total of 7 DNS lookups. That leaves little headroom. Incidentally, a record like the example above can be even worse, as the entries often contain host names as well. The limit of 10 lookups is therefore quickly reached.
Smoothed or flattened SPF entries
To stay under the limit of 10 DNS lookups, flattened (also called smoothed) SPF records are often used; both terms mean the same thing. In principle, it is simple: all domains in the SPF record are resolved and the resulting IP addresses are entered directly in the SPF record. For my domain frankysweb.de, for example, the flattened entry would look like this:
v=spf1 ip4:185.3.235.230 ip4:46.243.95.179 ip4:46.243.95.180 ip4:128.127.70.0/26 ip4:89.22.108.0/24 ip4:192.162.87.0/24 ip4:109.237.142.0/24 ip4:46.243.88.174 ip4:46.243.88.175 ip4:46.243.88.176 ip4:46.243.88.177 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/15 ip4:52.102.0.0/16 ip4:52.103.0.0/17 ip4:104.47.0.0/17 -all
As you can see here, all DNS names that were previously included have simply been translated directly into the IPs. This means that a DNS lookup no longer needs to be performed. In larger environments, the limit of 10 DNS lookups can thus be circumvented.
However, here comes the next restriction: An SPF entry can only be a maximum of 255 characters long. The SPF entry above is already 321 characters long.
I would have to create an SPF entry for the domain frankysweb.de and split the IPs into two SPF entries, which I can then include in the domain SPF via Include. This may sound more complicated than it is, so here is an example:
The domain frankysweb.de receives the following SPF entry:
frankysweb.de. IN TXT "v=spf1 include:_spf1.frankysweb.de include:_spf2.frankysweb.de -all"
As can be seen here, two DNS entries are included via Include (_spf1.frankysweb.de and _spf2.frankysweb.de). This leads to 2 DNS lookups. The IP lists now sit behind the DNS entries _spf1.frankysweb.de and _spf2.frankysweb.de:
_spf1.frankysweb.de. IN TXT "v=spf1 ip4:185.3.235.230 ip4:46.243.95.179 ip4:46.243.95.180 ip4:128.127.70.0/26 ip4:89.22.108.0/24 ip4:192.162.87.0/24 ip4:109.237.142.0/24 ip4:46.243.88.174 ip4:46.243.88.175 ip4:46.243.88.176 ip4:46.243.88.177 ip4:40.92.0.0/15 -all"
and
_spf2.frankysweb.de. IN TXT "v=spf1 ip4:40.107.0.0/16 ip4:52.100.0.0/15 ip4:52.102.0.0/16 ip4:52.103.0.0/17 ip4:104.47.0.0/17 -all"
The first entry has 242 characters, the second 101 characters. The limits are therefore adhered to and all is well with the world. The principle behind flattened / smoothed / compressed SPF records (or whatever you want to call it) is actually quite simple: Take all DNS records from the SPF, determine the IPs from them and divide them into as few DNS records as possible.
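The flattening procedure described above, as an added Python example that is not part of the article: it follows the includes of a record, collects the ip4/ip6 terms, packs them into records of at most 255 characters and writes the parent/_spfN layout shown above, while also counting how many lookups the original record costs. The DNS answers come from a constructed in-memory dictionary (example.test and its includes are placeholders, not any provider's real records), so it runs offline; pass a real TXT resolver as `txt` to use it on a live domain.

```python
import re

MAX_TXT_STRING = 255  # longest single character-string in a TXT record

# Constructed sample zone so the example runs offline (placeholder names and
# contents, not any provider's real records); layout mirrors the article's.
SAMPLE_TXT = {
    "example.test": "v=spf1 ip4:185.3.235.230 include:relay.example.test include:o365.example.test -all",
    "relay.example.test": "v=spf1 ip4:46.243.95.179 ip4:46.243.95.180 include:relay6.example.test -all",
    "relay6.example.test": "v=spf1 ip6:2001:db8:1::/48 -all",
    "o365.example.test": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/15 ip4:52.102.0.0/16 -all",
}

def collect(domain, txt, seen=None):
    """Follow include:/redirect=; return (ip terms, DNS lookups the original record costs)."""
    seen = set() if seen is None else seen
    if domain in seen:  # include loop: stop instead of recursing forever
        return [], 0
    seen.add(domain)
    terms, lookups = [], 0
    for term in txt(domain).split()[1:]:  # skip the v=spf1 version tag
        mech = term.lstrip("+-~?")
        m = re.match(r"(?:include:|redirect=)(.+)", mech)
        if m:
            sub, cost = collect(m.group(1), txt, seen)
            terms, lookups = terms + sub, lookups + 1 + cost
        elif mech.startswith(("ip4:", "ip6:")):
            terms.append(mech)
        elif mech != "all":  # a, mx, ptr, exists: one lookup each, kept verbatim; nested 'all' dropped
            terms.append(term)
            lookups += 1
    return terms, lookups

def pack(terms, tail="-all", limit=MAX_TXT_STRING):
    """Greedily pack terms into as few records as possible, each <= limit characters."""
    records, current = [], "v=spf1"
    for t in terms:
        if len(current) + len(t) + len(tail) + 2 > limit:
            records.append(current + " " + tail)
            current = "v=spf1"
        current += " " + t
    records.append(current + " " + tail)
    return records

def flattened_zone(domain, txt):
    """Parent record plus _spfN children, the layout the article builds by hand."""
    children = pack(collect(domain, txt)[0])
    zone = {"_spf%d.%s" % (i + 1, domain): r for i, r in enumerate(children)}
    zone[domain] = "v=spf1 " + " ".join("include:" + n for n in zone) + " -all"
    return zone
```

Feeding the generated zone back into `collect` shows the parent now costs exactly one lookup per child record, which is the number to watch as third-party includes grow.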
However, this has one disadvantage: you have to keep a close eye on your SPF entries. For example, if Microsoft changes the entry behind spf.protection.outlook.com, then I also have to adjust my flattened SPFs for frankysweb.de. I must therefore be aware of changes from third-party providers and, in this case, also add new IPs to my SPFs or delete old IPs, while keeping an eye on several DNS entries and the number of characters and the lookup limit. This is hardly possible without automation.
In part 2, we will take a look at the options for automating this.
Note on the option: "-all"
Source: https://www.mailhardener.com/kb/spf
<<>>
Regards, Roland
Between the angle brackets should be:
Hence, with the introduction of DKIM (and later DMARC), it is no longer recommended to use -all for typical email scenarios. It is recommended to use the ~all term instead.
The DMARC specification also warns about this (RFC 7489, section 10.1).
In my view, the statement that an SPF record may not have more than 255 characters is not correct... A single string may not, but you can assemble a record from several strings.
See for example
https://mxtoolbox.com/problem/spf/spf-exceeds-maximum-character-limit
It could now become rather problematic to find DNS providers where you can do that in a GUI.
Presumably "many" do this automatically, since DKIM has a similar problem. There are various DNS record splitters for that, for example at mailhardener as well, which then deliver it to you formatted accordingly.