In <0a0e01c457af$56eb48d0$cd855140(_at_)h2ttp> "Erik Aronesty" <info(_at_)zoneedit(_dot_)com> writes:
> Suppose I've got 30 "valid relay" IP's to list. What's the best way to
> construct a "large" SPF record? Can you have multiple TXT's? Can you have
There are quite a few ways of solving this problem.
* Use CIDR notations
Instead of listing each individual IP address, list the CIDR block
that they are in. So, instead of saying
"v=spf1 ip4:1.2.3.0 ip4:1.2.3.1" say "v=spf1 ip4:1.2.3.0/31". If you
control a larger CIDR block and the MTAs are scattered within them, it
is still usually safe to list the entire CIDR block. You can usually
trust your own machines not to forge email with your domain name.
* Create a pseudo-MX or A record
You can create an MX or A record that points to all the valid host
names (if you use the MX), or IP addresses (if you use the A).
For example:
    mx._spf.example.com    MX 1 london-mx.example.com
    mx._spf.example.com    MX 1 chicago-mx.example.com
    mx._spf.example.com    MX 1 hongkong-mx.example.com
Then you can have an SPF record of "v=spf1 mx:mx._spf.example.com"
The underscore in the domain name prevents it from being a valid
host name and therefore MTAs won't allow email to be sent to it. It
isn't a real MX host, it is just there to collect names.
There is a limit to the number of MX records you can fit into a DNS
packet without causing it to fall back to TCP, which is much more
expensive. The exact number will vary depending on your host names,
how many name servers you have, etc. Usually the limit is something
like 10, plus or minus 5.
* Use include:
You can use the include: mechanism to break up the SPF record. For
example:
    example.com          TXT "v=spf1 include:a._spf.example.com include:b._spf.example.com"
    a._spf.example.com   TXT "v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 ...."
    b._spf.example.com   TXT "v=spf1 ip4:10.2.3.4 ip4:20.3.4.5 ..."
* Use exists:
You can use the exists: mechanism to create an in-addr type DNS
tree. For example:
example.com TXT "v=spf1 exists:%{ir}._spf.example.com"
4.3.2.1._spf.example.com A 127.0.0.2
5.4.3.2._spf.example.com A 127.0.0.2
4.3.2.10._spf.example.com A 127.0.0.2
5.4.3.20._spf.example.com A 127.0.0.2
This is the most general way and can be extended to any number of IP
addresses. The down side is that it doesn't use the DNS cache as
well.
* Use a combination of the above.
-wayne
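The four approaches above (ip4 CIDR blocks, a pseudo-MX, include:, and exists: with the %{ir} macro) worked through in an added Python evaluator; this is example code, not part of the original post. The DNS data is a constructed in-memory table modelled on the post's records (the MX host addresses and the trailing "-all" are made up), and check_host is a deliberately simplified SPF evaluation with no permerror handling and only a recursion guard in place of the real lookup limit.

```python
import ipaddress

# Constructed in-memory "DNS" modelled on the post's records (not real zone data).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:1.2.3.0/31 include:a._spf.example.com "
                             "mx:mx._spf.example.com exists:%{ir}._spf.example.com -all"],
    ("a._spf.example.com", "TXT"): ["v=spf1 ip4:1.2.3.4 ip4:2.3.4.5"],
    ("mx._spf.example.com", "MX"): ["london-mx.example.com", "chicago-mx.example.com"],
    ("london-mx.example.com", "A"): ["198.51.100.7"],   # made-up addresses
    ("chicago-mx.example.com", "A"): ["198.51.100.8"],
    ("4.3.2.10._spf.example.com", "A"): ["127.0.0.2"],  # exists: entry for 10.2.3.4
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def reverse_ip(ip):
    # %{ir} macro: the dotted-quad octets of the client IP in reverse order
    return ".".join(reversed(ip.split(".")))

def check_host(ip, domain, depth=0):
    """Simplified SPF check_host; 'none' if no single v=spf1 record or nesting too deep."""
    if depth > 10:  # guard against include: loops (real SPF caps DNS lookups at 10)
        return "none"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":  # a CIDR block, or a single address treated as /32
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":  # recursive check; only a 'pass' counts as a match
            matched = check_host(ip, arg, depth + 1) == "pass"
        elif mech == "mx":  # client must be an A record of one of the pseudo-MX hosts
            matched = any(str(client) in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif mech == "exists":  # expand %{ir}; any A record at that name is a match
            matched = bool(lookup(arg.replace("%{ir}", reverse_ip(ip)), "A"))
        else:
            matched = False
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and no terminal all
```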