spf-discuss

Re: Length of txt records

2004-06-21 11:36:46
In <0a0e01c457af$56eb48d0$cd855140(_at_)h2ttp> "Erik Aronesty" 
<info(_at_)zoneedit(_dot_)com> writes:

Suppose I've got 30 "valid relay" IP's to list.  What's the best way to
construct a "large" SPF record?  Can you have multiple TXT's?  Can you have

There are quite a few ways of solving this problem.

* Use CIDR notations
  
  Instead of listing each individual IP address, list the CIDR block
  that they are in.  So, instead of saying "v=spf1 ip4:1.2.3.0
  ip4:1.2.3.1" say "v=spf1 ip4:1.2.3.0/31".  If you control a larger
  CIDR block and the MTAs are scattered within them, it is still
  usually safe to list the entire CIDR block.  You can usually trust
  your own machines not to forge email with your domain name.

* Create a pseudo-MX or A record

  You can create an MX or A record that points to all the valid host
  names (if you use the MX), or IP addresses (if you use the A).

  For example:

  mx._spf.example.com  MX  1 london-mx.example.com
                    MX  1 chicago-mx.example.com
                    MX  1 hongkong-mx.example.com

  Then you can have an SPF record of "v=spf1 mx:mx._spf.example.com"

  The underscore in the domain name prevents it from being a valid
  host name and therefore MTAs won't allow email to be sent to it.  It
  isn't a real MX host, it is just there to collect names.

  There is a limit to the number of MX records you can fit into a DNS
  packet without causing it to fall back to TCP, which is much more
  expensive. The exact number will vary depending on your host names,
  how many name servers you have, etc.  Usually the limit is something
  like 10, plus or minus 5.

* Use include: 

  You can use the include: mechanism to break up the SPF record.  For
  example:

  example.com  TXT  "v=spf1 include:a._spf.example.com
                     include:b._spf.example.com"
  a._spf.example.com TXT "v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 ...."
  b._spf.example.com TXT "v=spf1 ip4:10.2.3.4 ip4:20.3.4.5 ..."

* Use exists:

  You can use the exists: mechanism to create an in-addr type DNS
  tree.  For example:

  example.com TXT "v=spf1 exists:%{ir}._spf.example.com"

  4.3.2.1._spf.example.com A 127.0.0.2
  5.4.3.2._spf.example.com A 127.0.0.2
  4.3.2.10._spf.example.com A 127.0.0.2
  5.4.3.20._spf.example.com A 127.0.0.2

  This is the most general way and can be extended to any number of IP
  addresses.  The down side is that it doesn't use the DNS cache as
  well.


* Use a combination of the above.


-wayne
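The three record-shaping techniques from the reply above (CIDR collapsing, splitting across include: sub-records, and the %{ir} exists: tree), as an added worked example that is not part of the original post. The relay list, the `_spf.example.com` zone name and the `a.`/`b.` sub-record labels are assumptions taken from the post's own illustrations.

```python
import ipaddress

# Constructed sample relay list (not from the post): two adjacent hosts that
# collapse into the /31 the post mentions, plus three scattered relays.
RELAYS = ["1.2.3.0", "1.2.3.1", "2.3.4.5", "10.2.3.4", "20.3.4.5"]


def cidr_mechanisms(ips):
    """Option 1: merge adjacent addresses into the fewest ip4: CIDR blocks."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(ip) for ip in ips)
    return [f"ip4:{n.network_address}" if n.prefixlen == 32 else f"ip4:{n}"
            for n in nets]


def split_into_includes(mechs, zone="_spf.example.com", max_len=255):
    """Option 3: spread mechanisms over a._spf, b._spf, ... so that no single
    TXT string exceeds max_len bytes (255 is the DNS character-string limit).
    Returns (top-level record, {sub-record name: sub-record text})."""
    records, cur = {}, []

    def flush():
        if cur:
            name = f"{chr(ord('a') + len(records))}.{zone}"
            records[name] = "v=spf1 " + " ".join(cur)
            cur.clear()

    for m in mechs:
        if cur and len("v=spf1 " + " ".join(cur + [m])) > max_len:
            flush()
        cur.append(m)
    flush()
    # Only the top-level record carries the default qualifier; the included
    # sub-records just list mechanisms.
    top = "v=spf1 " + " ".join(f"include:{n}" for n in records) + " -all"
    return top, records


def exists_tree(ips, zone="_spf.example.com"):
    """Option 4: one A record per relay under the %{ir} (octets reversed) name,
    so "v=spf1 exists:%{ir}._spf.example.com" matches exactly these hosts."""
    return {".".join(reversed(ip.split("."))) + "." + zone: "127.0.0.2"
            for ip in ips}


if __name__ == "__main__":
    mechs = cidr_mechanisms(RELAYS)
    top, subs = split_into_includes(mechs, max_len=40)  # small cap to force a split
    print(top)
    for name, txt in subs.items():
        print(f"{name} TXT \"{txt}\"")
    for name, a in exists_tree(RELAYS).items():
        print(f"{name} A {a}")
```

Check the output with your resolver's TXT lookups before publishing; a sub-record over 255 bytes, or a missing colon in an `ip4:` mechanism, silently turns into a permerror for every receiver.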
