SPF record longer than 255 characters in AWS Route53Email sent from server with rDNS & SPF being blocked by HotmailSPF Records - mechanism not recognized by this client. unknown mechanisms:How to include multiple domains in an spf TXT Recordset Google Apps SPF record in Amazon AWS Route 53Is using SOFTFAIL over FAIL in the SPF record considered best practice?SPF Record - Sender server SPF record permerrorCannot find solution to “One or more of your nameservers did not return any of your NS records.” on intoDNS siteHow can I have an SPF record longer than 255 characters?Reverse DNS for 2 different domainsPostfix: proper configurations - main.cf, DNS, DKIM
Can a 40amp breaker be used safely and without issue with a 40amp device on 6AWG wire?
How do credit card companies know what type of business I'm paying for?
How do I say what something is made out of?
Boss making me feel guilty for leaving the company at the end of my internship
For Saintsbury, which English novelists constituted the "great quartet of the mid-eighteenth century"?
Background for black and white chart
Co-worker is now managing my team. Does this mean that I'm being demoted?
Is it possible to install Firefox on Ubuntu with no desktop enviroment?
How do you translate “talk shit”?
How did the European Union reach the figure of 3% as a maximum allowed deficit?
The title "Mord mit Aussicht" explained
What is the color associated with lukewarm?
Is there a maximum/optimum amount of ERC-721 that can be issued per contract?
Should I worry about having my credit pulled multiple times while car shopping?
Are there any rules for identifying what spell an opponent is casting?
How can Caller ID be faked?
Why not make one big CPU core?
Does an African-American baby born in Youngstown, Ohio have a higher infant mortality rate than a baby born in Iran?
Does anyone recognize these rockets, and their location?
How long would it take for sucrose to undergo hydrolysis in boiling water?
Do items with curse of vanishing disappear from shulker boxes?
How many possible starting positions are uniquely solvable for a nonogram puzzle?
How to remove multiple elements from Set/Map AND knowing which ones were removed?
What does the output current rating from an H-Bridge's datasheet really mean?
SPF record longer than 255 characters in AWS Route53
Email sent from server with rDNS & SPF being blocked by HotmailSPF Records - mechanism not recognized by this client. unknown mechanisms:How to include multiple domains in an spf TXT Recordset Google Apps SPF record in Amazon AWS Route 53Is using SOFTFAIL over FAIL in the SPF record considered best practice?SPF Record - Sender server SPF record permerrorCannot find solution to “One or more of your nameservers did not return any of your NS records.” on intoDNS siteHow can I have an SPF record longer than 255 characters?Reverse DNS for 2 different domainsPostfix: proper configurations - main.cf, DNS, DKIM
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I saw that there's been a couple questions on here that ask the same thing. However, personally, I don't grasp the hint provided. Yes, I've seen https://kb.isc.org/docs/aa-00356 and it only made things worst for me. I use AWS Route53 for our DNS/TXT records. Please help me understand how I can add include:spf.mandrillapp.com to my TXT record using "include:" examples rather than IP addresses. Thanks in advanced sorry I'm new to DNS.
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32" include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
domain-name-system spf amazon-route53
edited May 30 at 19:42
sysadmin1138♦
118k17148282
asked May 30 at 17:23
Matthew MorcaldiMatthew Morcaldi
83
add a comment |
I saw that there's been a couple questions on here that ask the same thing. However, personally, I don't grasp the hint provided. Yes, I've seen https://kb.isc.org/docs/aa-00356 and it only made things worst for me. I use AWS Route53 for our DNS/TXT records. Please help me understand how I can add include:spf.mandrillapp.com to my TXT record using "include:" examples rather than IP addresses. Thanks in advanced sorry I'm new to DNS.
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32" include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
domain-name-system spf amazon-route53
edited May 30 at 19:42
sysadmin1138♦
118k17148282
asked May 30 at 17:23
Matthew MorcaldiMatthew Morcaldi
83
add a comment |
I saw that there's been a couple questions on here that ask the same thing. However, personally, I don't grasp the hint provided. Yes, I've seen https://kb.isc.org/docs/aa-00356 and it only made things worst for me. I use AWS Route53 for our DNS/TXT records. Please help me understand how I can add include:spf.mandrillapp.com to my TXT record using "include:" examples rather than IP addresses. Thanks in advanced sorry I'm new to DNS.
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32" include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
domain-name-system spf amazon-route53
edited May 30 at 19:42
sysadmin1138♦
118k17148282
asked May 30 at 17:23
Matthew MorcaldiMatthew Morcaldi
83
I saw that there's been a couple questions on here that ask the same thing. However, personally, I don't grasp the hint provided. Yes, I've seen https://kb.isc.org/docs/aa-00356 and it only made things worst for me. I use AWS Route53 for our DNS/TXT records. Please help me understand how I can add include:spf.mandrillapp.com to my TXT record using "include:" examples rather than IP addresses. Thanks in advanced sorry I'm new to DNS.
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32" include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
domain-name-system spf amazon-route53
domain-name-system spf amazon-route53
edited May 30 at 19:42
sysadmin1138♦
118k17148282
asked May 30 at 17:23
Matthew MorcaldiMatthew Morcaldi
83
edited May 30 at 19:42
sysadmin1138♦
118k17148282
asked May 30 at 17:23
Matthew MorcaldiMatthew Morcaldi
83
edited May 30 at 19:42
sysadmin1138♦
118k17148282
edited May 30 at 19:42
sysadmin1138♦
118k17148282
edited May 30 at 19:42
sysadmin1138♦
118k17148282
118k17148282
asked May 30 at 17:23
Matthew MorcaldiMatthew Morcaldi
83
asked May 30 at 17:23
Matthew MorcaldiMatthew Morcaldi
83
asked May 30 at 17:23
Matthew MorcaldiMatthew Morcaldi
83
83
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
This is typically handled by creating multiple TXT records. You can see _spf.google.com do it.
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
In your case you would create new TXT records similar to...
spf1.example.com 300 IN TXT "v=spf1 include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com ~all"
spf2.example.com 300 IN TXT "v=spf1 include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
And set your SPF record to something like...
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32 include:spf1.example.com include:spf2.example.com ~all"
The danger to records this large is that the SPF RFC 7208 says in section 4.6.4 that only 10 modifiers that require DNS lookups will be honored by systems doing SPF checks. The google SPF record I quoted includes huge lists of netblocks specifically to avoid hitting this limit, and the rest of your includes all point to netblocks. The SPF record you quoted is at 7 all by itself, and the google include adds 3 more (they have a lot of netblocks).
You're at 10 already. Unfortunately, using the method I mention here will add two more and put you into the zone where mail receivers may not fully query all of your authorized netblocks. You're fast approaching the area where SPF stops being a viable method of control and you'll need to do something like dmarc in order to get the non-repudiation you need. In that case you'd use an SPF record with "v=spf1 +all" which tells mailers that you don't actually care who sends your email and you're using something else. When paired with dkim and DMARC, you get the nonrepudation features you're looking for.
answered May 30 at 19:35
sysadmin1138♦sysadmin1138
118k17148282
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969535%2fspf-record-longer-than-255-characters-in-aws-route53%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
This is typically handled by creating multiple TXT records. You can see _spf.google.com do it.
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
In your case you would create new TXT records similar to...
spf1.example.com 300 IN TXT "v=spf1 include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com ~all"
spf2.example.com 300 IN TXT "v=spf1 include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
And set your SPF record to something like...
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32 include:spf1.example.com include:spf2.example.com ~all"
The danger to records this large is that the SPF RFC 7208 says in section 4.6.4 that only 10 modifiers that require DNS lookups will be honored by systems doing SPF checks. The google SPF record I quoted includes huge lists of netblocks specifically to avoid hitting this limit, and the rest of your includes all point to netblocks. The SPF record you quoted is at 7 all by itself, and the google include adds 3 more (they have a lot of netblocks).
You're at 10 already. Unfortunately, using the method I mention here will add two more and put you into the zone where mail receivers may not fully query all of your authorized netblocks. You're fast approaching the area where SPF stops being a viable method of control and you'll need to do something like dmarc in order to get the non-repudiation you need. In that case you'd use an SPF record with "v=spf1 +all" which tells mailers that you don't actually care who sends your email and you're using something else. When paired with dkim and DMARC, you get the nonrepudation features you're looking for.
answered May 30 at 19:35
sysadmin1138♦sysadmin1138
118k17148282
add a comment |
This is typically handled by creating multiple TXT records. You can see _spf.google.com do it.
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
In your case you would create new TXT records similar to...
spf1.example.com 300 IN TXT "v=spf1 include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com ~all"
spf2.example.com 300 IN TXT "v=spf1 include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
And set your SPF record to something like...
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32 include:spf1.example.com include:spf2.example.com ~all"
The danger to records this large is that the SPF RFC 7208 says in section 4.6.4 that only 10 modifiers that require DNS lookups will be honored by systems doing SPF checks. The google SPF record I quoted includes huge lists of netblocks specifically to avoid hitting this limit, and the rest of your includes all point to netblocks. The SPF record you quoted is at 7 all by itself, and the google include adds 3 more (they have a lot of netblocks).
You're at 10 already. Unfortunately, using the method I mention here will add two more and put you into the zone where mail receivers may not fully query all of your authorized netblocks. You're fast approaching the area where SPF stops being a viable method of control and you'll need to do something like dmarc in order to get the non-repudiation you need. In that case you'd use an SPF record with "v=spf1 +all" which tells mailers that you don't actually care who sends your email and you're using something else. When paired with dkim and DMARC, you get the nonrepudation features you're looking for.
answered May 30 at 19:35
sysadmin1138♦sysadmin1138
118k17148282
add a comment |
This is typically handled by creating multiple TXT records. You can see _spf.google.com do it.
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
In your case you would create new TXT records similar to...
spf1.example.com 300 IN TXT "v=spf1 include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com ~all"
spf2.example.com 300 IN TXT "v=spf1 include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
And set your SPF record to something like...
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32 include:spf1.example.com include:spf2.example.com ~all"
The danger to records this large is that the SPF RFC 7208 says in section 4.6.4 that only 10 modifiers that require DNS lookups will be honored by systems doing SPF checks. The google SPF record I quoted includes huge lists of netblocks specifically to avoid hitting this limit, and the rest of your includes all point to netblocks. The SPF record you quoted is at 7 all by itself, and the google include adds 3 more (they have a lot of netblocks).
You're at 10 already. Unfortunately, using the method I mention here will add two more and put you into the zone where mail receivers may not fully query all of your authorized netblocks. You're fast approaching the area where SPF stops being a viable method of control and you'll need to do something like dmarc in order to get the non-repudiation you need. In that case you'd use an SPF record with "v=spf1 +all" which tells mailers that you don't actually care who sends your email and you're using something else. When paired with dkim and DMARC, you get the nonrepudation features you're looking for.
answered May 30 at 19:35
sysadmin1138♦sysadmin1138
118k17148282
This is typically handled by creating multiple TXT records. You can see _spf.google.com do it.
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
In your case you would create new TXT records similar to...
spf1.example.com 300 IN TXT "v=spf1 include:mail.zendesk.com include:stspg-customer.com include:_spf.google.com ~all"
spf2.example.com 300 IN TXT "v=spf1 include:et._spf.pardot.com include:sendgrid.net include:spf.mandrillapp.com include:mailsenders.netsuite.com ~all"
And set your SPF record to something like...
"v=spf1 ip4:206.190.89.129/27 ip4:54.86.80.254/32 ip4:13.111.0.56/32 include:spf1.example.com include:spf2.example.com ~all"
The danger to records this large is that the SPF RFC 7208 says in section 4.6.4 that only 10 modifiers that require DNS lookups will be honored by systems doing SPF checks. The google SPF record I quoted includes huge lists of netblocks specifically to avoid hitting this limit, and the rest of your includes all point to netblocks. The SPF record you quoted is at 7 all by itself, and the google include adds 3 more (they have a lot of netblocks).
You're at 10 already. Unfortunately, using the method I mention here will add two more and put you into the zone where mail receivers may not fully query all of your authorized netblocks. You're fast approaching the area where SPF stops being a viable method of control and you'll need to do something like dmarc in order to get the non-repudiation you need. In that case you'd use an SPF record with "v=spf1 +all" which tells mailers that you don't actually care who sends your email and you're using something else. When paired with dkim and DMARC, you get the nonrepudation features you're looking for.
answered May 30 at 19:35
sysadmin1138♦sysadmin1138
118k17148282
answered May 30 at 19:35
sysadmin1138♦sysadmin1138
118k17148282
answered May 30 at 19:35
sysadmin1138♦sysadmin1138
118k17148282
answered May 30 at 19:35
sysadmin1138♦sysadmin1138
118k17148282
118k17148282
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969535%2fspf-record-longer-than-255-characters-in-aws-route53%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
