Score:1

How to configure DNS SPF records for many subdomains

cn flag

I have a domain name, say example.com, and many servers (potentially hundreds), each with a public IP and a subdomain (sub1.example.com, sub2.example.com, etc.). Each server hosts a Postfix installation. The goal here is to be able to send emails from any server (not to receive emails). There's however no email server attached to the main domain itself (example.com).

Now I'm trying to set up the SPF entries in the DNS, but I'm a bit stuck. I've tried many combinations but they always end up with an SPF SOFTFAIL when trying to send an email to Gmail. Also, how to work around the limitations on the length of the SPF record with that many servers/IPs is unclear to me.

Adding some more context (even though I've accepted Bob's answer).

The idea is to have a very redundant architecture, where any server can fail and the system as a whole will keep working (at least for email sending). I don't have control over the range of IP addresses: the servers will be provisioned in multiple countries and with multiple providers. I've tried defining an SPF entry for the main domain name only.

                     600 IN TXT    "v=spf1 mx ~all"

When sending to Gmail I get a SOFTFAIL error for SPF validation, the email being sent from a subdomain (like sub1.domain.com).

I then tried to add the sender IP address in the record:

                      600 IN TXT    "v=spf1 mx ip4:server_ip ~all"

But I end up with the same SOFTFAIL error. I also tried to add another SPF entry for the subdomain, but as far as I understand, only one SPF entry should be created :-/ I also tried include: with the domain names, with the same result.

Any help or guidance would be appreciated :-)

fr flag
anx
"tried many combinations" -- please [edit] your question to be specific about what you want to accomplish, what you tried, and why specifying your IP blocks exceeds the limitations.
Score:2
td flag
bob

It depends a bit on what your aims are, and which problems you run into.

There are several SPF mechanisms to match classes of hosts without enumerating all hosts directly in the SPF record, for example:

  • the ip4 mechanism and equivalent ip6 mechanism to match subnets when all your servers belong to one or more IP-address ranges that are exclusively yours:

    ip4:<ip4-network>/<prefix-length>
    ip6:<ip6-network>/<prefix-length>
    
  • you can create a single A record (for example bob.example.com) that contains all IPv4 A and/or IPv6 AAAA records (in round-robin fashion) of the servers that you wish to allow to send mail directly over IPv4 or IPv6 respectively, and refer to that in your SPF record:

    "v=spf1 a:bob.example.com. ~all"
    
    bob.example.com.  IN A     10.0.0.1
    bob.example.com.  IN A     192.168.0.1
    bob.example.com.  IN A     172.16.0.2
    bob.example.com.  IN AAAA  2001:db8:ffff:ffff:ffff:ffff:ffff:fff1 
    
  • the include keyword can be used when your SPF record becomes too long to fit in a single DNS record. For example, the current Gmail/Google SPF record does not directly include any IP ranges but includes those from three additional records:

    _spf.google.com.  300 IN  TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
    
    _netblocks.google.com.    300 IN  TXT "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
    
    _netblocks2.google.com.   300 IN  TXT "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
    
    _netblocks3.google.com.   300 IN  TXT "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"
    

An alternative is to NOT allow all your hosts to send email directly. Set up one or more servers as dedicated mail relays and authorise only those in your SPF. All other servers you then configure to use those relay hosts.

Pascal Ognibene
cn flag
Hi Bob, thank you for your answer, this sheds some light on the possible solutions. Given that I could ultimately have up to 200 servers, it looks like the best alternative is the last one: to not allow all of them to send email directly - otherwise I will probably end up in limitations with the size of the SPF record, even when using additional records. Thank you again, this was most helpful. Pascal
Score:1
us flag

Your description of your use case is not complete enough. But if your goal is to send email from *@example.com from any of those servers, then the SPF ptr mechanism is designed precisely for this use case.

You would set up proper reverse DNS 1.2.3.4 → sub1.example.com → 1.2.3.4, for each of the subdomain servers.

Then you would install the following SPF record at the main domain example.com:

v=spf1 ptr -all

That is all.

The advantage of this over other approaches is that it is easy to set up, does not run into lookup limits, and scales to an arbitrary number of subdomain hosts.

The disadvantage is that it is somewhat at odds with the prescriptions of the SPF RFC: RFC 7208 discourages use of the ptr mechanism. However, an argument can be made that the wording there is too severe, and given your use case usage of ptr is acceptable. See also my question 1063826.

Pascal Ognibene
cn flag
My goal is indeed to be able to send email from any server attached to a subdomain, like sub1.example.com, sub2.example.com. However, the receiver of the email should see only example.com as the sender (even though the real sender is visible in the raw email). I did configure reverse DNS both for IPv4 and IPv6, and added A and AAAA entries in the DNS for my subdomain (let's call it sub1.example.com). I tried your suggestion with "v=spf1 ptr -all", and indeed I now pass the SPF check on Gmail :-)
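As an added illustration (not code from the question or either answer), the following minimal SPF evaluator walks a sender IP through the mechanisms discussed on this page: the question's "v=spf1 mx ~all" attempt, bob's a:bob.example.com plus include: layout, and the ptr mechanism with its forward-confirmed reverse DNS check, while counting DNS-querying mechanisms against the RFC 7208 limit of 10. The DNS table, the names op.example.com, _spf1.example.com, ptr.example.com, sub1/sub2.ptr.example.com and all addresses are constructed for the example.

```python
import ipaddress
DNS = {  # constructed in-memory DNS table (RFC 5737/3849 sample addresses, not real records)
    ("op.example.com", "TXT"): ["v=spf1 mx ~all"],  # the question's first attempt: no MX exists
    ("example.com", "TXT"): ["v=spf1 a:bob.example.com include:_spf1.example.com ~all"],
    ("bob.example.com", "A"): ["192.0.2.10", "192.0.2.11"],  # round-robin list of allowed senders
    ("bob.example.com", "AAAA"): ["2001:db8::10"],
    ("_spf1.example.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("ptr.example.com", "TXT"): ["v=spf1 ptr -all"],
    ("20.2.0.192.in-addr.arpa", "PTR"): ["sub1.ptr.example.com"],
    ("sub1.ptr.example.com", "A"): ["192.0.2.20"],  # forward lookup confirms the PTR
    ("21.2.0.192.in-addr.arpa", "PTR"): ["sub2.ptr.example.com"],  # PTR with no matching A record
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per evaluation

def lookup(name, rtype):
    return DNS.get((name.rstrip("."), rtype), [])

def ip_in(ip, name):  # True if ip is one of name's A (IPv4) or AAAA (IPv6) addresses
    return any(ip == ipaddress.ip_address(a) for a in lookup(name, "AAAA" if ip.version == 6 else "A"))

def check_host(ip, domain, lookups=0):
    """Minimal SPF check_host() for ip4/ip6/a/mx/include/ptr/all; returns (result, lookups_used)."""
    ip = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1:  # no record -> none; several records -> permerror (RFC 7208 section 4.5)
        return ("permerror" if records else "none"), lookups
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("a", "mx", "include", "ptr") and (lookups := lookups + 1) > MAX_LOOKUPS:
            return "permerror", lookups
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip_in(ip, arg or domain)
        elif name == "mx":
            matched = any(ip_in(ip, mx) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            sub, lookups = check_host(ip, arg, lookups)
            matched = sub == "pass"
        elif name == "ptr":  # forward-confirmed reverse DNS, and the PTR name must sit under domain
            matched = any((n == domain or n.endswith("." + domain)) and ip_in(ip, n)
                          for n in lookup(ip.reverse_pointer, "PTR"))
        else:
            return "permerror", lookups
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual], lookups
    return "neutral", lookups
```

Running check_host("192.0.2.10", "op.example.com") reproduces the question's softfail (mx matches nothing because no MX exists), while the same IP passes under example.com via the a: list, and 192.0.2.21 fails under ptr.example.com because its PTR name does not resolve back to it.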