Does adding another TXT record affect SPF authentication?

Duc Vo

5/15/24, 2:09 PM

I am using multiple mail services for my domain sliver.proteuslake.asia, such as Mailjet, Google, and Atlassian. I have already added three TXT records for my domain:

"v=spf1 include:spf.mailjet.com ?all"
"atlassian-sending-domain-verification=fb8692b2-027c-4abc-8ce7-311fd467211e"
"google-site-verification=DQ0PYy6fwkssvVgmuTx0-eU-kMGZoaCKvXX2wWTZD-I"

These records are used for different purposes, such as verifying my domain ownership and allowing Mailjet to send emails on my behalf.

I want to add another TXT record for a different purpose, but I am not sure if it will affect the SPF authentication method. SPF is an email authentication method that uses the DNS to authorize which IPs can send mail on behalf of my domain. The receiving mail server checks the SPF record of the sender's domain to verify that the sender's IP address is authorized.

Will adding another TXT record impact the SPF authentication method? If yes, how can I avoid it? If no, why not?

743

2 + 0

domain-name-system

spf

Score:9

Server

Reinto

5/15/24, 3:06 PM

It shouldn't

The receiving server will check for a single TXT record that starts with "v=SPF1". The number of TXT records at the domain level does not matter.

However, when the results of a DNS query are above a certain size, the DNS service will send back the first set of bytes and flag the response as truncated. This will prompt the client to retry the query over TCP instead of UDP. Since the SPF lookup for a domain is for any TXT records at the root of the domain, all TXT records are returned. So, when you publish many TXT records at the same domain as your SPF record, the chance increases you're exceeding the UDP limit.

This should not be an issue, per se. But, I've seen some TempErrors occur with some mailbox service providers where those do not attempt a second lookup over TCP. This can cause issues, for example when you have a restrictive DMARC policy set (p=reject or p=quarantine) and DKIM fails or isn't present. DMARC evaluation then relies on SPF results (and alignment) and an Error will fail it.

This answer explains the DNS behaviour better than I could: https://superuser.com/questions/1411657/why-dns-look-up-is-udp

Another way

Some services allow you to use a different (sub)domain for SPF checks than the domain used in the FROM header of the email. Since SPF is checked on the Return-Path address, where bounces are sent, you can use a different domain for your SPF record than where you publish the TXT verification records. This will also help towards staying away from the 10-lookup limit for SPF queries. Although not all service providers support such a setup, it will help reduce the size of the top level record when they do.

+ 1

TooTea

5/16/24, 8:05 AM

Most resolvers these days should support EDNS0 (required for DNSSEC) and thus be happy to work with bigger UDP packets, so the TCP fallback is not as common as it used to be.

Score:1

Server

joeqwerty

5/15/24, 2:32 PM

Does adding another TXT record affect your SPF record?

No, because other TXT records are unrelated to your SPF record.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Does adding another TXT record affect SPF authentication?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.