10-28-2019 08:40 AM
There is a ten lookup limit for SPF records. To get around this, some companies are offering to host your SPF record on their server and replace the "includes" with the actual IP addresses of the remote email servers. This "flattens" the SPF record and gets around the ten lookup limit. The service frequently checks for updates to the includes and keeps the addresses updated. Has anybody ever used one of these services? I'm leery about having another company host any DNS record on my behalf. Also wondering if Infoblox would consider adding an SPF flattening feature to NIOS to get around the ten lookup limit.
I realize there are other ways to get around the ten lookup limit by placing third party mailers in a sub-domain. In large organizations it can be difficult to restructure the domains after the fact.
11-05-2019 09:08 AM - edited 11-06-2019 03:59 PM
11-05-2019 10:11 AM
I may write a bash shell script that monitors a dummy "spf" TXT record and continually checks to see if the DNS lookups change. If they do change, the script will update the "flattened" spf TXT record. Yes, I may do this next week. I will post it here.
11-20-2019 02:52 PM - edited 11-20-2019 02:56 PM
OK so I'm going to actually write something up to automatically (or semi-automatically) keep "SPF" records flattened. The SPF record is really a TXT record but I will be referring to it as an SPF record. This script will be Linux-based. Here are my thoughts and I would appreciate any input from Infoblox users on this.
I'll need to store the unflattened SPF record somewhere where it's easily accessible. I think it's best to store it in DNS as a TXT record but it can't be stored as a legit "SPF" TXT record. Maybe start the TXT record with v=unflattenedspf instead of v=spf1. That way it can be easily accessed and modified in a normal way. You just have to remember to not edit the legit flattened SPF record because it is kept updated by this script.
The script can be configured to run at specific intervals like every 5 min, every hour or once per day.
When the script runs it will query the flattened SPF record and the unflattened SPF record using a simple DNS query. It will then check the unflattened SPF record for any "include" statements and resolve them, thereby generating a new flattened SPF record. The newly flattened SPF record would be compared to the flattened SPF record that was just queried from DNS. If the two flattened SPF records are the same, the script would exit or continue on to the next SPF record that needs to be checked. If the two records are not the same, that means the SPF "includes" changed and the real SPF record needs to be updated. In this case the script would take one of two actions:
1) Send an email notification the SPF record has changed, don't make any changes but list the differences and list what the new SPF record should be. This would be handy if you only want to do manual changes.
2) Do the above AND automatically update the real SPF record via the Infoblox web API.
The script would need to check the length of the TXT string to ensure it does not exceed 255 characters. If the TXT string exceeds 255 characters, the script would have to be smart enough to break up the text into smaller chunks using double quotes. I plan on starting this next week. If anybody has any suggestions, feel free to update this thread. This script could work with BIND and not just the Infoblox API.
We've already hit the ten lookup limit so I need to get this going.
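The check described in the post above, written out as an added example (this is not the poster's script, which was never posted in this thread, nor Infoblox code). It assumes a resolver callable that returns the TXT strings at a name, uses constructed sample records in place of live DNS, flattens the `v=unflattenedspf` master record, counts the lookups the unflattened tree would cost against the ten-lookup limit, compares the result with the live `v=spf1` record, and splits the new record into 255-character strings; the Infoblox web API update itself is left out, so the function only reports what would change.

```python
import re
# Constructed sample answers standing in for live DNS (assumption: a real resolver wraps
# dnspython or `dig`); example.com has the master "v=unflattenedspf" plus a stale "v=spf1".
SAMPLE_TXT = {
    "example.com": [
        "v=unflattenedspf include:_spf.mailer-a.test include:_spf.mailer-b.test ip4:203.0.113.10 -all",
        "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.0/25 ip4:203.0.113.10 -all"],
    "_spf.mailer-a.test": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.mailer-a.test ~all"],
    "_spf2.mailer-a.test": ["v=spf1 ip4:198.51.100.200 ip6:2001:db8::/32 -all"],
    "_spf.mailer-b.test": ["v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/26 -all"],
}
sample_resolver = lambda name: SAMPLE_TXT.get(name, [])
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each spends one of the ten RFC 7208 lookups

def spf_terms(name, resolve, version):
    """Terms of the TXT string at `name` whose first token is `version`, or [] if none."""
    hits = [t.split()[1:] for t in resolve(name) if t.split()[:1] == [version]]
    return hits[0] if hits else []

def flatten(name, resolve, version="v=spf1", path=frozenset()):
    """Replace each include: with the referenced record's terms (minus its own 'all')
    and count the DNS lookups a receiver would spend evaluating the unflattened tree."""
    if name in path: raise ValueError(f"include loop at {name}")
    terms = spf_terms(name, resolve, version)
    if not terms: raise LookupError(f"no {version} record at {name}")  # permerror: never drop silently
    out, lookups = [], 0
    for term in terms:
        mech = term.lstrip("+-~?")
        lookups += re.split(r"[:/=]", mech.lower(), maxsplit=1)[0] in LOOKUP_MECHS
        if mech.lower().startswith("include:"):
            sub, n = flatten(mech[8:], resolve, "v=spf1", path | {name})
            out += [t for t in sub if t.lstrip("+-~?").lower() != "all"]
            lookups += n
        else: out.append(term)
    return out, lookups

def to_txt_strings(terms, limit=255):
    """Quoted strings of at most `limit` chars; receivers join them with NO separator, so each later string starts with a space."""
    chunks, cur = [], "v=spf1"
    for term in terms:
        if len(cur) + 1 + len(term) > limit:
            chunks, cur = chunks + [cur], ""
        cur += " " + term
    return [f'"{c}"' for c in chunks + [cur]]

def planned_update(domain, resolve):  # compare the live v=spf1 with a fresh flattening
    new, lookups = flatten(domain, resolve, "v=unflattenedspf")
    new, cur = list(dict.fromkeys(new)), spf_terms(domain, resolve, "v=spf1")
    return {"changed": cur != new, "lookups_before": lookups, "strings": to_txt_strings(new),
            "current": " ".join(["v=spf1"] + cur) if cur else None, "new": " ".join(["v=spf1"] + new)}
```

A real run would replace `sample_resolver` with a DNS query against the authoritative server and feed `strings` to the TXT record update; the `a`/`mx` terms inside includes are kept verbatim, so they still cost lookups after flattening.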
11-27-2019 01:22 AM
Found a couple of scripts on the Internet which you could use for resolving the issue as you mentioned in the thread.
Thought it would be better to edit any one of the below scripts than starting from scratch.
Python script > https://pypi.org/project/sender-policy-flattener/
Perl script > https://github.com/oasys/mkspf
PS: Both the scripts mentioned above were found from a quick Internet search and I am not the owner of any of the above two scripts.