07-20-2016 06:27 AM - edited 07-20-2016 06:27 AM
I assume there is a 255 character limit on TXT records? SPF record is currently 252 and when I add an additional domain it throws "invalid data." If that is the case I need to get around that limit but not sure how. Best practice is to not have multiple SPF records but at this point it looks to be my only option.
Can anyone confirm?
07-21-2016 06:00 AM
If I recall correctly, you can create a longer SFP record through dynamic DNS (nsupdate) and it will actually be stored as seperate SFP records.
I tested it on my system with the following nsupdate command run from my Mac terminal:
update add local 86400 TXT v=spf1include:spf.protection.outlook.com ip4:188.8.131.52/24 ip4:184.108.40.206/24 ip4:220.127.116.11/24 ip4:18.104.22.168 ip4:7917.235.50 ip4:22.214.171.124 ip4:126.96.36.199/28 ip4:188.8.131.52 ip4:184.108.40.206/28 ip4:220.127.116.11/29 ip4:18.104.22.168/29~all
I believe that was the entire string you are trying to add, correct me if I am wrong.
If I try to resolve it:
bshelston$ dig @192.168.2.219 TXT local
; <<>> DiG 9.10.1 <<>> @192.168.2.219 TXT local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29491
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local. IN TXT
;; ANSWER SECTION:
local. 86400 IN TXT "v=spf1include:spf.protection.outlook.com" "ip4:22.214.171.124/24" "ip4:126.96.36.199/24" "ip4:188.8.131.52/24" "ip4:184.108.40.206" "ip4:220.127.116.11" "ip4:18.104.22.168" "ip4:22.214.171.124/28" "ip4:126.96.36.199" "ip4:188.8.131.52/28" "ip4:184.108.40.206/29" "ip4:220.127.116.11/29~all"
;; Query time: 29 msec
;; SERVER: 192.168.2.219#53(192.168.2.219)
;; WHEN: Thu Mar 17 15:14:34 EDT 2016
;; MSG SIZE rcvd: 311
The entire TXT comes back.
You will need to modify the zone to allow updates from the client workstation that is issuing these commands.
I hope this helps.
07-28-2016 07:28 AM
I can just create another SPF record then via the GUI? I was under the impression that multiple SPF records weren't considered ideal. But if it returns both SPF records as one then I guess it doesn't matter?
Can you confirm it created multiple SPF records or a single one with > 255 characters?
08-23-2016 04:22 PM
RFC 4408 states a TXT or SPF record is allowed to contain multiple strings, which should be concatenated together by the application that is reading it. Here is an example from the RFC:
"v=spf1 ip4:18.104.22.168/16 ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52 ip4:184.108.40.206/24 ip4:220.127.116.11/24 ip4:18.104.22.168/24 ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52/24 ip4:184.108.40.206/32 ip4:220.127.116.11/30 ip4:18.104.22.168 ip4:22.214.171.124/31 ip4:126.96.36.199 ip4:188.8.131.52 ip4:184.108.40.206"
" ip4:220.127.116.11/24 ip4:18.104.22.168/30 ip4:22.214.171.124/30 ip4:126.96.36.199 ip4:188.8.131.52 ip4:184.108.40.206 ip4:220.127.116.11 include:thirdparty.net -all"
The spacing after the " " is important and make sure to verify after that change.
I was able to achieve this in my environment which contains a lot of IP addresses.
11-28-2016 02:22 PM
We hit what looks like internal Inofblox limitation of 512 butes on managing TXT records (even when they split into strings <255).
Our SPF TXT record is >512 and works fine with current BIND. But trying to import the zone using DIW failed with:
"Alarm: Severity=major; Text=Failed to insert record, error: The TXT string total length cannot exceed 512 characters; Component=proofpoint.com; Subsystem=external"
Similarly, trying to add it with WebUI gives error.
Thanks for DDNS suggestion I found here. I tried this and it worked!
I was able to add >512 TXT record to the zone as "dynamic". Note, I had to remove all double quotes from original line and DDNS split it into words making each a separate string:
$ dig +short proofpoint.com @10.100.1.120 txt
"v=spf1" "ip4:18.104.22.168" "ip4:22.214.171.124" "ip4:126.96.36.199" "ip4:188.8.131.52/24" "ip4:184.108.40.206/24" "ip4:220.127.116.11" "ip4:18.104.22.168" "ip4:22.214.171.124" "ip4:126.96.36.199" "ip4:188.8.131.52" "ip4:184.108.40.206" "ip4:220.127.116.11" "ip4:18.104.22.168" "ip4:22.214.171.124" "ip4:126.96.36.199" "ip4:188.8.131.52" "ip4:184.108.40.206" "a:support1.proofpoint.com" "include:i.ppops.net" "include:mktomail.com" "include:spf.ihance.net" "include:_spf.salesforce.com" "ip4:220.127.116.11" "include:spf-00148501.pphosted.com" "include:spf-00148503.pphosted.com" "?all"