Partial Safe SPF for Non-flattenable SPF Includes


While Safe SPF overcomes the 10-DNS-lookup limit in SPF, sometimes it's desirable to flatten only a part of your SPF record, while leaving the rest as is. If this is the case, you can use partial Safe SPF.

One good reason for this is that some email delivery services, such as HelpScout, Office 365, Atlassian, and Zendesk, require that their SPF include be specified explicitly in your SPF record.

For example, in order to have Office 365 send emails on your behalf, you need to specify:

include:spf.protection.outlook.com

explicitly in your SPF record. If this include is not found in the SPF record, you will see a warning along the lines of:

The record we detected doesn't match all the expected values. We queried these
nameservers for the records: ns-1342.awsdns-39.org, ns-1873.awsdns-42.co.uk

We didn't detect that you added new records to yourdomain.com. Make sure the
records you created at your host exactly match the records shown here. If they do, please
wait for our system to detect the changes. This usually takes around 10 minutes, although
some DNS hosting providers require up to 48 hours.

Your domain must have a DNS record that matches the expected record for your
Microsoft 365 services to run smoothly. We recommend “copy and paste” to avoid
errors.

View step-by-step instructions to add TXT DNS records

TXT name TXT value TTL
Expected record v=spf1 include:spf.protection.outlook.com -all
Invalid entry v=spf1 include:_u.mydomain.com._spf.dmarcly.com -all

Similarly, Atlassian requires its SPF include in your top-level SPF record.

Zendesk requires that too; otherwise it reports "SPF does not include Zendesk Support".

Let's take the Office 365 scenario as an example. It's easy enough to use partial Safe SPF to solve this problem. In this particular case, you only need to leave include:spf.protection.outlook.com out of the record you run through Safe SPF, then add it back in after the Safe SPF record is generated.

Here is how it works. Your original SPF record looks like this:

v=spf1 include:service1.com include:service2.com include:explicitservice.com -all

You only need to flatten service1.com and service2.com, but not explicitservice.com. Partial Safe SPF can help here.

You need to run the following original SPF record:

v=spf1 include:service1.com include:service2.com -all

through Safe SPF. That is, flatten only service1.com and service2.com, while leaving explicitservice.com out of the record.

Now you've generated and published the Safe SPF record on your domain like this:

v=spf1 include:_u.yourdomain.com._spf.dmarcly.com -all

This record contains all the IP addresses from service1.com and service2.com. We now need to add explicitservice.com, so that the record looks like:

v=spf1 include:_u.yourdomain.com._spf.dmarcly.com include:explicitservice.com -all

Once the above SPF record is published on your domain, it covers all the IP addresses from all 3 services. What's more, explicitservice.com is explicitly specified in the SPF record.
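The split-and-rebuild steps above, as an added Python example (not DMARCLY's code; the function names are hypothetical and the record values are the ones used on this page). It also counts the top-level terms that cost a DNS lookup, because an include kept explicit still counts toward the 10-lookup limit, along with any lookups nested inside it, which this offline count does not resolve.

```python
import re

# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def split_terms(record):
    """Return (terms, tail) where tail holds a trailing 'all' term, if any."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    body = terms[1:]
    tail = [body.pop()] if body and body[-1].lower().lstrip("+-~?") == "all" else []
    return body, tail

def norm(term):
    """Normalise a term or domain for comparison."""
    return term.lower().lstrip("+").rstrip(".")

def partition(record, keep_explicit):
    """Split into (record to run through Safe SPF, includes kept explicit)."""
    body, tail = split_terms(record)
    keep = {"include:" + norm(d) for d in keep_explicit}
    explicit = [t for t in body if norm(t) in keep]
    missing = keep - {norm(t) for t in explicit}
    if missing:
        raise ValueError("not in record: %s" % sorted(missing))
    rest = [t for t in body if norm(t) not in keep]
    return " ".join(["v=spf1"] + rest + tail), explicit

def rebuild(safe_record, explicit):
    """Add the explicit includes back to the published Safe SPF record."""
    body, tail = split_terms(safe_record)
    return " ".join(["v=spf1"] + body + explicit + tail)

def top_level_lookups(record):
    """Count top-level terms that trigger a DNS lookup (nested ones not resolved)."""
    body, _ = split_terms(record)
    names = (re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] for t in body)
    return sum(1 for n in names if n in LOOKUP_TERMS)

if __name__ == "__main__":
    original = ("v=spf1 include:service1.com include:service2.com "
                "include:explicitservice.com -all")
    to_flatten, explicit = partition(original, ["explicitservice.com"])
    print("run through Safe SPF:", to_flatten)
    final = rebuild("v=spf1 include:_u.yourdomain.com._spf.dmarcly.com -all", explicit)
    print("publish:", final, "| top-level lookups:", top_level_lookups(final))
```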
