SPF Limitations & Sending Domain Strategy

Discussion in 'Mail Chat' started by MF-Newsbot, Apr 16, 2013.

  1. MF-Newsbot

    MF-Newsbot VIP

    Apr 15, 2013
    SPF Limitations & Sending Domain Strategy

    A marketing automation customer recently reported confusing and intermittent SPF failures. Upon initial investigation, their SPF entry looked fine. When I looked into it in more detail, I found a cascading issue that ultimately involved multiple other companies, and some difficult decisions relating to email sending strategy. To avoid hitting SPF limitations, corporate and production sending domains should be kept separate.

    First, let’s back up a little bit and talk about Sender Policy Framework (SPF). Nearly ten years old, this email validation system allows recipient mail servers to trust that a given message is authorized by the domain in the From: address field. This was intended to reduce damaging phishing attacks by criminals who can easily fake the From: address to send fraudulent messages that appear trustworthy. As third-party email sending systems became more and more common, receivers needed a way to determine which messages were fraudulent, and which were authorized messages sent from a third party. To generalize, SPF works by including a list of authorized email sending systems in the DNS of a domain.

    This list can specify authorized email sending systems by directly including an IP address or range, or by using a DNS lookup mechanism. Since computers only know how to interact with IP addresses, a lookup mechanism forces the receiving system to look up the IP address that should be included. While direct IP listings are limited only by the inherent limitations of DNS, these lookup mechanisms are limited to 10 in an attempt to reduce load on DNS servers.

    This lookup limit might not be so hard to work around if listings couldn’t cascade, but they do. In other words, if company1.com’s SPF listing includes company2.com, and company2.com’s SPF listing includes company3.com, company1.com is also counted as including company3.com. This can get extraordinarily complex, causing chains of SPF failures for multiple companies due to including each other’s lookups.

    To get back to the story I started with, it eventually turned out that despite using only 3 lookup mechanisms in their own SPF, my customer was actually including a startling 30 total lookups due to this cascading effect! Most systems will fail SPF after they receive the first 10 lookup results, so this customer’s SPF was failing whenever we weren’t one of the first 10 to respond. One of the reasons there are so many lookups is that one of the 3 companies my customer is listing in their entry appears to be using the same domain for their corporate and production mail.

    This company (we’ll call them Corp.com) uses hosted email for their corporate email, and multiple third-party sending systems. Their website and corporate mail are at Corp.com, as are their third-party CRM and marketing automation messages. They also send email on behalf of their own customers, and use the Corp.com domain to do so. Even without considering the cascading lookups from Corp.com, they started out with 17 lookups. Counting their cascading lookups, they were at 25.

    About half of these lookups were due to their corporate and marketing automation mail, while the other half were due to systems necessary for their production mail. Had they separated these by using a separate domain for corporate and production mail, they could have prevented this issue. By using the same domain for both, they have doomed their customers to SPF failures. To make matters worse, one of the lookups Corp.com was using included another company that was doing the same thing.

    As of this writing, the issue still isn’t resolved. Each of the companies involved in this must make some difficult choices about what they can continue to include, and what they must separate to send from a different domain. It’s a difficult issue to explain, much less resolve. Let there be a lesson in this: when choosing which domains to send mail from, separate your corporate sending from your production sending. It just might save you a lot of heartache.
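The cascading count the post describes can be audited before a record is published. The script below is an added example, not code from the original post or the article it reposts; the zone data and every domain name in it are constructed and hypothetical, and it follows RFC 7208's rule that include, a, mx, ptr, exists and redirect each cost one DNS lookup while ip4/ip6/all cost none.

```python
"""Count the DNS-querying SPF terms a domain inherits through nested
include:/redirect= chains (the 'cascading' effect), against the limit of 10."""

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4). ip4/ip6/all do not.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LIMIT = 10

# Constructed sample TXT records keyed by domain (hypothetical names, not real DNS).
ZONE = {
    "customer.example": "v=spf1 include:esp1.example include:corp.example include:crm.example -all",
    "esp1.example": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
    "crm.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.crm-cloud.example -all",
    "_spf.crm-cloud.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # corp.example mixes hosted corporate mail, marketing and production senders in one domain.
    "corp.example": "v=spf1 include:hosted-mail.example include:marketing.example mx a include:partner.example -all",
    "hosted-mail.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.hosted-mail.example ~all",
    "_spf.hosted-mail.example": "v=spf1 a mx -all",
    "marketing.example": "v=spf1 include:partner.example -all",
    "partner.example": "v=spf1 include:corp.example -all",  # includes corp.example back: a loop
}


def lookup_terms(record):
    """Yield (term, target) for every DNS-querying term in one SPF record."""
    for token in record.split()[1:]:            # skip the v=spf1 version tag
        token = token.lstrip("+-~?")             # drop the qualifier
        name, _, target = token.replace("=", ":", 1).partition(":")
        if name.lower() in LOOKUP_TERMS:
            yield name.lower(), target


def count_lookups(domain, zone, path=frozenset()):
    """Total lookups charged to `domain`, following include/redirect chains.
    Each include/redirect costs one lookup plus whatever its target costs.
    A target already on the current path (a loop) is charged but not re-expanded."""
    path = path | {domain}
    total = 0
    for term, target in lookup_terms(zone.get(domain, "v=spf1 -all")):
        total += 1
        if term in ("include", "redirect") and target not in path:
            total += count_lookups(target, zone, path)
    return total


def spf_report(domain, zone):
    """Return (lookup_count, over_limit) for a pre-publication audit."""
    count = count_lookups(domain, zone)
    return count, count > LIMIT
```

Here customer.example lists only three includes of its own yet inherits 17 lookups, with corp.example alone contributing 11, which is the situation the post describes.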

  2. PushSend

    PushSend VIP

    Apr 12, 2011
    I'm looking forward to seeing how our bot replies to trolling...
