1

I need some help with setting up the SPF record. I created the SPF record just like this:

```
v=spf1 a mx include:_spf.google.com include:getresponse.com ~all
```

When I run this for a test:

https://toolbox.googleapps.com/apps/checkmx/check?domain=workwithchrisonline.com&dkim_selector=

Obviously it gives me an error: SPF record must be in the correct format.

I have also tried this:

```
"v=spf1 +a +mx +ip4:104.xxx.xxx.xxx +include:_spf.google.com +include:getresponse.com ~all"
```

I don't know why I get an error. Is there anything you can do to help me solve this?

Robert Jones

1 Answer

3

Short answer: your SPF record has too many DNS lookups. You have included getresponse.com in your SPF record, which in turn has its own include records in its SPF record, which require additional lookups.

Per the SPF RFC:

> SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.

You can test/validate your SPF record before updating your DNS by using the following URL: https://www.kitterman.com/spf/validate.html

You can check to see how many DNS lookups your SPF record is incurring by entering your domain name at https://emailstuff.org/spf/check. In your case your SPF record is causing 13 DNS lookups which is obviously greater than 10.

If you don't need getresponse.com then I would suggest taking it out.

```
v=spf1 a mx include:_spf.google.com -all
```

I would also suggest reading up on the difference between ~, -, +, and ? in your SPF record. For a good explanation see openspf.org. Once you have the SPF validated you want to change the ~all to -all to strictly enforce SPF rules. With a ~all, other servers will still be able to send email using your domain.

Tim Liston
  • Thank you for your advice. Do I need to use `-all` or `~all`, and do I need to use `+a`, `+mx` and `ip4:104.xxx.xxx.xxx` or not? How long will it take to update? – Robert Jones Sep 30 '18 at 16:27
  • You should use `-all`. You can keep the `a`, but the purpose of having the `a` is to allow all hosts with A records in your DNS to send email. In my environment we do not do this. The same goes for the `mx`, but you've already included _spf.google.com which will cover them. This would only really be helpful if you have another mx record in your DNS that you want to allow to send email. – Tim Liston Sep 30 '18 at 17:10
  • Thank you very much for your help. Do you know how long it will take for the SPF records to be updated? – Robert Jones Sep 30 '18 at 17:28
  • Looks like it has already updated: https://mxtoolbox.com/SuperTool.aspx?action=spf%3aworkwithchrisonline.com – Tim Liston Sep 30 '18 at 17:36
  • Thank you, but I can't see that it has been updated on `https://www.kitterman.com/spf/validate.html`. Do you know why? – Robert Jones Sep 30 '18 at 17:39
  • It's dependent on the TTL of your SPF record in your DNS. Usually the default is 3600 seconds (or 60 minutes). You will want to check your DNS record settings to determine the value for your record. – Tim Liston Sep 30 '18 at 17:47
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/83871/discussion-between-tim-liston-and-robert-jones). – Tim Liston Sep 30 '18 at 17:56
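
To see how nested includes push a record past the 10-lookup limit quoted in the answer above, here is an added example (not part of the original thread): a static counter that walks `include` and `redirect` chains over an in-memory zone, with no DNS queries. Every domain name and record in `ZONE` is constructed for illustration, arranged so the total comes to the 13 lookups mentioned in the answer; `count_lookups` and `check` are hypothetical helper names.

```python
import re

LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF check
# qualifier, term name, optional ":" or "=" argument, optional CIDR suffix
TERM = re.compile(r"^[+\-~?]?([a-z][a-z0-9]*)(?:([:=])([^/\s]+))?(?:/.*)?$", re.I)

# Constructed zone (domain -> SPF TXT); all names and records are invented.
ZONE = {
    "sender.example": "v=spf1 a mx include:_spf.mailhost.example include:esp.example ~all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example "
                             "include:_nb2.mailhost.example include:_nb3.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "esp.example": "v=spf1 a mx include:_a.esp.example include:_b.esp.example ~all",
    "_a.esp.example": "v=spf1 a:out1.esp.example mx ~all",
    "_b.esp.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

def count_lookups(domain, zone, _path=()):
    """Static upper bound: count every DNS-querying term reachable from domain."""
    if domain in _path:
        raise ValueError(f"include loop through {domain}")
    total = 0
    # A name with no record still costs the caller one lookup but adds none here.
    for term in zone.get(domain, "").split()[1:]:
        m = TERM.match(term)
        if m is None:
            raise ValueError(f"unparseable term {term!r} in {domain}")
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
        if (name, sep) in (("include", ":"), ("redirect", "=")):
            # The include/redirect itself is one lookup, plus whatever it pulls in.
            total += 1 + count_lookups(arg, zone, _path + (domain,))
        elif sep != "=" and name in ("a", "mx", "ptr", "exists"):
            total += 1
        # all, ip4, ip6 and other modifiers (such as exp=) are not counted
    return total

def check(domain, zone):
    """Return (lookup_count, within_limit) for domain's record."""
    n = count_lookups(domain, zone)
    return n, n <= LIMIT

if __name__ == "__main__":
    print(check("sender.example", ZONE))
    trimmed = dict(ZONE, **{"sender.example": "v=spf1 a mx include:_spf.mailhost.example -all"})
    print(check("sender.example", trimmed))
```

A real evaluation stops at the first matching mechanism, so this count is the worst case, which is the figure static validators report.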