How are you all handling SPF/DKIM record requests?
Posted by RNG_HatesMe@reddit | sysadmin | 62 comments
Now that email sending authentication seems to be a thing, we are getting inundated with requests from users using outside services to add SPF and DKIM records so these services can send email "from" our organization. These are legitimate services (Constant Contact, Qualtrics, someone setting up a web service managed by one of our groups), that legitimately want to send mail "as" our domain.
I've been told that there is a limit of 10 SPF lookups per domain before there may be SPF lookup failures. I'm already on 6 added SPF records on a single domain. What are you all allowing, and what are the alternatives?
Evs91@reddit
3rd party provider to flatten the records. Mimecast, MXToolbox, etc. Also, I put my foot down on doing the TLD unless needed. We are at maybe 3 or 4 subdomains now - it’s much easier to manage this way.
god_fucking@reddit
Mailing subdomains. The hardest part is nesting calls within the call.
The other route if your org allows. Mimecast offers SPF delegation for something like 4k a year. It's what we're using now and you can have unlimited calls. It's so nice.
CriticalMine7886@reddit
That might explain why Mimecast is also one of the culprits of cascading SPFs - you add their one and then it expands to another bunch - 6 if I recall.
god_fucking@reddit
I think it’s 4, could be wrong. But the four are to each of their global centers. The main one calls one for eu, na, etc.
CriticalMine7886@reddit
There is a root SPF
_netblocks
that calls
eu.
us.
za.
de.
au.
ca.
so it consumes 7 of your 10 (I just went and queried our SPF record to check)
_keyboardDredger@reddit
Though it’s worth highlighting in most cases all outbound mail will route through the nominated local infrastructure hosting your account. E.g. if your account is EU hosted exclusively with Mimecast you should only include the eu.* lookup.
_netblocks allows simplified global setup instructions that’ll cover 90% of customers without complication.
CriticalMine7886@reddit
worth knowing - for the moment I have some headroom, but if things get tight I'll remove the redundant options.
Thanks
god_fucking@reddit
Lol man. Brutal.
CriticalMine7886@reddit
Yeah - by the time we added Salesforce, our corporate spam company, and our on-premises exchange (because O365 started rejecting internal mail without it), well, you get the idea; I hit 11 very quickly.
Top tip though, if you have Salesforce sending email for your domain, don't bother with their SPF record, it never aligns anyway, just set up the DKIM. DMARC only needs one of them to pass so you still get a green flag. Same with MailChimp. Concentrate SPF just for those providers who can't do DKIM (and try to get your marketing teams to accept they don't have to use your main email domain, they can use a subdomain or custom domain).
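The alignment point above (a vendor's SPF pass not counting, a DKIM signature with your domain in d= counting on its own) is easy to see by running the DMARC alignment rule over a few constructed messages. This is an added example, not code from the thread; the domains, results and the simplified organizational-domain rule (last two labels instead of the Public Suffix List) are assumptions made for the demo.

```python
"""DMARC identifier alignment: why a vendor's SPF pass may not count.

Added example (not from the thread).  The scenario is constructed: the bulk
mailer sends with its own bounce domain in the RFC5321.MailFrom, so SPF is
checked against that domain, while the visible RFC5322.From is the customer's
domain.  A DKIM signature whose d= is the customer's domain aligns by itself.
"""


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels.  Real DMARC uses the Public Suffix List,
    so a domain such as example.co.uk needs the real thing; fine for a demo."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match.  These are the DMARC aspf= / adkim= modes."""
    ident = identifier_domain.lower().rstrip(".")
    hdr = from_domain.lower().rstrip(".")
    if mode == "s":
        return ident == hdr
    return organizational_domain(ident) == organizational_domain(hdr)


def dmarc_result(from_domain, spf_result, mailfrom_domain, dkim_signatures,
                 aspf="r", adkim="r"):
    """Return the aligned SPF/DKIM outcome and the DMARC verdict.

    spf_result      : 'pass'/'fail'/... for the RFC5321.MailFrom domain
    dkim_signatures : list of (d= domain, verification result) pairs
    """
    spf_aligned = spf_result == "pass" and aligned(mailfrom_domain, from_domain, aspf)
    dkim_aligned = any(
        result == "pass" and aligned(d, from_domain, adkim)
        for d, result in dkim_signatures
    )
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # DMARC passes if at least one authenticated identifier aligns.
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed messages for the cases the post describes.
SCENARIOS = {
    # Vendor SPF passes, but for the vendor's bounce domain: no alignment.
    "vendor_spf_only": dict(from_domain="example.com", spf_result="pass",
                            mailfrom_domain="bounce.bulkmailer.example",
                            dkim_signatures=[]),
    # Same message, now DKIM-signed with d=example.com: DMARC passes.
    "vendor_with_dkim": dict(from_domain="example.com", spf_result="pass",
                             mailfrom_domain="bounce.bulkmailer.example",
                             dkim_signatures=[("example.com", "pass")]),
    # Mailing subdomain: From and MailFrom are both news.example.com, so SPF
    # aligns; the vendor's own signature (d=bulkmailer.example) does not,
    # but is not needed.
    "subdomain_spf": dict(from_domain="news.example.com", spf_result="pass",
                          mailfrom_domain="news.example.com",
                          dkim_signatures=[("bulkmailer.example", "pass")]),
}


def run_scenarios():
    return {name: dmarc_result(**args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:18s} spf_aligned={res['spf_aligned']!s:5} "
              f"dkim_aligned={res['dkim_aligned']!s:5} dmarc={res['dmarc']}")
```

The first scenario is the Salesforce-style case from the post: SPF evaluates the vendor's bounce domain, so even a pass is unaligned and DMARC fails without DKIM. The third shows why a mailing subdomain also works with SPF alone, since the envelope and header domains then match.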
hardingd@reddit
I’m dealing with this right now because our sister companies all send bulk emails from the root domain as well as support emails. Three senders. I’ve expressed the need to move those to subdomains but one day, they will get blacklisted 🤷
KimJongEeeeeew@reddit
They get the records for a subdomain.
ScriptThat@reddit
That's what we do too.
xXNorthXx@reddit
This. Every 3rd party or department gets its own mailing subdomain. If one causes problems, it only blacklists the subdomain and not the whole org. This also lets you roll out DKIM and DMARC for services individually as they support it.
mahsab@reddit
No one is blacklisting domains anyway
KimJongEeeeeew@reddit
Except for “ai” filters that are really just heuristics engines. Blacklisting of domains as a broad tool is less prevalent, but that means the domain level blocking is devolved down to the filtering provider or individual organisation.
The same business risk exists for having your sender reputation reduced but now at a recipient’s end, so now you have to try to manage that at multiple places not just a few blacklist providers.
(Obviously we don’t actually do that, but that’s part of the suite of arguments that Marketing are provided when they come wanting yet another startup with a mailer service to be authorised on the primary corporate domain.)
bbqwatermelon@reddit
This. I am of the opinion that only human users genuinely sending from parent domains is an attainable goal and should be the gold standard.
KimJongEeeeeew@reddit
That’s a really good way to position it, I’m gonna add that to my arsenal of hows and whys
Polar_Ted@reddit
That's how we do it. Just set another new subdomain for a mail service last week.
accidentalciso@reddit
This.
ExceptionEX@reddit
We do this, we use a generic notifications.domain and some departmental subs. Marketing domain.
Normal-Difference230@reddit
hmmm do I offer Marketing marketing.domain.com or spam.domain.com, decisions decisions.
AlphabetAlphabets@reddit
They're the same picture
RNG_HatesMe@reddit (OP)
Hmm, that's an interesting approach! I will bring that up.
1996Primera@reddit
it's the ONLY option you should provide. This way when marketing gets the domain blacklisted it's not the whole org & only their crap :)
RNG_HatesMe@reddit (OP)
Good observation!
LookAtThatMonkey@reddit
Subdomains or SPF flattening.
autogyrophilia@reddit
Slightly off-topic, but while I understand the 10 DNS lookups limit for SPF logic (avoid DoS), I do not understand why there hasn't been any noise to increase it to a more reasonable 20-50 now that people are not really hosting their own email anymore.
It is not hard to flatten an SPF record directly or indirectly, but that sort of goes against the point of allowing DNS records.
mahsab@reddit
Not hosting your email just adds one entry
autogyrophilia@reddit
What I mean is that many companies are no longer running their own relays for all their services instead relying on external vendors.
External vendors who may have a lot of include:
And whose entries likely won't be cleared when the service stops being used ...
jamesaepp@reddit
Because at that point you're better off to use macros.
Silent_Villan@reddit
SPF Flattening. Lots of services out there that offer it.
Pretty much makes one lookup that contains all the addresses.
So if you had 5 lookups with 10 addresses/subnets in each one, it makes one lookup with 50 addresses/subnets.
Most of the services auto update automatically.
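To make the 10-lookup budget from the opening question, the nested vendor includes described earlier in the thread (a root include that fans out to regional ones) and the flattening described in this post concrete, here is an added example that counts the lookups a verifier would spend on a record and then flattens it into literal ip4/ip6 terms. It is not code from the thread or from any of the vendors mentioned; the zone, the vendor names and the IPs are constructed placeholders standing in for live DNS so it runs offline.

```python
"""Count SPF DNS lookups and flatten a record, offline (added example).

ZONE is constructed; vendor names are placeholders.  Replace lookup() with a
real resolver call to run this against live records.
"""
import ipaddress

ZONE = {  # name -> record type -> values
    "example.com": {"TXT": ["v=spf1 mx include:_spf.crm-vendor.example include:spf.mailer.example -all"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.10"]},
    # a vendor root include that fans out to regional includes (1 + 2 lookups)
    "_spf.crm-vendor.example": {"TXT": ["v=spf1 include:eu._spf.crm-vendor.example include:us._spf.crm-vendor.example ~all"]},
    "eu._spf.crm-vendor.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "us._spf.crm-vendor.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all"]},
    "spf.mailer.example": {"TXT": ["v=spf1 a:relay.mailer.example ip4:192.0.2.0/28 -all"]},
    "relay.mailer.example": {"A": ["192.0.2.77"]},
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s.4.6.4
MAX_LOOKUPS = 10
MAX_RECORD_OCTETS = 450  # RFC 7208 s.3.4 guidance: keep the whole record UDP-sized


def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])


def spf_record(domain):
    """The domain's v=spf1 TXT record, or None if it publishes none."""
    return next((t for t in lookup(domain, "TXT") if t.startswith("v=spf1")), None)


def parse_terms(record):
    """Yield (qualifier, name, argument) for every term after 'v=spf1'."""
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if "=" in term:                        # modifier, e.g. redirect=
            name, arg = term.split("=", 1)
        else:                                  # mechanism, e.g. include:x
            name, _, arg = term.partition(":")
        yield qual, name.lower(), arg


def count_record_lookups(record, chain=()):
    total = 0
    for _, name, arg in parse_terms(record):
        total += name in LOOKUP_TERMS
        if name in ("include", "redirect"):    # nested records count too
            total += count_lookups(arg, chain)
    return total


def count_lookups(domain, chain=()):
    """Count lookups recursively, as a verifier evaluating the record would."""
    if domain in chain:
        raise ValueError("include loop: " + " -> ".join(chain + (domain,)))
    record = spf_record(domain)
    return 0 if record is None else count_record_lookups(record, chain + (domain,))


def collect_networks(domain, chain=()):
    """Resolve every lookup behind a record into literal IP networks."""
    if domain in chain:
        raise ValueError("include loop: " + " -> ".join(chain + (domain,)))
    record, nets = spf_record(domain), []
    for qual, name, arg in parse_terms(record or "v=spf1"):
        if qual == "-":                        # negated entries are not allow-list members
            continue
        target, _, cidr = arg.partition("/")
        suffix = "/" + cidr if cidr else ""
        if name in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif name in ("include", "redirect"):
            nets += collect_networks(arg, chain + (domain,))
        elif name == "a":
            nets += [ipaddress.ip_network(ip + suffix, strict=False) for ip in lookup(target or domain, "A")]
        elif name == "mx":
            nets += [ipaddress.ip_network(ip + suffix, strict=False)
                     for host in lookup(target or domain, "MX") for ip in lookup(host, "A")]
        # ptr/exists carry no static address set; a flattener cannot keep them
    return nets


def flatten(domain):
    """One lookup-free record covering the same senders as the original."""
    nets = collect_networks(domain)
    collapsed = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    collapsed += list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    terms = [f"ip{n.version}:{n.network_address if n.prefixlen == n.max_prefixlen else n.with_prefixlen}"
             for n in collapsed]
    # keep the top-level record's own 'all' qualifier; an include's 'all' is irrelevant
    tail = next((q + "all" for q, name, _ in parse_terms(spf_record(domain)) if name == "all"), "-all")
    return " ".join(["v=spf1", *terms, tail])


def record_size_ok(record):
    """Flattened records grow; check the result still fits a plain UDP answer."""
    return len(record.encode()) <= MAX_RECORD_OCTETS


if __name__ == "__main__":
    print(f"example.com uses {count_lookups('example.com')} of {MAX_LOOKUPS} lookups")
    flat = flatten("example.com")
    print("flattened:", flat)
    print("lookups after flattening:", count_record_lookups(flat), "| size ok:", record_size_ok(flat))
```

Two things the flattened output makes visible: the nested vendor include alone costs three of the ten lookups, and the flattened record is a snapshot of whatever the vendors' records resolved to at that moment, which is why the flattening services in this thread re-resolve and republish automatically. A flattened record also grows with every vendor; a single TXT string is limited to 255 octets, so longer records must be published as several quoted strings, and the size check above guards the overall UDP-friendly length.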
uninspired@reddit
SPF flattening is the technical solution if you actually need it. The reality is they almost always can/should be using subdomains.
ReputationNo8889@reddit
Or be like us. Have 80+ SPF entries no one knows what they are being used for.
awnawkareninah@reddit
Yeah, autospf is what we use and it's cheap and easy.
11CRT@reddit
We looked at Mimecast, and to upgrade to it wasn’t cost effective.
We started looking into SPF flattening when we kept getting a naughty checkbox on our security review because we had 12 includes in our SPF record. In the end management didn’t think it was worth $4k (I think our quote was closer to $5500), just for having two records over the security report.
redyellowblue5031@reddit
DKIM wherever possible, SPF as a backup ideally with its own subdomain.
povlhp@reddit
Subdomain only. Nothing is allowed to hurt main domain.
They can use reply-to to a real address.
Most of what you mention sounds like enterprise apps we would never approve.
freddieleeman@reddit
Don't use SPF flattening, use subdomains or SPF macros: https://www.uriports.com/blog/spf-macros-max-10-dns-lookups/
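The macro approach recommended here replaces one include: per vendor with a single exists: term whose name is built from the sending IP, so the policy costs one DNS lookup however many senders it covers. The following is an added example, not code from the linked article: it expands the common RFC 7208 macro letters and evaluates a constructed policy against a constructed zone in which every authorised IP has its own A record under _spf.example.com, named by the reversed IP (%{ir}). Names, IPs and the zone are assumptions for the demo.

```python
"""SPF macros: one exists: term instead of one include: per sender.

Added example.  The zone is constructed: each authorised sender IP gets an
A record under _spf.example.com named by the reversed IP, so the published
policy is a single exists: term and costs one lookup regardless of sender count.
"""
import ipaddress
import re

# Constructed zone: any A record at the expanded name means "this IP may send".
AUTHORISED = {
    "10.113.0.203._spf.example.com": "127.0.0.2",   # 203.0.113.10 reversed
    "77.2.0.192._spf.example.com": "127.0.0.2",     # 192.0.2.77 reversed
}
POLICY = "v=spf1 exists:%{ir}._spf.example.com -all"
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MACRO = re.compile(r"%\{([a-zA-Z])(\d*)(r?)\}")


def macro_expand(text, ip, domain, sender):
    """Expand the common RFC 7208 section 7 macro letters.

    i = sender IP (dotted nibbles for IPv6), d = domain, s = sender,
    l = local-part, o = sender domain, v = 'in-addr' or 'ip6'.
    Digits keep that many right-hand labels; 'r' reverses label order.
    Uppercase letters (URL-escaping) are treated like lowercase here.
    """
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.partition("@")
    ip_labels = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    letters = {"i": ip_labels, "d": domain, "s": sender, "l": local,
               "o": sender_domain, "v": "in-addr" if addr.version == 4 else "ip6"}

    def expand(m):
        letter, digits, reverse = m.groups()
        labels = letters[letter.lower()].split(".")
        if reverse:
            labels.reverse()
        if digits:
            labels = labels[-int(digits):]
        return ".".join(labels)

    return MACRO.sub(expand, text).replace("%%", "%").replace("%_", " ").replace("%-", "%20")


def check_host(ip, domain, sender, record=POLICY):
    """Minimal check_host() for exists:/all terms; returns the SPF result."""
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "exists":
            # Exactly one DNS query per message, regardless of sender count.
            if macro_expand(arg, ip, domain, sender) in AUTHORISED:
                return RESULT[qual]
        elif name == "all":
            return RESULT[qual]
    return "neutral"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.77", "198.51.100.9"):
        name = macro_expand("%{ir}._spf.example.com", ip, "example.com", "alice@example.com")
        print(ip, "->", name, "->", check_host(ip, "example.com", "alice@example.com"))
```

The trade-off is operational rather than protocol-level: the per-IP A records have to be generated from the vendors' published ranges and kept current, so this works best when the zone is produced by tooling rather than edited by hand.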
fdeyso@reddit
Subdomains, they’re not allowed to send as main domain.
w0rkrb@reddit
I use autospf
Had the exact same problem so went digging and found this service which kinda flattens all the records, probably not a great explanation but can't think of a better way to put it.
Anyway basically from what I remember from the set-up you put in your domain and it discovers the existing SPF records then imports them and spits out an include for your SPF
UpsetBar@reddit
I used autospf as well at my last job. Dude was great. I’m pretty sure it’s one guy in his bedroom but always replied when I had an issue. The only issue I ever had was with their SSO. The SPF flattening worked great.
southafricanamerican@reddit
Hey……I have a home office :)
Not exactly one guy…. Last count was 22 staff members providing 24x7 support and development for dmarcreport.com AutoSPF.com and a bunch of other products.
Sorry you had SSO issues; we use workos.com to try to make it as smooth as possible. Lmk what went wrong.
southafricanamerican@reddit
Agree on AutoSPF it’s a great automated solution.
Xidium426@reddit
When did I time travel back to 2010?
RNG_HatesMe@reddit (OP)
I know it's been around a while, but it seems to have reached critical mass. I had maybe 1 request for an SPF record last year. I've had 10 or so this year so far!
Xidium426@reddit
Have you guys had an SPF for a while? I thought you were just now enabling it for the first time.
RNG_HatesMe@reddit (OP)
No, we've had our DMARC set up for a while. It's just that this year every 3rd party service that we work with wants to set up SPF records now.
Public_Fucking_Media@reddit
Allow me to suggest something different - stop adding so many fucking approved email senders in the first place, it's just more spam you have to manage
RNG_HatesMe@reddit (OP)
Not always an option. The latest request is for managing a web application for a state agency.
awnawkareninah@reddit
Most seem to just need DKIM, I just add a key to DNS for it.
For SPF we use autospf anyway.
Fratm@reddit
This is how we handle it too. 1 Company wanted to have us add them to our already full SPF, but we forced them to do dkim. :)
realdlc@reddit
PowerDmarc.
Lethalspartan76@reddit
SPF flattening? Is that an option or no? how we feel
RNG_HatesMe@reddit (OP)
I just want to say thank you for all the excellent responses. I'm not a mail admin, so DMARC/SPF/DKIM is new to me and I've been trying to figure out why suddenly I've gotten like 10 requests to add SPF/DKIM records after basically getting 1 request in all of 2024.
This really helps me grasp the options and the issues, thank you!
netboy34@reddit
We force subdomains. If it is that important to send as the main domain, it has to be approved by the CIO and president. (Yes it got that bad) even still we had to use valimail to offload the SPF and dkim settings for the services that don’t do explicitly check for their entries.
eraser1320@reddit
IronScales has excellent SPF flattening, and a full hosted DMARC with all the analytics you could want.
BadSausageFactory@reddit
Dmarcly and record flattening
Accomplished_Fly729@reddit
Use subdomains, SPF only has a limit for DNS lookups, IP addresses are unlimited.
Top-Computer-6663@reddit
We use dmarcly to make one spf record out of many
Vodor1@reddit
I route everything through an SMTP service like mailchimp/mandrill, then I don't need a billion SPF or DKIM records.
tankerkiller125real@reddit
Subdomains, with the exception of an email API service we use ourselves for very specific services.
Simmery@reddit
DKIM, DMARC, subdomains, and sometimes saying no. We aren't relying much on SPF for anything new.