
443 points miles | 4 comments
velcrovan ◴[] No.40710875[source]
I manage IT at a mid-size business. At least once a month, I get asked to release some incoming email from quarantine that got sent there because the sender's SPF record is wrong or outdated and doesn't include all the email services they actually use. (What this really tells me is how many small businesses are out there running with no in-house IT expertise or support of any kind.)

I don't do whitelisting. Instead, I always reach out and offer to help the other party correct their SPF record.

It happens often enough that I wrote a script in Racket that will generate the email for me and paste it into the clipboard [1]. The email tells them exactly what they need to change, and links to docs from their current email provider (so they don't have to trust me about edits to their DNS).

[1]: https://gist.github.com/otherjoel/6b8bf02f6db6e0c47ba6bca72e...

replies(13): >>40710906 #>>40711407 #>>40711533 #>>40712450 #>>40712783 #>>40713178 #>>40714393 #>>40714418 #>>40715408 #>>40715983 #>>40716281 #>>40716467 #>>40716996 #
1. EnigmaFlare ◴[] No.40713178[source]
I was on the receiving end of an automated version of this. However, when I looked into it, it seemed the problem (SPF record required more than 10 DNS lookups) was fairly common. I don't seem to have any other deliverability problems and my email and DNS are managed by some big hosting company so I assume it's not a real problem and didn't fix it.
replies(1): >>40713477 #
2. brightball ◴[] No.40713477[source]
It’s a real problem. The solution is just to isolate each service on its own subdomain. The only thing that should be listed in your top level SPF record is the corporate email for the domain.
replies(1): >>40722628 #
3. EnigmaFlare ◴[] No.40722628[source]
The trouble is, it's full of stuff I don't understand because I'm not managing it, such as: include:_spf.qualtrics.com include:_spf.salesforce.com include:sparkpostmail.com include:spf.mailjet.com include:spf.protection.outlook.com include:_spf.myorderbox.com include:eig.spf.a.cloudfilter.net include:spf.websitewelcome.com
replies(1): >>40766927 #
4. brightball ◴[] No.40766927{3}[source]
Yep, each one of those should be isolated to their own subdomain rather than being in the top level SPF record. Should have 8 total SPF records including the top level.

Easiest thing to do is to start by moving just 1 include to its own subdomain.
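
The 10-lookup limit discussed in this thread, as an added example that is not part of any comment: a Python sketch that counts the DNS-querying terms (RFC 7208, section 4.6.4) reachable from an SPF record, first with every include in the top-level record and then with one subdomain per service. The include list is the one quoted above; `example.com`, the `svcN` subdomains, the choice of corporate provider and all vendor record contents are constructed assumptions, not the vendors' real records.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: going over is a permerror

# Include list quoted in the thread (top-level record of the domain).
TOP_INCLUDES = [
    "_spf.qualtrics.com", "_spf.salesforce.com", "sparkpostmail.com",
    "spf.mailjet.com", "spf.protection.outlook.com", "_spf.myorderbox.com",
    "eig.spf.a.cloudfilter.net", "spf.websitewelcome.com",
]
CORPORATE = "spf.protection.outlook.com"  # assumption: the corporate mailbox provider

# Terms that trigger a DNS query: include, a, mx, ptr, exists, redirect.
TERM = re.compile(r"^(include|exists|ptr|mx|a)(?::([^/]+))?(?:/.*)?$|^(redirect)=(.+)$")

def build_zone(split):
    """Constructed TXT data; vendor records are stand-ins, not the real ones."""
    zone = {}
    for i, name in enumerate(TOP_INCLUDES):
        # Assumption: every second vendor chains to one further include.
        nested = f"include:n{i}.vendor.example " if i % 2 == 0 else ""
        zone[name] = f"v=spf1 {nested}ip4:192.0.2.{i} -all"
        zone[f"n{i}.vendor.example"] = "v=spf1 ip4:198.51.100.0/24 -all"
        if split and name != CORPORATE:  # one sending subdomain per service
            zone[f"svc{i}.example.com"] = f"v=spf1 include:{name} -all"
    top = [CORPORATE] if split else TOP_INCLUDES
    zone["example.com"] = "v=spf1 " + " ".join(f"include:{n}" for n in top) + " ~all"
    return zone

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms an SPF check of `domain` would evaluate."""
    if domain in path:  # include loop: stop recursing
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:
        m = TERM.match(term.lstrip("+-~?").lower())
        if not m:
            continue  # ip4, ip6, all and unknown modifiers cost no query
        total += 1
        if (m.group(1) or m.group(3)) in ("include", "redirect"):
            total += count_lookups(m.group(2) or m.group(4), zone, path + (domain,))
    return total

if __name__ == "__main__":
    for split in (False, True):
        zone = build_zone(split)
        for d in sorted(k for k in zone if k.endswith("example.com")):
            n = count_lookups(d, zone)
            print(f"split={split} {d}: {n} lookups", "PERMERROR" if n > LOOKUP_LIMIT else "ok")
```

Nested includes count toward the same budget, which is why eight top-level includes can exceed the limit even though eight is below ten.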