i think we covered this briefly during one of the earlier SOLVE when we discussed DMARC. how ha...



i think we covered this briefly during one of the earlier SOLVE when we discussed DMARC. how have you guys dealt with getting around SPF lookup limits? is dynamic SPF offering (like that of ondmarc) the way to go? or can you use CNAME and TXT and manage your own?




47 replies


I’d love them to. 


Could they also use the same servers/service from their freshdesk product?




And additionally they could move all their products to their own mail server (and away from sendgrid) to have them use the same IPs across the range.




wedontknowhowtospf.freshservice.com?




Okay soo...here is one additional lookup to get rid of
Instead of emailus.freshservice.com you may be able to use
Please tell me this is a joke?



The most important tip must be to deploy SPF, and not Sender ID; if you do that you’ll practically never have any issues with 10 MAX Lookups. On top of that, deploying Sender ID is not relevant in regard to DMARC.
SPF is about the return-path domain, or bounce address, not the visible From: address.
 


We're switching newsletters to @22d.email




The 10 limit is quite the hassle. That subdomain idea is a good one - but gotta convince the marketing team to not rely on that OR convince other teams that are using the domain to use a subdomain




I wish a past company I worked at open sourced the SPF tool they made called 'spify' where we could just drop the domain name in the repo and it would look up all the IPs on a regular basis and put them in the SPF record. I'm not sure if there is a tool out there that helps determine the latest IPs for your SPF record.




The other option is to use a subdomain (freshservice.mydomainname.com) because it will have its own SPF record and allow 10 lookups. It avoids manually putting in IP ranges that can potentially change and is still valid, but recipients may be leery of it because it's not the normal @mydomainname.com.




So the 10 limit applies to DNS lookups; you can have an unlimited number of specified IPs. It doesn't always result in a bounced email, it's dependent on what system is being used to authenticate, but you will see error flags raised when testing the record




supposedly. but hasn't been an issue for me. as far as spf specification goes, it's limited to 10, but i think recipient mail servers can handle more. does come up occasionally for some customers who may be using legacy email systems




If I put in 10 IPs am I at the limit?




I *just* dealt with this and ended up replacing the include statements with specific IPs. I selected those that had the least IPs but yeah, that 10 limit is a hassle




ha jokes on me.. freshdesk also has same issue. worse at 7!




interesting conversation this morning over on macadmins.

how do you deal with vendors that include too many include statements in SPF lookup? for those that use google workspace (4), and fresh service (6!), this already puts you at a limit of 10. seems like a poor record management on freshservice's part.


Open Thread in Slack
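The arithmetic discussed in the thread above (only DNS-querying terms count toward the limit of 10, `ip4`/`ip6` terms are free, and replacing an `include` with IPs lowers the count), as an added example that is not part of any post. All domains and ranges are constructed; the two made-up vendors cost 4 and 6 lookups, like the counts quoted above.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: exceeding it is a permerror
# Constructed TXT records standing in for DNS; every name and range is made up.
ZONE = {
    "corp.example": "v=spf1 include:_spf.mailhost.example include:helpdesk.example include:news.example ip4:198.51.100.7 ~all",
    "_spf.mailhost.example": "v=spf1 include:_n1.mailhost.example include:_n2.mailhost.example a:mx.mailhost.example ~all",
    "_n1.mailhost.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "_n2.mailhost.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "helpdesk.example": "v=spf1 include:r1.helpdesk.example include:r2.helpdesk.example a:out1.helpdesk.example a:out2.helpdesk.example mx ~all",
    "r1.helpdesk.example": "v=spf1 ip4:203.0.113.0/28 ~all",
    "r2.helpdesk.example": "v=spf1 ip4:203.0.113.16/28 ~all",
    "news.example": "v=spf1 ip4:203.0.113.128/25 ip4:198.51.100.128/25 -all",
}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def terms(domain, zone):
    """(mechanism, target, raw_term) for each term of a domain's SPF record."""
    record = zone.get(domain, "").lower()
    if not record.startswith("v=spf1"):
        return []
    return [(*TERM.match(raw).groups(), raw) for raw in record.split()[1:]]

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms a receiver evaluates for domain."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for name, target, _ in terms(domain, zone):
        if name in ("include", "redirect"):         # one query, plus whatever it pulls in
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):  # ip4, ip6 and all cost nothing
            total += 1
    return total

def ip_terms(domain, zone):
    """All ip4/ip6 terms reachable from domain through include."""
    found = []
    for name, target, raw in terms(domain, zone):
        if name in ("ip4", "ip6"):
            found.append(raw)
        elif name == "include":
            found += ip_terms(target, zone)
    return found

def flatten(domain, include, zone):
    """Copy of zone with include:<include> in domain's record replaced by its IP terms."""
    flat = " ".join(ip_terms(include, zone))
    return {**zone, domain: zone[domain].replace(f"include:{include}", flat)}
```

`count_lookups("corp.example", ZONE)` is 11, one over the limit; after `flatten("corp.example", "news.example", ZONE)` it is 10. Flattening is only sound when the included tree is pure `ip4`/`ip6`, and the copied ranges go stale if the vendor changes them.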

@steve mentioned parsedmarc before. i have deployed it as well, but i haven't been monitoring actively
https://seanthegeek.net/459/demystifying-dmarc/


Are there any open source tools for this? My last company had built an internal tool called 'Spify' to handle this and was so easy but they never open sourced it


They have an SPF Record Flattener at https://dmarcian.com/spf-survey/ available after you do a lookup. I've used them and it worked.


does dmarcian offer SPF flattening as well? i think they may be able to get away with manual flattening for now to get rid of a few of the include:


I don’t disagree about the price, but when I looked at doing it myself I decided the risk of getting it wrong was greater than the budget hit


Valimail is ridiculously expensive and I think only needed if you are a huge complicated corporation. I would have a look at https://dmarcian.com/ as it provides all the information/tools you need to manage DMARC yourself.


didn't agari partner with microsoft? seems like proofpoint is popular here with the big banks in canada


From what I have heard Agari has even higher minimums/cost than Valimail does


wonder what the sample was and the associated timeframe. but i should move on
