DNS Tech Support Training Courses DNSSEC Consulting DNS Analysis System Audit Customer Portal
The DNS Institute
Documentation Implementations Research DNS History Free DNS Tools

SPF Record Problems (2022-05)

In addition to our dangling SPF targets research, we also analyzed SPF records for around 21 types of problems. This article is a summary of this research from a sample of 50,000 popular domains and domains owned by Fortune 500 companies with miscellaneous problem examples. After following SPF includes and redirects we analyzed 55551 TXT records that appeared to be SPF records (from 70798 domains). The software detected over 3600 problems. Around 4.2% of these domains with SPF records had SPF problems. (A small sample with explanations is shared below.)

SPF records, as defined in RFC 7208 for the Sender Policy Framework for authorizing use of domains in emails, provide a simple way for administrators to define the networks or specific hosts that are allowed to send emails using their domain(s). (We also have tests for the deprecated RFC 4408 SPF records, RRTYPE #99, but we didn't check for them for all these domains in this research and are not included in this summary.)

Receiving email servers can use the SPF rules found in DNS TXT records to consider the policies. There are multiple software implementations for SPF parsing and policy decisions. How receiving mail servers honor the SPF depends on what and how they are used. Many mail servers don't even use SPF.

1233 — SPF record must be a single record

The SPF policy data is provided in a TXT record. By RFC requirements, only one TXT record should contain the SPF policies. A software implementation could fail altogether for that domain, use both (or all), or use none, for example.

scribd.com.             3600    IN      TXT     "v=spf1
include:_spf.google.com include:servers.mcsv.net include:mail.zendesk.com
include:mailgun.org include:spf.tipalti.com include:m.lessonly.com

scribd.com.             3600    IN      TXT     "v=spf2.0/mfrom
v=spf1 include:_spf.google.com include:servers.mcsv.net
include:mail.zendesk.com include:mailgun.org include:spf.tipalti.com
include:m.lessonly.com ~all"

(Well, that second one isn't even SPF but still has "v=spf1" intent in it; and the obsolete Sender ID also shouldn't begin with "v=".)

huffingtonpost.com.     86400   IN      TXT     "v=spf1
include:_ipspf.yahoo.com -all"

huffingtonpost.com.     86400   IN      TXT     "v=spf1 mx
include:_spf.createsend.com include:aspmx.sailthru.com
include:_spf.google.com include:amazonses.com ip4:
ip4: ip4: ip4:
ip4: ip4: ~all"

810 — it is recommended to not use ptr mechanism

The "ptr" mechanism is used for checking IP address mapping back to a domain name, aka reverse DNS. For over 15 years, this feature was recommended as not as reliable as other checks and for over 8 years, it was documented that it should not be used.

baidu.com.              7199    IN      TXT     "v=spf1
include:spf1.baidu.com include:spf2.baidu.com include:spf3.baidu.com
include:spf4.baidu.com a mx ptr -all"

463 — Unknown modifier

The SPF rules are made up of various keys delimited from their values with colons (mechanisms) or equal signs (modifiers). In all cases, the unknown modifier keys were caused by configuration mistakes or typos, such as missing or adding a space or merging another TXT record content into a single TXT record.

tencent.com.            7200    IN      TXT     "v=spf1
include:spf.mail.tencent.com include:spf.mail.qq.com -all
(A non-SPF key=value is included in this SPF.)

gamespot.com.           86400   IN      TXT
v=spf1 mx ip4: ip4: ip4:
ip4: ip4: ip4:
ip4: include:sendgrid.net  -allv=spf1 mx
include:spf.protection.outlook.com ~all"

gamespot.com.           86400   IN      TXT
(Data is merged breaking both of these, likely non SPF for this domain.)

459 — Unknown mechanism

The unknown mechanisms are almost all caused by adding a space before rule values or by having rule values without the corresponding key. Many are also caused by other garbage included in a the SPF. A common problem is a pasted-in value that accidently chopped a key or rrdata separating it with a space.

autohome.com.cn.        600     IN      TXT     "v=spf1 mx
ip4: ip 4: ip4: ip4:
ip:  include:  autohome.com.cn -all"
(Oops, used "ip" instead of "ip4".)

cmu.edu.                3599    IN      TXT     "[NRDR
31504_IN_TXT_v=spf1.include:_spf.cmu.edu.~all jxEj2x9CC1Gu8ePZldY84w]"

cmu.edu.                3599    IN      TXT     "v=spf1
include:_spf.cmu.edu ~al l"
(Well this one is not technically broken, but our SPF checker did see that first record is junk.)

305 — SPF record must begin with v=spf1 followed by space or only contain v=spf1

Per the requirements, SPF records are defined a specific way. We found many other TXT records that were likely meant to be SPF policy rules, but are probably not used by any receiving mail server.

jeep.com.               3600    IN      TXT     "v=spf1 ip4:"

jeep.com.               3600    IN      TXT
(Again, not technically a failure because the second record is garbage.)

dpreview.com.           300     IN      TXT     "spf2.0/pra
include:amazon.com -all" "v=spf1 include:amazon.com -all"
(Probably not what they intended — two records merged to a single non-SPF record.)

aa.org.                 3600    IN      TXT     "\"v=spf1
include:spf.protection.outlook.com ip4: ip4:
ip4: ip4: ip4: include:md02.com
include:app.aventri.com -all\""
(Oops, put quotes around the entire SPF record; what will the various SPF parsers do?)

93 — escaped quotes are not allowed

SPF data is entered into DNS using various methods. It appears some DNS entry software allows or does extra quoting which is not covered by the RFC specification.

inquirer.net.           300     IN      TXT
(Multiple TXT records merged to a single record plus some escaped quotes also seen in it.)

bumppy.com.             300     IN      TXT     "v=spf1 include:zcsend.net
(Trailing quote.)

debate.com.mx.          60      IN      TXT     "debate.com.mx.
IN TXT \"v=spf1 mx a ip4: -all\""
(Oops, a master zone format TXT record got embedded into a TXT record.)

(See previous example too.)

73 — The value is not an IP address

Some mechanisms define an IPv4 or IPv6 address or network, but the operator or server-side software entered a non-IP value there.

zaobao.com.             60      IN      TXT
"sqtj6sq8im6ja91h0m0gpp85m1" "v=spf1 include: ip4:10/8 ip4:192.168/16
ip4:172.16/12 ip4: ip4: ip4:
ip4: ~all"
(While technically not a problem because junk at start of rrdata made it not an SPF record, the problem was with the 10/8, 192.168/16, and 172.16/12 networks as the RFC defines the IPv4 network starting with a dot-delimited IP address.)

natlawreview.com.       300     IN      TXT     "v=spf1
ip4:outbounds9.obsmtp.com ~all"
(This domain also has multiple SPF TXT records failure so maybe this bogus ip4 value won't be even seen. The normal way to get an IP from a domain name is to use the "a" mechanism.)

47 — missing IP address

Like above, an IP address is missing where the SPF record specifically has a mechanism key for it. If there is an IP address outside of the mechanism key, then that IP would be detected as an unknown mechanism too.

mockplus.cn.            600     IN      TXT     "v=spf1 a mx
ip4: -all"
(Literal space between the "ip4:" mechanism and its value.)

myblog.de.              28800   IN      TXT     "v=spf1 mx
a:mail.myblog.de ip4:
ip6: 2a02:c207:3004:1232:0000:0000:0000:00011b:eff:fecd:c739 -all "
(Again, but for "ip6:" mechanism.)

41 — The value is not a domain name

Other mechanisms or modifiers use a domain name as the value (which may be looked up), but the operator or server-side software entered a non-domain name there.

alphacoders.com.        300     IN      TXT     "v=spf1
include:u3333260.wl011.sendgrid.net include: -all
include:icloud.com ~all"
(The "include" mechanism needs a domain name to recurse to its TXT SPF record.)

32 — missing domain name value

Again, like the previous, a domain name is missing where the SPF record specifically has a modifier or mechanism indicating it.

bouncex.net.            300     IN      TXT     "v=spf1
include: _spf.google.com ~all"
(Literal space after the "include:" mechanism.)

29 — CIDR should be a number

In the cases, where a IP address appears to define a IP network, the CIDR number is missing.

zdnet.com.              300     IN      TXT     "v=spf1 mx
ip4: ip4: ip4:
ip4: ip4: ip4:
ip4: ip4:
include:spf-00262c01.pphosted.com include:spf.protection.outlook.com
(The "include" mechanism got merged into a /23 CIDR.)

statnews.com.           300     IN      TXT     "v=spf1 a mx
include:spf-00504401.pphosted.com ip4:
ip4:\013\010ip4: ip4:
ip4:\013\010ip4: ip4:
ip4:\013\010include:_spf.google.com ?all"
(ASCII carriage return and newline got encoded into the rrdata, merged with the CIDRs.)

blr.com.                300     IN      TXT     "v=spf1
include:amazonses.com include:mailgun.org include:_netblocks.mimecast.com
include:us-spf.email.litmos.com ip4: ip4:
ip4: ip4: ip4:
ip4:; ip4:; ip4:
(Semicolons aren't separators in SPF.)

25 — This is not a valid domain name

Some domain names look like garbage or are not a domain name.

inner-active.mobi.      3600    IN      TXT     "v=spf1 mx mx:a
include:secureserver.net  ip4: -all"
(Unsure what the "a" was meant for the domain name; maybe meant to have an "a" mechanism.)

votesmart.org.          1       IN      TXT     "v=spf1
a:secure.votesmart.org a:app0.votesmart.org ip4:
include:v=spf1 include:_spf.google.com ~all include:v=spf1
include:sendgrid.net ~all ~all"
("v=spf1" used as a domain name twice!)

14 — Use colon : not equal = for mechanism

SPF mechanisms delimit key from value using a colon.

discord.io.             300     IN      TXT     "v=spf1 ip4=
include:discord.io -all"
("ip4" mechanism has wrong delimiter.)

10 — The domain name does not appear to have a valid TLD

Again, the domain name is not a domain name.

eversource.com.         3600    IN      TXT     "v=spf1 mx
include:_spf.kubra.com include:spf.mandrillapp.com
include:u248959.wl210.sendgrid.net include:spf-0018e401.pphosted.com
include:spf.protection.outlook.com include:mktomail.com
include:mail.zendesk.com\" \" ip4: ip4:
ip4: ip4: ip4: ip4:
ip4: ip4: ip4: -all"
(Simply caused by an escape quote; what will the receiving SPF implementation do?)

feed-xml.com.           300     IN      TXT     ""v=spf1 redirect=_spf.mailhostbox.com""
(Something attempted to enter errant quotes, those got converted to HTML Entities and the checker saw that garbage with a few different checks.)

2 — Use equal = not colon : for modifier

SPF modifiers delimit key from value using an equal sign.

truxgo.net.             38400   IN      TXT     "v=spf1
+ip4: +redirect:_spf.mailhostbox.com"
("redirect" modifier has wrong delimiter.)

1 — Qualifiers are not used with modifiers

Qualifiers (like [-+~?]) are only used with SPF mechanisms.

truxgo.net.             38400   IN      TXT     "v=spf1
+ip4: +redirect:_spf.mailhostbox.com"
("redirect" modifier doesn't use a "+" qualifier.)

So over a couple thousand identified SPF problems detected out of around 55 thousand domains. Our other SPF study found many other security problems related to these same SPF records including around 80 bad DNS names used for policy decisions.

DNS Institute's DNS auditing service checks for over 125 requirements or best practices, including for DNSSEC, EDNS, and IPv6, as defined by DNS vendors, IETF/RFCs, governments, and DNS registries.

Contact Us | About | Site Map |  Gab |  Twitter