SPF Record Length
SPF (Sender Policy Framework) is a DNS-based technology that lets a domain owner publish the limited set of IP addresses from which mail for that domain may be sent. The domain that SPF authenticates is not the "header From" domain shown in most email clients: SPF checks the envelope sender domain, also called the MailFrom domain (RFC 5321), which usually appears in the "Return-Path:" header of a delivered message. SPF is specified in RFC 7208 (https://tools.ietf.org/html/rfc7208), which obsoletes RFC 4408. See also: http://www.openspf.org/.
An SPF record is published as a DNS (Domain Name System) TXT record, and the DNS specification limits a single text string in such a record to 255 characters. Some environments are too complicated to fit into one 255-character string. You can still publish an SPF record longer than 255 characters, because the same specifications allow a TXT record to carry multiple strings. See RFC 7208 section 3.3 (formerly RFC 4408 section 3.1.3) for the technical details.
Specifically, quoting RFC 4408 section 3.1.3 (RFC 7208 section 3.3 keeps the same rule but drops the SPF RR type: RFC 7208 requires SPF records to be published as TXT records only):
As defined in [RFC 1035] sections 3.3.14 and 3.3, a single text DNS record (either TXT or SPF RR types) can be composed of more than one string. If a published record contains multiple strings, then the record MUST be treated as if those strings are concatenated together without adding spaces. For example:
IN TXT "v=spf1 .... first" "second string..."
MUST be treated as equivalent to
IN TXT "v=spf1 .... firstsecond string..."
If you attempt to create a TXT (or SPF) record containing a single string longer than 255 characters, BIND, the DNS software, will reject it with an error such as "Invalid rdata format: ran out of space." Splitting the string at a mechanism boundary, with the separating space kept inside one of the strings, avoids the error without changing the policy.
Additional Notes
- Any DNS response larger than 512 bytes is undesirable. 512 bytes is the maximum size of a DNS message carried over UDP without EDNS0 (RFC 1035 section 2.3.4); it is a DNS protocol limit, not the size of a UDP packet. When the answer does not fit, the server truncates it and sets the TC bit, and the resolver retries over TCP, which costs an extra round trip and fails wherever port 53/TCP is blocked. The vast majority of resolvers now advertise a larger UDP payload with EDNS0 (RFC 6891), but not all of them do, so it is best to keep the whole response, not just the record, within 512 bytes. RFC 7208 section 3.4 makes the same recommendation and suggests staying below 450 octets to leave room for the rest of the response.
- The RDATA itself, which consists of the length octet and payload of every string in the record, may not exceed 65535 bytes in total, because RDLENGTH is a 16-bit field. That 64K limit applies to DNS records of all types, not just TXT, and in practice the 512-byte consideration above matters long before it is reached.
Examples
Here is an example of a single SPF record split into two text strings. The first string is 252 characters and the second 247, so each fits within the 255-character limit. The second string begins with a space: because the strings are concatenated without any separator, the space must be inside one of them, or the last mechanism of the first string and the first mechanism of the second would run together into one invalid token. The combined policy is 499 characters, so a minimal response carrying it (header, question and one answer record) is already about 540 bytes, which is the truncation situation described in the notes above.
IN TXT "v=spf1 ip4:156.77.0.0/16 ip4:63.88.61.0/24 ip4:216.30.177.0/24 ip4:74.86.131.74 ip4:63.76.9.0/24 ip4:63.251.90.0/24 ip4:69.25.31.0/24 ip4:216.74.162.0/24 ip4:216.197.69.0/24 ip4:66.35.231.0/24 ip4:204.3.170.225/32 ip4:64.94.179.244/30 ip4:64.94.179.217" " ip4:212.118.254.242/31 ip4:208.86.144.242 ip4:204.90.130.118 ip4:204.90.130.121 ip4:192.33.34.0/24 ip4:205.211.178.40/30 ip4:149.235.225.40/30 ip4:67.231.144.228 ip4:67.231.152.222 ip4:216.119.217.33 ip4:216.119.209.33 include:thirdparty.net -all"
Here is an example of the same policy published as separate records for parts of your traffic, each a single string (239, 248 and 88 characters), pulled together by the record on mydomain.com with include: mechanisms. This layout is useful when your domain does not already use many DNS lookups: every include: (like a, mx, ptr, exists and redirect) counts against the limit of 10 DNS-querying terms per SPF evaluation in RFC 7208 section 4.6.4, and so do the lookups inside the included records, so this version costs two more lookups than the multi-string record above. Note also that include:thirdparty.net delegates to a record you do not control: whatever hosts that third party lists, now or later, may send mail as mydomain.com.
_spf1.mydomain.com. IN TXT "v=spf1 ip4:156.77.0.0/16 ip4:63.88.61.0/24 ip4:216.30.177.0/24 ip4:74.86.131.74 ip4:63.76.9.0/24 ip4:63.251.90.0/24 ip4:69.25.31.0/24 ip4:216.74.162.0/24 ip4:216.197.69.0/24 ip4:66.35.231.0/24 ip4:204.3.170.225/32 ip4:64.94.179.244/30 -all"
_spf2.mydomain.com. IN TXT "v=spf1 ip4:64.94.179.217 ip4:212.118.254.242/31 ip4:208.86.144.242 ip4:204.90.130.118 ip4:204.90.130.121 ip4:192.33.34.0/24 ip4:205.211.178.40/30 ip4:149.235.225.40/30 ip4:67.231.144.228 ip4:67.231.152.222 ip4:216.119.217.33 ip4:216.119.209.33 -all"
mydomain.com. IN TXT "v=spf1 include:_spf1.mydomain.com include:_spf2.mydomain.com include:thirdparty.net -all"
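To check a policy against the limits discussed on this page before publishing it, here is a small Python script. It is an added example, not code from the original article or from any SPF or DNS implementation. It splits a policy into strings of at most 255 characters at mechanism boundaries, keeping the separating space at the start of each following string; joins multiple strings back by plain concatenation as RFC 7208 section 3.3 requires; and computes the TXT RDATA size and a lower bound on the DNS response size. The sample input is the 24-mechanism policy used in the examples above. The response-size figure assumes a single answer record with a compressed owner name and no EDNS OPT, authority or additional records, so real responses are at least that large.

```python
"""Split, join and size-check SPF TXT records against the DNS limits above."""

MAX_STRING = 255   # RFC 1035 <character-string>: length octet + at most 255 octets
UDP_LIMIT = 512    # DNS message limit over UDP without EDNS0 (RFC 1035 section 2.3.4)
MAX_RDATA = 65535  # RDLENGTH is a 16-bit field

# The 24-mechanism policy used in the examples on this page, as a list of terms.
EXAMPLE_TERMS = [
    "v=spf1",
    "ip4:156.77.0.0/16", "ip4:63.88.61.0/24", "ip4:216.30.177.0/24",
    "ip4:74.86.131.74", "ip4:63.76.9.0/24", "ip4:63.251.90.0/24",
    "ip4:69.25.31.0/24", "ip4:216.74.162.0/24", "ip4:216.197.69.0/24",
    "ip4:66.35.231.0/24", "ip4:204.3.170.225/32", "ip4:64.94.179.244/30",
    "ip4:64.94.179.217", "ip4:212.118.254.242/31", "ip4:208.86.144.242",
    "ip4:204.90.130.118", "ip4:204.90.130.121", "ip4:192.33.34.0/24",
    "ip4:205.211.178.40/30", "ip4:149.235.225.40/30", "ip4:67.231.144.228",
    "ip4:67.231.152.222", "ip4:216.119.217.33", "ip4:216.119.209.33",
    "include:thirdparty.net", "-all",
]
EXAMPLE_POLICY = " ".join(EXAMPLE_TERMS)


def split_spf(policy, limit=MAX_STRING):
    """Split a policy into strings of at most `limit` characters, breaking only
    between terms. Every string after the first starts with the separating
    space, because the receiver concatenates strings without adding any."""
    terms = policy.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("an SPF record must start with v=spf1")
    strings, current = [], terms[0]
    for term in terms[1:]:
        if 1 + len(term) > limit:
            raise ValueError("term does not fit in one string: " + term)
        if len(current) + 1 + len(term) <= limit:
            current += " " + term
        else:
            strings.append(current)
            current = " " + term
    strings.append(current)
    return strings


def join_spf(strings):
    """Reassemble a multi-string record as RFC 7208 section 3.3 requires:
    straight concatenation, no spaces inserted between strings.
    SPF records are US-ASCII, so character count equals octet count."""
    for s in strings:
        if len(s.encode("ascii")) > MAX_STRING:
            raise ValueError("string longer than %d octets" % MAX_STRING)
    return "".join(strings)


def rdata_length(strings):
    """Wire size of the TXT RDATA: one length octet per string plus its octets."""
    total = sum(1 + len(s.encode("ascii")) for s in strings)
    if total > MAX_RDATA:
        raise ValueError("RDATA exceeds %d octets" % MAX_RDATA)
    return total


def min_response_size(owner, strings):
    """Lower bound on the DNS response carrying this one TXT record: 12-octet
    header, the question (length-prefixed labels, root label, QTYPE, QCLASS),
    and one answer RR whose name is a 2-octet compression pointer, followed by
    TYPE, CLASS, TTL and RDLENGTH. Authority/additional records and an EDNS
    OPT record would only add to this figure."""
    labels = [label for label in owner.rstrip(".").split(".") if label]
    qname = sum(1 + len(label) for label in labels) + 1
    question = qname + 2 + 2
    answer_fixed = 2 + 2 + 2 + 4 + 2
    return 12 + question + answer_fixed + rdata_length(strings)


def fits_udp(owner, strings):
    """True if even a minimal response would fit in a 512-octet UDP message."""
    return min_response_size(owner, strings) <= UDP_LIMIT


def zone_line(owner, strings):
    """Render the record as a zone-file TXT line, one quoted string per DNS string."""
    quoted = " ".join('"%s"' % s.replace("\\", "\\\\").replace('"', '\\"')
                      for s in strings)
    return "%s IN TXT %s" % (owner, quoted)


if __name__ == "__main__":
    parts = split_spf(EXAMPLE_POLICY)
    print(zone_line("mydomain.com.", parts))
    print("string lengths:", [len(p) for p in parts])
    print("RDATA octets:", rdata_length(parts))
    print("minimal response octets:", min_response_size("mydomain.com", parts),
          "fits in UDP/512:", fits_udp("mydomain.com", parts))
    assert join_spf(parts) == EXAMPLE_POLICY
```

Running it on the page's policy reproduces the 252/247 split shown above and reports a 543-octet minimal response, which is why that record depends on EDNS0 or TCP fallback. Feeding it your own policy tells you whether splitting alone is enough or whether, as in the three-record layout, you need to move mechanisms into separate records.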