SPF IP addresses limit question


SPF IP addresses limit question

Mohamed Lrhazi
Hello all,

Sorry for a non-postfix specific question.

I am running into an issue with a big SPF record I had been maintaining. I went ahead and broke it up using the include: mechanism, but am still trying to figure out the limit I hit.

For testing purposes, I send emails from this [hidden email] to gmail, yahoo.com, and outlook.com

The SPF record for that domain is made up of 255 ip4 addresses, the last of which is my true client IP. Please check it out with dig.

gmail and yahoo fail the SPF test. outlook passes.

Using [hidden email], gmail also passes. The SPF for this domain has 101 addresses.

Using [hidden email], yahoo also passes.

So I am concluding these vendors have these limits for the number of IPs in a single SPF record... would that be a correct conclusion? Does anyone know if this is documented by these vendors?

I opened a case with Google and so far they have been insisting there is no such limit!

Thank you so much.
Mohamed.



Re: SPF IP addresses limit question

Scott Kitterman-4
On Sunday, February 23, 2020 2:53:28 PM EST Mohamed Lrhazi wrote:

> Hello all,
>
> Sorry for a non-postfix specific question.
>
> I am running into an issue with a big SPF record I had been maintaining. I
> went ahead and broke it up using the include: mechanism, but am still trying
> to figure out the limit I hit.
>
> For testing purposes, I send emails from this [hidden email]
> to gmail, yahoo.com, and outlook.com
>
> The SPF record for that domain is made up of 255 ip4 addresses, the last of
> which is my true client IP. Please check it out with dig.
>
> gmail and yahoo fail the SPF test. outlook passes.
>
> Using [hidden email], gmail also passes. The SPF for this
> domain has 101 addresses.
>
> Using [hidden email], yahoo also passes.
>
> So I am concluding these vendors have these limits for the number of IPs in a
> single SPF record... would that be a correct conclusion? Does anyone know if this
> is documented by these vendors?
>
> I opened a case with Google and so far they have been insisting there is no
> such limit!

There is no hard limit.  See RFC 7208 Section 3.4.

Scott K



Re: SPF IP addresses limit question

Benny Pedersen-2
In reply to this post by Mohamed Lrhazi
Mohamed Lrhazi skrev den 2020-02-23 20:53:

> Using [hidden email], gmail also passes. The SPF for
> this domain has 101 addresses.

https://dmarcian.com/spf-survey/?domain=spf.255.cuaemail.org

see Record flattening

Re: SPF IP addresses limit question

Benny Pedersen-2
In reply to this post by Scott Kitterman-4
Scott Kitterman skrev den 2020-02-23 21:03:

> There is no hard limit.  See RFC 7208 Section 3.4.

sadly :(

even ip4:0.0.0.0/0 is valid

could pypolicyd-spf break the RFC so only domains under 255 ipv4 are valid
results? imho it's insane that unlimited is supported

Re: SPF IP addresses limit question

Scott Kitterman-4
On Sunday, February 23, 2020 3:26:07 PM EST Benny Pedersen wrote:
> Scott Kitterman skrev den 2020-02-23 21:03:
> > There is no hard limit.  See RFC 7208 Section 3.4.
>
> sadly :(
>
> even ip4:0.0.0.0/0 is valid
>
> could pypolicyd-spf break the RFC so only domains under 255 ipv4 are valid
> results? imho it's insane that unlimited is supported

It is what it is, so no.  People ignore Section 3.4 at their own peril
(although EDNS0 is better supported, so it's possibly too strict for 2020).  I
think it's a self-limiting problem.

Also, pypolicyd-spf was renamed spf-engine when I added a milter interface
option for it, so please switch to that.  No more updates to the old
pypolicyd-spf code.

Scott K



Re: SPF IP addresses limit question

Mohamed Lrhazi
In reply to this post by Benny Pedersen-2


On Sun, Feb 23, 2020 at 3:23 PM Benny
Record flattening is the process of replacing include, and other lookup-generating mechanisms, with their resulting IP addresses.
My question is how many IPs can one put in a single SPF record?

It appears the RFC does not touch on this, so I guess it’s left to the implementors to decide, and from my limited tests it seems to vary a lot. 

Thanks a lot. 
Mohamed. 


Re: SPF IP addresses limit question

Scott Kitterman-4
On Sunday, February 23, 2020 6:44:34 PM EST Mohamed Lrhazi wrote:

> On Sun, Feb 23, 2020 at 3:23 PM Benny
>
> > https://dmarcian.com/spf-survey/?domain=spf.255.cuaemail.org
> >
> > see Record flattening
>
> record flattening is the process of replacing include, and other lookup
> generating mechanisms, with their resulting ip addresses.
> My question is how many IPs can one put in a single spf record?
>
> It appears the RFC does not touch on this, so I guess it’s left to the
> implementors to decide, and from my limited tests it seems to vary a lot.

The limits are a function of DNS, not SPF, which is why RFC 7208 Section 3.4
was written.

Scott K



Re: [External] Re: SPF IP addresses limit question

Kevin A. McGrail
On 2/23/2020 7:08 PM, Scott Kitterman wrote:
> The limits are a function of DNS, not SPF, which is why RFC 7208 Section 3.4
> was written.

I would add that there is also a somewhat arbitrary limit that was picked that
doesn't match the real world.  See
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7182 for why we
raised from 10 to 15 to 20 lookups on the Apache SpamAssassin project.

Regards,

KAM


Re: SPF IP addresses limit question

Viktor Dukhovni
In reply to this post by Mohamed Lrhazi
On Sun, Feb 23, 2020 at 06:44:34PM -0500, Mohamed Lrhazi wrote:

> record flattening is the process of replacing include, and other lookup
> generating mechanisms, with their resulting ip addresses.
> My question is how many IPs can one put in a single spf record?
>
> It appears the RFC does not touch on this, so I guess it’s left to the
> implementors to decide, and from my limited tests it seems to vary a lot.

The most recent BCP recommendation for UDP DNS buffer size selection is
1232 bytes.  Therefore your TXT record along with any other DNS overhead
(including any DNSSEC signatures if your domain is signed) should fit
into at most 1232 bytes.  You can test with:

    dig +norecur +dnssec +novc -t txt example.com @ns1.example.com

(where ns1.example.com is replaced by a suitable authoritative
server for the domain), and see how big the response is.

Some resolvers may limit DNS responses further, and responses of 512
bytes or less are sure to be sufficiently small.

FWIW, google seems to have comparatively small SPF text records, and
even advertises 512 bytes as the EDNS buffer size, but google.com is
unsigned, so the small UDP limit becomes more practical.

    $ dig +norecur +dnssec +novc -t txt _netblocks.google.com @ns1.google.com
    ...
    _netblocks.google.com.  3600    IN      TXT     "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
    ...
    ;; MSG SIZE  rcvd: 286

    $ dig +norecur +dnssec +novc -t txt _netblocks2.google.com @ns1.google.com
    ...
    _netblocks2.google.com. 3600    IN      TXT     "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
    ...
    ;; MSG SIZE  rcvd: 218

--
    Viktor.

Re: SPF IP addresses limit question

Mohamed Lrhazi
Thanks all,

My question still was: Suppose I comply with all the recommendations and best practices in composing my SPF records... Do I still need to worry about the number of IP addresses (v4/v6/CIDRs) that I put in each record?

I guess if I could really stick with sub-512-byte records, I could not put more than 20ish ip4 mechanisms and even less if including ip6 ones. And using includes I could not have more than 10 of such records.


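To make the size arithmetic behind Viktor's dig test and Mohamed's "20ish ip4 mechanisms" estimate concrete, here is an added example (not code from the thread or from any of its posters): it estimates the UDP response size for an SPF TXT record and counts the lookup-generating terms that RFC 7208 caps at 10. It assumes a minimal unsigned answer (12-byte header, question, one TXT RR with a compressed owner name, optional 11-byte EDNS OPT record) and a zone that splits the TXT data into maximal 255-byte strings; the 255-address record is constructed from the RFC 5737 test range.

```python
import re

# Terms that cost a DNS query under RFC 7208 Section 4.6.4 (limit: 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
UDP_CLASSIC = 512    # UDP payload limit without EDNS0
UDP_EDNS_BCP = 1232  # EDNS buffer size recommended by the 2020 DNS flag day
MAX_LOOKUPS = 10

def spf_terms(record):
    """Split the record into terms, dropping the leading version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]

def lookup_count(record):
    """Count terms that need a DNS query; a leading qualifier (+ - ~ ?) is ignored."""
    names = (re.match(r"[+\-~?]?([a-z]+)", t.lower()) for t in spf_terms(record))
    return sum(1 for m in names if m and m.group(1) in LOOKUP_TERMS)

def txt_rdata_len(record):
    """TXT RDATA: <=255-byte strings, each with a 1-byte length prefix (assumes maximal chunks)."""
    data = record.encode()
    return len(data) + max(1, (len(data) + 254) // 255)

def wire_name_len(name):
    """Domain name in wire format: length-prefixed labels plus the root octet."""
    labels = [l for l in name.strip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1

def response_size(qname, record, edns=True):
    """Bytes of a minimal unsigned answer with one TXT RR (what dig reports as MSG SIZE)."""
    header, question = 12, wire_name_len(qname) + 4  # question = name + QTYPE + QCLASS
    rr_fixed = 2 + 2 + 2 + 4 + 2                      # name pointer, TYPE, CLASS, TTL, RDLENGTH
    opt = 11 if edns else 0                           # OPT RR: root name + TYPE/CLASS/TTL/RDLENGTH
    return header + question + rr_fixed + txt_rdata_len(record) + opt

def audit(qname, record):
    """Summarise whether the record fits the UDP budgets and the lookup limit."""
    size, lookups = response_size(qname, record), lookup_count(record)
    return {"bytes": size, "fits_512": size <= UDP_CLASSIC,
            "fits_1232": size <= UDP_EDNS_BCP,
            "lookups": lookups, "lookups_ok": lookups <= MAX_LOOKUPS}

# Constructed: a "flattened" record of 255 ip4 terms, like the one tested in the thread.
FLATTENED = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(255)) + " ~all"
```

Applied to the two Google records quoted above, the estimate reproduces dig's 286 and 218 bytes exactly, while the constructed 255-address record lands well above 1232 bytes; a signed zone adds RRSIGs on top, so treat the number as a floor and dig's MSG SIZE as the ground truth.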

Re: SPF IP addresses limit question

Scott Kitterman-4


On February 24, 2020 4:30:37 AM UTC, Mohamed Lrhazi <[hidden email]> wrote:

>Thanks all,
>
> My question still was: Suppose I comply with all the recommendations
> and
> best practices in composing my SPF records... Do I still need to worry
> about the number of IP addresses (v4/v6/CIDRs) that I put in each
> record?
>
> I guess if I could really stick with sub-512-byte records, I could not
> put
> more than 20ish ip4 mechanisms and even less if including ip6 ones. And
> using includes I could not have more than 10 of such records.

I think if Google can manage to describe their outgoing mail architecture within those limits, most everyone else can too.  In the cases I've investigated where providers weren't, it's always been a matter of poor record maintenance, not inherent limits being a problem.

That said, the spf-discuss mailing list is probably a better place to argue details of SPF protocol design.

Scott K

Re: [External] Re: SPF IP addresses limit question

Kevin A. McGrail
In reply to this post by Mohamed Lrhazi
On 2/23/2020 11:30 PM, Mohamed Lrhazi wrote:
>
> My question still was: Suppose I comply with all the
> recommendations and best practices in composing my SPF records... Do I
> still need to worry about the number of IP addresses (v4/v6/CIDRs)
> that I put in each record?

Yes. In the anti-spam world, we analyze SPF records for indicators that
they are overly broad and non-specific as an indicator of a lack of
postmaster hygiene.  And if your SPF is poorly done and others can spoof
your domain by having adjacent IPs, that's bad too!  Make your SPF
record as accurate and minimal as you can for the best results.

Regards,

KAM