Alert "Having multiple SPF records is invalid. Review duplicates." is incorrect

In our domain, agileresponse.com, we’re alerted by the DNS UI that our SPF records are invalid, because:

Having multiple SPF records is invalid. Review duplicates.

But this is incorrect. We have two SPF records, but they are for different resource names, one for the domain apex, and one for a specific name, [email protected]. As these are two different resource names, they are not duplicated.

Mike.

2 Likes

Also in the apex domain? An SPF record applies to the entire hostname (the part after the @).

Well, an SPF record will by receivers be checked given the SMTP FROM in an email. This is different from the BODY FROM (what email clients show). It is this way to allow senders to partition or segment their senders, having f.ex. marketing on one subdomain (still the same BODY FROM, so receivers will see the sender they should), and other departments or functions elsewhere.

We use this in agileresponse.com to segment out our AWS emailer like this:

agileresponse.com TXT "v=spf1 ..."
awsses-mail.agileresponse.com TXT "v=spf1 ..."

And then emails sent from our mail system (Office 365) are sent like this:

SMTP From: [email protected]
BODY From: [email protected]

And from our mail gateway (for services):

SMTP From: [email protected]
BODY From: [email protected]

So I disagree with your statement:

An SPF record applies to the entire hostname (the part after the @).

… as to my knowledge, SPF checks are done for exactly the hostname the email comes from (SMTP FROM), and therefore the two records we have are not duplicates.

In my opinion, this alert should be changed to only alert if there are duplicate SPF records for the same domain name.

This should alert:

a.b.com TXT "v=spf1 ...."
a.b.com TXT "v=spf1 ...."

This should not (this is what we have today):

a.b.com TXT "v=spf1 ...."
b.com TXT "v=spf1 ...."
1 Like
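The two cases above (same owner name versus apex plus subdomain), and the earlier point that receivers look up the domain of the SMTP MAIL FROM rather than the header From, are both illustrated by the following added example. It is not Cloudflare's alert logic nor anything from the poster; it models the record-selection rule of RFC 7208 section 4.5 over a constructed list of (owner name, TXT value) pairs, and the sample records, addresses and names in it are made up for the demonstration.

```python
"""Added example (not Cloudflare's or the poster's code): an owner-name-aware
duplicate-SPF check, plus the RFC 7208 section 4.5 record selection that
shows why records on different owner names never collide."""
from collections import defaultdict


def is_spf_record(txt: str) -> bool:
    """RFC 7208 section 4.5: only a TXT record whose first token is exactly
    "v=spf1" (terminated by a space or end of string) is an SPF record;
    "v=spf10" is not. The ABNF string literal is case-insensitive."""
    return txt.split(" ", 1)[0].lower() == "v=spf1"


def normalize_owner(name: str) -> str:
    """Owner names are case-insensitive; drop a trailing dot so that
    'B.COM.' and 'b.com' compare equal."""
    return name.rstrip(".").lower()


def spf_records_by_owner(records):
    """Group a zone's v=spf1 records by normalized owner name.
    records: iterable of (owner_name, txt_value) pairs."""
    grouped = defaultdict(list)
    for owner, txt in records:
        if is_spf_record(txt):
            grouped[normalize_owner(owner)].append(txt)
    return grouped


def find_duplicate_spf(records):
    """Return {owner: [records]} only for owners carrying more than one SPF
    record. This is the alert condition the post proposes: same owner name,
    not merely the same zone."""
    return {o: r for o, r in spf_records_by_owner(records).items() if len(r) > 1}


def select_spf_record(records, smtp_mail_from: str):
    """Model check_host() record selection (RFC 7208 section 4.5): the domain
    queried is the part after '@' in the SMTP MAIL FROM, not the header From.
    Exactly one record -> return it; none -> None; more than one -> permerror.
    There is no fallback to a parent domain: a subdomain without its own
    record simply has no SPF policy."""
    domain = normalize_owner(smtp_mail_from.rsplit("@", 1)[-1])
    found = spf_records_by_owner(records).get(domain, [])
    if len(found) > 1:
        raise ValueError(f"permerror: {len(found)} SPF records at {domain}")
    return found[0] if found else None


# Constructed sample zones mirroring the two cases in the post; 192.0.2.0/24
# and example.net are documentation ranges/names, not real senders.
SHOULD_ALERT = [
    ("a.b.com", "v=spf1 include:_spf.example.net -all"),
    ("a.b.com", "v=spf1 ip4:192.0.2.10 -all"),
]
SHOULD_NOT_ALERT = [
    ("a.b.com", "v=spf1 include:_spf.example.net -all"),
    ("b.com", "v=spf1 ip4:192.0.2.10 -all"),
    ("b.com", "some-site-verification=token"),  # unrelated TXT, ignored
    ("b.com", "v=spf10 -all"),                   # not an SPF record
]

if __name__ == "__main__":
    print(find_duplicate_spf(SHOULD_ALERT))       # {'a.b.com': [two records]}
    print(find_duplicate_spf(SHOULD_NOT_ALERT))   # {}
    print(select_spf_record(SHOULD_NOT_ALERT, "bounce@a.b.com"))
    print(select_spf_record(SHOULD_NOT_ALERT, "noreply@b.com"))
```

Running it flags only the first zone, where two `v=spf1` records sit at the same owner `a.b.com`; the apex-plus-subdomain zone produces no finding, and a MAIL FROM at `a.b.com` resolves to the subdomain's own record without ever touching the apex record, which is the behaviour the thread describes.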

This is perfectly ok. Are you saying you’re getting an alert for this? I’m able to add it to a domain that already has a TXT record for the apex domain’s SPF.

This is correct as per RFC 7208

Each SPF record is placed in the DNS tree at the owner name it pertains to, not in a subdomain under the owner name.

I see the same alert:

Clicking the Review button brings up:

Is @hannes the right person to flag?

2 Likes

Yes. I am seeing the alert.

The two records

The alert (which disappears when I search for records, so it had to be two pictures).

1 Like

Agreed. That alert is not accurate since it’s not taking unique hostnames into consideration.

I’m going to escalate this to Support and hopefully they can fix that alert in case Michael’s tag to Hannes doesn’t go through.

3 Likes