Excessive A records causing SPF limit to exceed

Our SPF policy is exceeding the 10 record limit. There is only one actual include in the policy, but it starts with ‘v=spf1 a mx’ prior to the include.

We currently only have 1 MX record, but have 9 A records. Reducing the number of A records is the only way we’re going to get under the 10 record limit. These have been set up piecemeal over time by different admins and I’m just not certain how many of these are really necessary. As I understand it, ‘mail’, ‘webdisk’ and ‘webmail’ are default records.

Here are the relevant portions of the record screen:

Any advice on optimizing this set of records?

May I ask where you are getting this warning or error message from? :thinking:

Nevertheless, is your zone active at Cloudflare and using the correct assigned Cloudflare nameservers for your Cloudflare account?

@fritex Thanks for replying.

The error message is shown at the top of the Cloudflare Records page as soon as I try to add an additional include to the SPF property:

The zone is active at Cloudflare, and has several CNAME records that are all working as intended (if that’s what you mean?). I am happy to supply a full list of the obfuscated CNAME records if that’s helpful.

All of this is an effort to support the new email authentication rules that Google is putting in place next month. We have several services that send emails on our behalf and are trying to get them all included in the SPF rules.

It’s not a ten record limit. It’s a ten query limit.

Run your domain through the dmarcian SPF Surveyor to get a better understanding of what that means.


The a in an SPF record doesn’t mean “all the A records in the zone”, it means the A record for the root domain (which you haven’t shown in the screenshot). The only reason you would need it in your SPF record is if that IP address is sending email for your domain. If you’re using the Cloudflare proxy/CDN, this will never be the case.

The only reason you need mx in your SPF record is if your MX server, which is incoming email, is also sending email for your domain. Your MX record is pointing to Google, so I don’t think this is the case either.

If you’re using an outside email service (that is, not running on your own server) then you only need whatever entries your email provider specifies. You can, almost certainly, remove the a mx ptr from that SPF record completely.

If you’re running your own mail server, replace that with the specific IP addresses of that mail server (it may have an IPv4 address and an IPv6 address, and you need both).

If you are using Google to send email then you need to add their include to your SPF along with the other service.


@epic.network @i40west

Thank you very much for clarifying the query vs record limit and which a records are actually being used. Also for the surveyor tool! Using it, I see there are only 4 queries really happening.

@i40west I appreciate your insight and advice. That all makes good sense. FYI here is the full record:

I’m just now getting eyes on this to address some email authentication issues. This has been added onto for years by different admins, but unused records haven’t been cleared out. There’s an old host in here (Bluehost vs current WPEngine), an old email syndication service (Mailchimp vs current ActiveCampaign). A cautionary tale for bad admin hygiene :face_with_peeking_eye: though I’m sure many have seen worse.


Okay, you do not need a mx ptr in your SPF record.

You have a mail hostname with smtp aliased to it, so it looks like you are sending email through your own server. If that’s still the case, you need that 35.237.x.x address in there.

Replace a mx ptr with ip4:35.237.x.x. Then, you have one “include” entry for an outside provider, which you should keep (unless you’re not using that provider anymore). And, any other outside provider should have its own “include” clause added according to their instructions. In particular, if you use Google to send email for your domain you must include their information.

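The two points made above, that the limit is ten DNS queries rather than ten records (each `a`, `mx`, `ptr`, `exists`, `include` and `redirect=` term costs one, and an include's own lookup terms are charged to the top-level record) and that replacing `a mx ptr` with a literal `ip4:` frees those queries, can be checked with a small counter. This is an added example written for this thread, not Cloudflare's, dmarcian's or any provider's code. The provider hostnames under `.invalid`, their SPF records and the address `203.0.113.10` (standing in for the obfuscated 35.237.x.x) are all constructed so the script runs offline; a real checker would fetch the `include:` targets from DNS.

```python
"""Count the DNS lookups an SPF record triggers (RFC 7208, section 4.6.4).

Added example for this thread, not Cloudflare's or dmarcian's code. Real
checkers resolve include:/redirect= targets over DNS; here they come from a
constructed in-memory table so the script runs offline.
"""

SPF_LOOKUP_LIMIT = 10

# Terms that each cost one DNS query against the limit. ip4, ip6 and all cost
# nothing, which is why replacing "a mx ptr" with ip4: frees three queries.
# (ptr is additionally deprecated by RFC 7208 and should not be published.)
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

# Constructed SPF records for hypothetical third-party senders (.invalid TLD).
FAKE_DNS = {
    "_spf.provider-one.invalid":
        "v=spf1 ip4:198.51.100.0/24 include:_netblocks.provider-one.invalid ~all",
    "_netblocks.provider-one.invalid":
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "_spf.provider-two.invalid":
        "v=spf1 ip6:2001:db8:2::/48 -all",
}


def parse_terms(record):
    """Split an SPF record into (qualifier, name, value) tuples.

    'a:mail.example.com/24' -> ('+', 'a', 'mail.example.com/24')
    '~all'                  -> ('~', 'all', '')
    'redirect=spf.example'  -> ('+', 'redirect', 'spf.example')
    """
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for tok in tokens[1:]:
        qualifier = "+"
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        if "=" in tok:                          # modifier (redirect=, exp=)
            name, _, value = tok.partition("=")
        else:                                   # mechanism (a, mx, include:, ip4:, ...)
            name, _, value = tok.partition(":")
            name = name.split("/")[0]           # 'mx/24' -> 'mx'
        terms.append((qualifier, name.lower(), value))
    return terms


def count_lookups(record, resolve=FAKE_DNS.get, _depth=0):
    """Return the number of DNS queries evaluating `record` costs.

    include: and redirect= are followed recursively, and every lookup term in the
    referenced record is charged to the top-level record, which is how a single
    include can consume several of the ten permitted queries.
    """
    if _depth > SPF_LOOKUP_LIMIT:
        raise RecursionError("include/redirect chain deeper than the lookup limit")
    total = 0
    for _qualifier, name, value in parse_terms(record):
        if name not in LOOKUP_TERMS:
            continue
        total += 1                              # the term itself costs one query
        if name in ("include", "redirect"):
            target = resolve(value)
            if target is None:                  # a permerror in real evaluation
                raise LookupError("no SPF record for %s" % value)
            total += count_lookups(target, resolve, _depth + 1)
    return total


def within_limit(record, resolve=FAKE_DNS.get):
    """True when the record stays within RFC 7208's ten-query limit."""
    return count_lookups(record, resolve) <= SPF_LOOKUP_LIMIT


# Constructed stand-in for the thread's record: 'a mx ptr' ahead of the one include.
BEFORE = "v=spf1 a mx ptr include:_spf.provider-one.invalid ~all"

# The fix proposed in the thread: name the mail server's address literally and add
# the other provider's include. 203.0.113.10 is a documentation address standing in
# for the obfuscated 35.237.x.x; the provider hostnames are constructed.
AFTER = ("v=spf1 ip4:203.0.113.10 include:_spf.provider-one.invalid "
         "include:_spf.provider-two.invalid ~all")

if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("after", AFTER)):
        n = count_lookups(rec)
        print("%-6s %2d/%d lookups  %s" % (label, n, SPF_LOOKUP_LIMIT, rec))
```

With the constructed table, the "before" record costs 5 queries (three for `a mx ptr`, two for the include chain) and the "after" record costs 3 even though it names one more provider, which is the trade the advice above describes: every `ip4:`/`ip6:` term is free, and each `include:` costs at least one query plus whatever the provider's own record spends.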

@i40west Thank you very much! I appreciate your help.
