Why would SPF TXT record not propagate completely through DNS

What is the name of the domain?

inside.nss.org

What is the error number?

N/A

What is the error message?

N/A

What is the issue you’re encountering?

Only SPF TXT record is not propagating to all DNS services

What steps have you taken to resolve the issue?

Recreate TXT record. Wait. Check propagation.

What feature, service or problem is this related to?

DNS records

What are the steps to reproduce the issue?

Delete record, recreate. Limited propagation.

The caching behaviour of third party DNS resolvers can be unpredictable. The default negative TTL with Cloudflare is 30 minutes, but I would not rely on that. DNS always needs patience.

Is this the expected value?

% dig +short txt inside.nss.org
"v=spf1 include:amazonses.com ~all"

It looks like it has propagated:


Yes, I can dig the record all day but it does not completely propagate. I tried to upload this image before but it wouldn’t take. Your link also shows at least two US DNS services did not update this days-old record. https://dnschecker.org shows more gaps.

It had complete propagation when I checked, but I suspect the results are biased by the observer.

A CNAME cannot coexist with any other record types (except for certain DNSSEC record types). RFC 2181 - Clarifications to the DNS Specification

You will need to create the TXT record at nss.site-ym.com


Thank you for the reference. I was assured by some “knowledgeable sources” that we could split the config with SPF for email and CNAME for the web. Grrr.

Since the inside.nss.org is CNAME’d, it’s not possible to create a subdomain of the subdomain, is it? As in mailer.inside.nss.org?

What’s stopping you from creating records with the label mailer.inside.nss.org? You won’t be able to set an MX record at inside.nss.org or delegate a child zone to external nameservers, but nothing should prevent you from creating the label mailer.inside.nss.org inside the current zone.

What’s stopping me is this:

I don’t really understand what’s happening, since our TXT SPF record does seem to coexist (although not reliably) with the CNAME record for inside.nss.org. So can a subdomain also coexist with the CNAME for the parent subdomain?

For context: inside.nss.org redirects to a membership management platform, which also sends mail for the organization through AmazonSES. I configured inside.nss.org as the custom mail-from (envelope from) domain. All this works fine but about 25% of mail fails SPF because of either TempError or ‘no SPF record found.’ This seems to be a result of the SPF record not propagating to some DNS resolvers. Based on the above replies I surmise this is caused by the CNAME record? But why it propagates at all, let alone unreliably, I don’t understand.

My immediate question is: would I be better off configuring the mail-from to be mailer.inside.nss.org or mailer.nss.org?

You are doing something that you are not meant to do, so getting unpredictable results is expected.

DNS propagation is probably a poor phrase (which is of course universally used). The global DNS is not an eventually consistent multi-node database with updates being sent out towards every DNS recursive server on the Internet. The propagation is pull based, and some servers will cache for varying amounts of time, so updates can take some time to become visible as cached records expire.

(Wild guess that makes some sense here.) Recursive servers do not know what records might exist on an authoritative server until they ask for them. If a recursive server has no cached values, and asks for a TXT record, it might get a TXT response. But if it asked for a CNAME first, then it knows that subsequent requests for TXT records at that label should follow the CNAME, and will not go back to the authority for records.

You have several options that I can think of.

  1. Enable Cloudflare Proxy on inside.nss.org, which will hide the CNAME from public view.
  2. Flatten All CNAMES. Can have unintended consequences, especially if you rely on CNAME records being used for external service verification.
  3. Use separate mail-from and website addresses.
  4. Create the TXT record at nss.site-ym.com
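The "wild guess" in the reply above (a resolver that has already cached the CNAME will chase it instead of returning the co-located TXT) can be modelled in a few lines. This is an added, simplified simulation of a caching recursive resolver, not code from the thread or from Cloudflare; the zone data is constructed from the names in the thread, the A address is a TEST-NET placeholder, and real resolvers differ in detail.

```python
# Simplified model of a caching recursive resolver, built to show why a TXT record
# that shares a label with a CNAME (disallowed by RFC 2181) is visible from some
# resolvers but not others: the answer depends on which record was cached first.
from typing import Dict, List, Tuple

Zone = Dict[Tuple[str, str], List[str]]  # (owner name, rrtype) -> rdata list

# Constructed authoritative data: CNAME and TXT illegally coexisting at one label.
AUTHORITATIVE: Zone = {
    ("inside.nss.org", "CNAME"): ["nss.site-ym.com"],
    ("inside.nss.org", "TXT"): ['"v=spf1 include:amazonses.com ~all"'],
    ("nss.site-ym.com", "A"): ["192.0.2.10"],  # TEST-NET placeholder address
}


class Resolver:
    """Recursive resolver whose answers depend on what it already has cached."""

    def __init__(self, auth: Zone) -> None:
        self.auth = auth
        self.cache: Zone = {}

    def _fetch(self, name: str, rtype: str) -> List[str]:
        # Ask the authority; cache any positive answer.
        rrs = self.auth.get((name, rtype), [])
        if rrs:
            self.cache[(name, rtype)] = rrs
        return rrs

    def query(self, name: str, rtype: str) -> List[str]:
        # A cached CNAME covers the whole label: follow it rather than re-asking.
        if rtype != "CNAME" and (name, "CNAME") in self.cache:
            return self.query(self.cache[(name, "CNAME")][0], rtype)
        if (name, rtype) in self.cache:
            return self.cache[(name, rtype)]
        rrs = self._fetch(name, rtype)
        if rrs or rtype == "CNAME":
            return rrs
        # No direct answer: look for a CNAME at this label and chase it.
        cname = self._fetch(name, "CNAME")
        return self.query(cname[0], rtype) if cname else []


def spf_seen_after(prior_queries: List[str]) -> List[str]:
    """TXT answer for inside.nss.org after a fresh resolver served the given queries."""
    r = Resolver(AUTHORITATIVE)
    for rtype in prior_queries:
        r.query("inside.nss.org", rtype)
    return r.query("inside.nss.org", "TXT")
```

A resolver whose first question was the TXT (an SPF check) returns the record; one that first resolved the website (A or CNAME) follows the CNAME and reports no SPF record, which matches the partial "propagation" seen in the thread.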

You should go with [email.inside].nss.org as the RFC5351 From, this way you can use relaxed SPF and DKIM alignment for your DMARC record and your email 5322.from can be @ inside.nss.org or @nss.org. If you go with mailer.nss.org then you can only mail from @nss.org and @mailer.nss.org with relaxed identifiers. Really depends on your intentions.

Either way, after you configure, test them both with an eMail Tester

Thank you for the detailed response. I’m now testing relying on CF’s proxy of inside.nss.org but will eventually move to a different mail-from/RFC5351 as soon as I coordinate that with others on our team.

Thanks to you and everyone else here for nudging me in the right direction. Thanks @Topcoder for the campaigncleaner tip too!
