How long can my SPF record be?

When creating an SPF record you are limited to a 255-byte string. DNS stores TXT (and SPF) data as one or more <character-string>s, each at most 255 octets (RFC 1035 section 3.3), so if you attempt to create an SPF or TXT record with a longer single string (>255 bytes), BIND refuses to load it with an error such as "Invalid rdata format: ran out of space". Some environments are too complicated to fit into 255 bytes, and you end up needing a longer record. Luckily, RFC 4408 (section 3.1.3; RFC 7208, which obsoletes it, keeps the same rule in section 3.3 and also retires the separate SPF record type, so publish TXT) states that a TXT or SPF record is allowed to contain multiple strings, which must be concatenated by the application reading it. Here is the text from the RFC:

Multiple Strings in a Single DNS record



As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
record (either TXT or SPF RR types) can be composed of more than one
string. If a published record contains multiple strings, then the
record MUST be treated as if those strings are concatenated together
without adding spaces. For example:

IN TXT "v=spf1 .... first" "second string..."

MUST be treated as equivalent to

IN TXT "v=spf1 .... firstsecond string..."

SPF or TXT records containing multiple strings are useful in
constructing records that would exceed the 255-byte maximum length of
a string within a single TXT or SPF RR record.


Additional Info:

You may have multiple "strings" in a single TXT record. Each "string"
may be up to 255 characters in length, with a "length byte" indicating
the size of the "string"'s payload. I don't believe there is any
arbitrary limitation on the number of "string"s in a TXT record, but the
RDATA itself may not exceed 65535 bytes in total, which is comprised of
both the length-bytes and payloads of all "string"s contained therein.
That 64K limit is a general restriction on DNS records of all types, not
specific to TXT records.

Note that any DNS response which exceeds 512 bytes is slightly
undesirable, since in the absence of EDNS0 (which the vast majority of
-- but not all -- implementations honor these days), responses which
exceed 512 bytes will signal truncation and prompt a retry via TCP. It's
optimal to stay within 512 bytes if possible.

To recap: the limit for a single TXT string is 255 bytes;

the limit for a classic DNS/UDP message (without EDNS0) is 512 bytes;

the limit for the total RDATA of a TXT record (all length bytes plus all strings) is 65535 bytes.

Here is a good explanation of how to optimize an SPF record (they use the term "compress", which is not right IMHO!): http://www.gossamer-threads.com/lists/spf/discuss/3340

Here is the same SPF record split into two strings. Note the leading space at the start of the second string: the verifier concatenates the strings with nothing in between, so without it "ip4:64.94.179.217" and "ip4:212.118.254.242/31" would merge into one unparseable term and the whole record would fail with a PermError. Also count before you publish: every string must be at or below 255 bytes, so split at a term boundary where each piece fits. The first string below is 252 bytes and the second is 247.

"v=spf1 ip4:156.77.0.0/16 ip4:63.88.61.0/24 ip4:216.30.177.0/24 ip4:74.86.131.74 ip4:63.76.9.0/24 ip4:63.251.90.0/24 ip4:69.25.31.0/24 ip4:216.74.162.0/24 ip4:216.197.69.0/24 ip4:66.35.231.0/24 ip4:204.3.170.225/32 ip4:64.94.179.244/30 ip4:64.94.179.217"
" ip4:212.118.254.242/31 ip4:208.86.144.242 ip4:204.90.130.118 ip4:204.90.130.121 ip4:192.33.34.0/24 ip4:205.211.178.40/30 ip4:149.235.225.40/30 ip4:67.231.144.228 ip4:67.231.152.222 ip4:216.119.217.33 ip4:216.119.209.33 include:thirdparty.net -all"
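As an added example (not code from the original article or from any DNS tool), the following Python script splits the record above at term boundaries so that every string stays at or below 255 bytes, joins the strings back the way a verifier does, flags a lost leading space, and estimates the size of the plain UDP answer. FULL_RECORD is the article's record assembled as one string; the function names, the BIND-style quoting in zone_line(), and the single-RR, compressed-owner-name layout assumed by udp_response_size() are choices made here.

```python
"""Split an over-long SPF record into the multi-string TXT form of RFC 4408/7208.

Added example, not code from the original article.  FULL_RECORD is the article's
record assembled as one string; the function names, the BIND-style quoting and
the single-RR response layout assumed below are choices made here.
"""

MAX_STRING = 255  # bytes per DNS <character-string>, RFC 1035 section 3.3

# The article's record as one string (27 terms, 499 bytes), constructed inline.
FULL_RECORD = (
    "v=spf1 ip4:156.77.0.0/16 ip4:63.88.61.0/24 ip4:216.30.177.0/24 "
    "ip4:74.86.131.74 ip4:63.76.9.0/24 ip4:63.251.90.0/24 ip4:69.25.31.0/24 "
    "ip4:216.74.162.0/24 ip4:216.197.69.0/24 ip4:66.35.231.0/24 "
    "ip4:204.3.170.225/32 ip4:64.94.179.244/30 ip4:64.94.179.217 "
    "ip4:212.118.254.242/31 ip4:208.86.144.242 ip4:204.90.130.118 "
    "ip4:204.90.130.121 ip4:192.33.34.0/24 ip4:205.211.178.40/30 "
    "ip4:149.235.225.40/30 ip4:67.231.144.228 ip4:67.231.152.222 "
    "ip4:216.119.217.33 ip4:216.119.209.33 include:thirdparty.net -all"
)


def split_spf(record, limit=MAX_STRING):
    """Split into strings of at most `limit` bytes, cutting only at term
    boundaries.  A verifier concatenates the strings with nothing in between,
    so the separating space stays at the start of each string after the first."""
    chunks, current = [], ""
    for term in record.split():
        piece = term if not chunks and not current else " " + term
        if len(piece.encode("ascii")) > limit:
            raise ValueError(f"single term longer than {limit} bytes: {term}")
        if len((current + piece).encode("ascii")) > limit:
            chunks.append(current)      # flush; `piece` keeps its leading space
            current = piece
        else:
            current += piece
    if current:
        chunks.append(current)
    return chunks


def join_strings(strings):
    """What a verifier does with a multi-string record: plain concatenation."""
    return "".join(strings)


def check_strings(strings, limit=MAX_STRING):
    """Problems with a candidate record; an empty list means it is publishable."""
    problems = []
    for i, s in enumerate(strings):
        if len(s.encode("ascii")) > limit:
            problems.append(f"string {i} is {len(s)} bytes, over the {limit}-byte limit")
    for term in join_strings(strings).split():
        # Two mechanism keywords inside one term means a space was lost at a
        # string boundary, e.g. "ip4:64.94.179.217ip4:212.118.254.242/31".
        if term.count("ip4:") + term.count("include:") > 1:
            problems.append(f"merged term (missing space at a string boundary): {term}")
    return problems


def rdata_size(strings):
    """Wire size of the TXT RDATA: one length byte plus payload per string."""
    return sum(1 + len(s.encode("ascii")) for s in strings)


def udp_response_size(name, strings):
    """Size of a plain (no EDNS0) answer carrying only this RRset: 12-byte
    header, the question, and one answer RR whose owner name is a 2-byte
    compression pointer.  Over 512 means TC=1 and a TCP retry for resolvers
    that do not use EDNS0."""
    qname = sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1
    question = qname + 2 + 2                          # QTYPE, QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + rdata_size(strings)  # ptr, TYPE, CLASS, TTL, RDLENGTH
    return 12 + question + answer


def zone_line(name, strings):
    """BIND zone-file line with one quoted <character-string> per chunk."""
    return f"{name} IN TXT " + " ".join(f'"{s}"' for s in strings)


if __name__ == "__main__":
    parts = split_spf(FULL_RECORD)
    print([len(p) for p in parts], "bytes per string")
    print(zone_line("mydomain.com.", parts))
    print("problems:", check_strings(parts))
    print("problems without the leading space:",
          check_strings([parts[0], parts[1].lstrip()]))
    print("UDP answer size:", udp_response_size("mydomain.com", parts))
```

Run as-is it reports two strings of 252 and 247 bytes and a clean check; dropping the leading space from the second string produces the merged-term error. The size estimate is the other thing worth knowing before you publish: even split correctly, the answer for this record comes to 543 bytes, so resolvers that do not negotiate EDNS0 will see TC=1 and retry over TCP. Splitting only solves the 255-byte problem; shortening the record is the only way to stay under 512.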


Another option, if you are not close to the limit of 10 DNS-querying terms per check (include, a, mx, ptr, exists and the redirect modifier; RFC 4408 section 10.1, RFC 7208 section 4.6.4), is to move some of your addresses into separate records and include those from your main record. Each include costs one of the 10 lookups, and every record involved must itself fit in 255 bytes. The addresses above do not fit into two single-string records once the include term is added, so it takes two helper records (239 and 248 bytes) plus a short main record. The -all inside a helper record has no effect on the result for mydomain.com (include only contributes a match when the included record evaluates to pass); the final -all on mydomain.com is what rejects everything else:

_spf1.mydomain.com TXT "v=spf1 ip4:156.77.0.0/16 ip4:63.88.61.0/24 ip4:216.30.177.0/24 ip4:74.86.131.74 ip4:63.76.9.0/24 ip4:63.251.90.0/24 ip4:69.25.31.0/24 ip4:216.74.162.0/24 ip4:216.197.69.0/24 ip4:66.35.231.0/24 ip4:204.3.170.225/32 ip4:64.94.179.244/30 -all"

_spf2.mydomain.com TXT "v=spf1 ip4:64.94.179.217 ip4:212.118.254.242/31 ip4:208.86.144.242 ip4:204.90.130.118 ip4:204.90.130.121 ip4:192.33.34.0/24 ip4:205.211.178.40/30 ip4:149.235.225.40/30 ip4:67.231.144.228 ip4:67.231.152.222 ip4:216.119.217.33 ip4:216.119.209.33 -all"

mydomain.com TXT "v=spf1 include:_spf1.mydomain.com include:_spf2.mydomain.com include:thirdparty.net -all"
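As an added example (not the article's code), this Python check walks a set of SPF records that reference one another through include:, counts the DNS-querying terms reachable from the main record against the limit of 10, verifies that every string fits in 255 bytes, and reports helper records that nothing reaches as well as include loops. ZONE is a constructed dict standing in for the records published under mydomain.com (_spf1.mydomain.com and _spf2.mydomain.com are example names), so it runs offline; thirdparty.net is deliberately absent from it, and the assumption made here is that an include: of a name outside the zone still costs its one lookup but adds nothing further.

```python
"""Check SPF records that reference each other through include:.

Added example, not code from the original article.  ZONE is a constructed
stand-in for the records published under mydomain.com; thirdparty.net is
deliberately absent and is assumed to cost one lookup and nothing more.
"""
import re

MAX_STRING = 255   # RFC 1035 <character-string> limit
MAX_LOOKUPS = 10   # DNS-querying terms per check, RFC 4408 10.1 / RFC 7208 4.6.4

# Mechanisms that cause a DNS query, with an optional qualifier in front
# and an optional ":domain" or "/cidr" after them.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)", re.I)

# Constructed zone: name -> list of TXT strings (one string each here).
ZONE = {
    "mydomain.com": [
        "v=spf1 include:_spf1.mydomain.com include:_spf2.mydomain.com "
        "include:thirdparty.net -all"
    ],
    "_spf1.mydomain.com": [
        "v=spf1 ip4:156.77.0.0/16 ip4:63.88.61.0/24 ip4:216.30.177.0/24 "
        "ip4:74.86.131.74 ip4:63.76.9.0/24 ip4:63.251.90.0/24 ip4:69.25.31.0/24 "
        "ip4:216.74.162.0/24 ip4:216.197.69.0/24 ip4:66.35.231.0/24 "
        "ip4:204.3.170.225/32 ip4:64.94.179.244/30 -all"
    ],
    "_spf2.mydomain.com": [
        "v=spf1 ip4:64.94.179.217 ip4:212.118.254.242/31 ip4:208.86.144.242 "
        "ip4:204.90.130.118 ip4:204.90.130.121 ip4:192.33.34.0/24 "
        "ip4:205.211.178.40/30 ip4:149.235.225.40/30 ip4:67.231.144.228 "
        "ip4:67.231.152.222 ip4:216.119.217.33 ip4:216.119.209.33 -all"
    ],
}


def record_text(name, zone):
    """Concatenate the TXT strings of `name` the way a verifier does."""
    strings = zone.get(name)
    return None if strings is None else "".join(strings)


def count_lookups(name, zone, path=()):
    """Worst-case number of DNS-querying terms a verifier may evaluate
    starting at `name`: each include/redirect costs one lookup itself plus
    whatever its target record costs."""
    if name in path:
        raise ValueError("include loop: " + " -> ".join(path + (name,)))
    text = record_text(name, zone)
    if text is None:
        return 0                        # outside our zone: nothing more to count
    total = 0
    for term in text.split()[1:]:       # skip the v=spf1 version tag
        m = LOOKUP_RE.match(term)
        if m:
            total += 1
            if m.group(1).lower() == "include":
                total += count_lookups(term.split(":", 1)[1], zone, path + (name,))
        elif term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (name,))
    return total


def reachable(name, zone, seen=None):
    """Names in the zone a verifier would fetch starting from `name`."""
    seen = set() if seen is None else seen
    if name in seen or name not in zone:
        return seen
    seen.add(name)
    for term in record_text(name, zone).split():
        if term.lower().lstrip("+-~?").startswith("include:"):
            reachable(term.split(":", 1)[1], zone, seen)
        elif term.lower().startswith("redirect="):
            reachable(term.split("=", 1)[1], zone, seen)
    return seen


def check_zone(root, zone):
    """Problems with the published set; an empty list means it is sound."""
    problems = []
    for name, strings in zone.items():
        for i, s in enumerate(strings):
            if len(s.encode("ascii")) > MAX_STRING:
                problems.append(f"{name}: string {i} is {len(s)} bytes > {MAX_STRING}")
        if not "".join(strings).startswith("v=spf1"):
            problems.append(f"{name}: missing v=spf1 version tag")
    n = count_lookups(root, zone)
    if n > MAX_LOOKUPS:
        problems.append(f"{root}: {n} DNS lookups, limit is {MAX_LOOKUPS}")
    for name in sorted(set(zone) - reachable(root, zone)):
        problems.append(f"{name}: published but never reached from {root}")
    return problems


if __name__ == "__main__":
    print("lookups from mydomain.com:", count_lookups("mydomain.com", ZONE))
    print("problems:", check_zone("mydomain.com", ZONE))
```

For the three records above the walk finds 3 lookups (one per include; the helper records contain only ip4 terms, which cost nothing) and no problems. The "never reached" check catches the mistake that is easy to make with this layout: publishing a helper record and forgetting to add the include: that points at it, which silently leaves those addresses unauthorized.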

Powered by Zendesk