I saw an interesting discussion about SPF and email infrastructure on Hacker News.

User citrin_ru shared the following list of common SPF problems they see:

  1. No space between directives: "v=spf1 ip4:192.0.2.0/24 include:example.org-all"
  2. Space inside a directive: "v=spf1 ip4:192. 0.2.0/24 -all"
  3. Bad mechanism: "v=spf1 ipv4:192.0.2.1 -all"
  4. No mechanism: "v=spf1 192.0.2.1 example.com"
  5. = instead of : "v=spf1 include=example.com"
  6. Unicode in SPF, mostly dashes (but I’ve seen zero-width spaces too): "v=spf1 –all" (the dash here is U+2013 EN DASH, not the ASCII hyphen-minus)
  7. Two SPF records for the same domain: "v=spf1 mx:example.com -all", "v=spf1 include:example.net ?all"

The official SPF record format is defined in Section 3 of RFC 7208, and the full grammar is collected as ABNF in Section 12 of the same RFC.

citrin_ru also points out that there is a length limit on SPF records. It comes from the 255-octet limit on each character-string inside a TXT record (RFC 1035), not from a limit on the record as a whole. A longer SPF record is published as one TXT record made up of several strings. According to Section 3.3 of RFC 7208 the receiver concatenates those strings without inserting a space, so you have to factor in the space yourself: every string except the last must end with a space (or the split must fall exactly on a term boundary), or the terms on either side of the join fuse into one. It must still be a single TXT record, since a second "v=spf1" record is problem #7 above. A separate limit in Section 4.6.4 caps the terms that require DNS lookups (include, a, mx, ptr, exists and the redirect modifier) at 10 per evaluation; exceed it and receivers return permerror.

Personally, I ran into problem #6 before, when copying and pasting an SPF definition from vendor docs distributed as a Microsoft Word document. Word had automatically converted the ASCII “hyphen-minus” character in “-all” into an “en dash” (U+2013) Unicode character, which broke the SPF record.

Another issue I saw had less to do with SPF formatting and more with underlying infrastructure. To let a Marketing Automation system send email on a business’ behalf, we used the include mechanism to include the vendor’s own SPF record (which had a listing of all IP ranges it mails from). Unfortunately, we were on a brand-new IP address that the vendor hadn’t yet put into their own domain’s SPF record. The SPF checks failed because the sending IP was not found either in the business’ SPF record or in the vendor’s SPF record.

On an unrelated, melancholy note, user thaumaturgy had an interesting post explaining how email is changing because a few big players are taking control of it. We are exiting the “gold rush” small-stakeholder phase of the Internet and entering the “robber baron” gilded age phase. Next up – monopoly breakups, government regulation and a slow-and-steady growth phase.

Gmail came along and decided that, because they were operating “at scale”, they didn’t need to play in the same ecosystem. Over the years, ensuring that a message lands in a Gmail user’s inbox has turned into an infuriating game of trial-and-error. Gmail can do this because they now manage between 40% and 60% of the internet’s email traffic.

AT&T/SBCGlobal/Yahoo/whoever they are now seem to have recently penalized all of Linode’s and DigitalOcean’s IP space. I deployed several mail exchanges and didn’t have any luck reaching any addresses managed by AT&T’s network. And, again, there’s nobody I can kibitz with to resolve it.