SPF record with REDIRECT and INCLUDE
So I have to make an SPF record for a shared domain - 2 mail systems, one is Office 365. Normally it looks like this:

"v=spf1 mx include:MAIL_SERVER include:spf.protection.outlook.com ~all"

It's quite straightforward if it has been configured like this beforehand:

"v=spf1 mx include:MAIL_SERVER ~all"

But I have a different situation, where it is like this:

"v=spf1 mx redirect:_spf.PROVIDERSERVER.COM"

I am not sure if I can do it like this:

"v=spf1 mx redirect:_spf.PROVIDERSERVER.COM include:spf.protection.outlook.com ~all"

Is it going to work like this? If not, then what should be changed?

Ichthyornis answered 1/6, 2018 at 7:3 Comment(0)
The redirect is a modifier rather than a mechanism, and will only be considered after all other mechanisms have been tested. Unlike an include, once a redirect has been navigated it will not return to evaluate further terms, and although your positioning isn't invalid, for clarity it should appear as the last term in the record, since it will only be evaluated after all the other terms have been tested and passed over; i.e. its position in the SPF record will not determine its order of processing.

If any alternative mechanism term is satisfied in the record then the processing will stop at that term and return the evaluated condition; this includes any all mechanism that may be present. Therefore you cannot use redirect in combination with all, because the all mechanism will always be tested and satisfied first, and the redirect will never be processed. Of course, any all mechanism in the redirected domain's SPF would still apply if reached, unlike the -all in an include, which would be ignored by returning not-matched to the include mechanism call. (Caveat: if a +all is encountered within a traversed include it will return matched, and trigger whichever result has been prepended to that include, usually a default +.)

It's worth noting that any redirected domain's own SPF may contain further redirects, and they would cascade as expected. However, each redirect counts towards the lookup count limits.

So in summary you would want to use something like...

"v=spf1 mx include:spf.protection.outlook.com redirect=_spf.PROVIDERSERVER.COM"
Intertwine answered 4/6, 2018 at 15:17 Comment(2)
Could you just clarify why the MX part is after include? - Ichthyornis
That was simply an oversight on my part. It would be valid syntax, but you're right, it could make a difference because it would only try to resolve the mx mechanism after the include, so it may have already reached an SPF FAIL before mx was considered. I've edited my answer to reflect your question more accurately. Thanks. - Intertwine
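As an added example (not code from the thread or from any of its authors), here is a minimal SPF evaluator in Python run over a constructed in-memory zone table. It illustrates the evaluation order described in this answer and in the RFC excerpts quoted further down: mechanisms are tried left to right, an include only matches when the sub-record passes, and redirect= is acted on only after every mechanism has been passed over, so any all in the same record makes it unreachable. Only the terms the thread uses are implemented (mx, ip4, include:, all, redirect=); providerserver.com, the example domains and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed zone data (not real DNS); providerserver.com stands in for the thread's placeholder.
DNS_TXT = {
    "shared.example": "v=spf1 mx include:spf.protection.outlook.com redirect=_spf.providerserver.com",
    "broken.example": "v=spf1 mx redirect=_spf.providerserver.com include:spf.protection.outlook.com ~all",
    "colon.example": "v=spf1 mx redirect:_spf.providerserver.com include:spf.protection.outlook.com ~all",
    "_spf.providerserver.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
DNS_MX = {"shared.example": ["192.0.2.10"]}  # MX hosts already resolved to addresses
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Return the SPF result for ip sending as domain (pass/fail/softfail/neutral/none/permerror)."""
    if depth > 10:                        # recursion guard, standing in for RFC 7208's lookup limit
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    # Mechanisms are tried left to right; the first one that matches decides the result.
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]   # a modifier: noted now, acted on only at the end
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = ip in DNS_MX.get(arg or domain, [])
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub == "permerror":
                return sub
            matched = sub == "pass"       # the included record's -all/~all only mean "no match" here
        else:
            return "permerror"            # "redirect:" with a colon is an unknown mechanism, not a modifier
        if matched:
            return RESULT[qualifier]
    # Nothing matched: redirect= now replaces the whole record, so the target's own "all" applies.
    return check_host(ip, redirect, depth + 1) if redirect else "neutral"
```

Running check_host against broken.example shows the ~all answering before redirect= is ever reached, and against colon.example shows the questioner's redirect: spelling being rejected as an unknown mechanism.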
I'm not sure on this, but here goes a guess! The docs say that redirect entirely replaces the current record, so I would expect it to ignore all other clauses - but it also evaluates from left to right, so maybe it would do the mx lookup first - you could test that manually.

I'm not sure why you're looking at redirect in the first place.

I suspect you could achieve what you're aiming for with:

"v=spf1 mx include:_spf.PROVIDERSERVER.COM include:spf.protection.outlook.com ~all"
Acne answered 1/6, 2018 at 7:30 Comment(0)
As an addon to earlier answers.

From the RFC, section 6.1 on the redirect modifier it reads:

This facility is intended for use by organizations that wish to apply the same record to multiple domains. For example:

  la.example.com. TXT "v=spf1 redirect=_spf.example.com"
  ny.example.com. TXT "v=spf1 redirect=_spf.example.com"
  sf.example.com. TXT "v=spf1 redirect=_spf.example.com"
_spf.example.com. TXT "v=spf1 mx:example.com -all"

In this example, mail from any of the three domains is described by the same record. This can be an administrative advantage.

Note: In general, the domain "A" cannot reliably use a redirect to another domain "B" not under the same administrative control. Since the <sender> stays the same, there is no guarantee that the record at domain "B" will correctly work for mailboxes in domain "A", especially if domain "B" uses mechanisms involving local-parts. An "include" directive will generally be more appropriate.

And, a redirect modifier MUST NOT be combined with an all mechanism:

For clarity, any "redirect" modifier SHOULD appear as the very last term in a record. Any "redirect" modifier MUST be ignored if there is an "all" mechanism anywhere in the record.

Considering all this, I would suggest to go with the syntax as provided by @Synchro. Although it is not against the rules, it is highly unusual to combine mechanisms with the redirect modifier.

Multiplex answered 18/12, 2018 at 12:30 Comment(0)
As far as I know (or understand from https://www.rfc-editor.org/rfc/rfc7208#page-26) you can do the record from the last example. The redirect modifier will be used if everything else fails, meaning it will be the last thing checked.

Note that according to this same RFC the redirect modifier is recommended to be at the end of the record, before ~all.

Fascinate answered 1/6, 2018 at 7:34 Comment(1)
This is misleading: the documentation doesn't recommend placing the redirect 'before ~all', but actually says 'Any "redirect" modifier MUST be ignored if there is an "all" mechanism anywhere in the record'. - Intertwine