How to resolve problems with spf / softfail?
You can only have one SPF record. Since you created four of them, which one actually gets used is essentially random. You should combine them together into a single record.
spf
PermError SPF Permanent Error: Void lookup limit of 2 exceeded
The void lookup limit was introduced in RFC 7208 and refers to DNS lookups which either return an empty response (NOERROR with no answers) or an NXDOMAIN response. This is a separate count from the 10 DNS lookup overall count. As described at the end of Section 11.1, there may be cases where it is … Read more
SPF fail vs. soft-fail pros and cons
Sondra, you already found a related question, but the highest scoring answer doesn’t do justice to your questions, in my opinion. Let me start with your last question: What is the likelihood that a forged phishing email which SPF SoftFails actually gets to someone’s inbox? Huge! Combined with DMARC quarantine/reject policy and the receiving mailbox … Read more
Workarounds for maximum DNS-Interactive terms limit exceeded in SPF record?
Mostly already answered, please do note including Google this way is wrong – you want to use _spf.google.com or incur a penalty for the redirect: ○ → host -t txt aspmx.googlemail.com aspmx.googlemail.com descriptive text “v=spf1 redirect=_spf.google.com” ○ → host -t txt _spf.google.com _spf.google.com descriptive text “v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all” That lookup will consume 5/10 … Read more
Can SPF records contain domain name wildcards?
No you can’t. That is not the correct SPF record, and it is not the correct address of Google’s SPF record. Anyone with the control of a reverse DNS domain can make any IP have any name he/she wants, like “google.com”, “whitehouse.gov”, etc. Allowing reverse matches at all would be very wrong. The “include” feature … Read more
SPF Record with or without plus
Technically, yes, there is a difference. According to the SPF Record Syntax, a plus sign (+) indicates that the record should pass, no questions asked. The absence of a plus sign, or the inclusion of a question mark (?) indicates neutral status — the domain owner is not offering an opinion about whether the message … Read more
Is there a way to align SPF for Google Apps alias domain?
Use the redirect modifier to “replace” the SPF record for the alias domain with that of the primary domain. Thus, the SPF record for aliasdomain.com ends up looking like this: v=spf1 redirect=primarydomain.com Note that no all mechanism is required, the final clause of the primarydomain.com record will apply.
DNS MX/SPF/DMARC records without actuall emails on domain
The point would largely boil down to being a good citizen and reducing abuse, like making your domain less useful for spammers to impersonate and to make it immediately clear to others that mail is not deliverable there. If the claim is accurate that the domain is not used for either sending or receiving email … Read more
How can I have an SPF record longer than 255 characters?
Yes, you are interpreting it correctly. I have recently dealt with this. This article was helpful to me: Can I have a TXT or SPF record longer than 255 characters? A notable example of this concept in practice would be the SPF record for cisco.com as of 2/25/2016: > ;; QUESTION SECTION: ;cisco.com. IN TXT … Read more
Do changes in SPF records take time to propagate?
Yes, there might be caching or other delays depending on how the zone is being edited (nsupdate results in fairly immediate changes, less so if some web front-end talks to a database that maybe eventually does something to update a zone), how zone transfers are done (the master DNS server might push changes, or the … Read more