HCHTech
Well, this was a fun afternoon. My client calls me and reports that they can no longer send faxes with their efax account. "efaxsend.com couldn't confirm that your message was sent from a trusted location."
Ok, digging into the error details shows an SPF validation error. Further digging shows the rejection was because "Two or more type TXT spf records found." Well, that shouldn't be - somebody changed something. I look up SPF on MXToolbox and sure enough, there are two records. The one I knew about and a new one, with an include statement to mailgun.org.
One call to the only other person who has access to DNS (the web developer) and "Yes, I added that as we changed the back end for their 'Contact Us' system."
I asked if they knew you couldn't have more than one SPF record... dead air on the phone. Ok, so I edited the DNS to combine the records and thought I was done. After some time for DNS propagation, I called the complainant and asked them to try it again. "Nope, still fails". More digging determined that this time the error is different: "Too many DNS lookups".
Back to MXToolbox, I see that our new & improved SPF record has 16 lookups. They don't show you the breakdown, but the tool on easydmarc.com does. I see the following for the 3 "include" domains:
softwarevendor.com - this one is required for their LOB software to send emails with status updates to their clients - 10 Lookups! (That's the limit right there)
spf.protection.outlook.com - standard M365 entry - 1 lookup
mailgun.org - 2 lookups
10 + 1 + 2 <> 16, but the softwarevendor.com entry has a tree of entries under it, including what appears to be a gsuite domain of xxxx.net where xxxx is the last name of one of the software vendor's developers who I know from having worked with them for more than a dozen years. That mess is probably why the count is higher.
So, this appears to be some problem created by the software vendor. I sent them a detailed email with screenshots & such. Hopefully they'll fix their screwup and I can get on with my life.
If they can't or won't fix it, I'll be forced to "flatten" the SPF record for their entry by hand-coding in all of the individual IPs that are normally looked up with the include entry. I'm not keen on this solution because it signs me up for maintenance of trying to find out if they ever change any of those IPs because if they do and I don't fix my SPF record, something is going to break, for sure.
How was your day?
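The two failures described in the post above (more than one SPF record on a domain, then more than 10 DNS lookups after the records were merged) as a small offline checker. This is an added example, not part of the original post: every domain and record in `ZONE` is constructed, and the count is a static worst case over all `include`, `a`, `mx`, `ptr`, `exists` and `redirect` terms, which RFC 7208 limits to 10 per check.

```python
# Constructed TXT data standing in for live DNS; every name and record is made up.
ZONE = {
    "client.example": ["v=spf1 include:vendor.example include:m365.example include:mailer.example -all"],
    "split.example": ["v=spf1 include:m365.example -all", "v=spf1 include:mailer.example ~all"],
    "vendor.example": ["v=spf1 a mx include:_s1.vendor.example include:dev.example ~all"],
    "_s1.vendor.example": ["v=spf1 a:m1.vendor.example a:m2.vendor.example ~all"],
    "dev.example": ["v=spf1 a mx a:relay.dev.example ~all"],
    "m365.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "mailer.example": ["v=spf1 a ip4:203.0.113.0/24 ~all"],
}
LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check

class PermError(Exception):
    """SPF permerror result (RFC 7208)."""

def spf_record(domain, zone):
    """Return the domain's single SPF record or None; two or more is a permerror."""
    recs = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) > 1:
        raise PermError(f"{domain} publishes {len(recs)} SPF records")
    return recs[0] if recs else None

def terms(record):
    """Yield (name, target) for each term after the version tag."""
    for term in record.split()[1:]:
        name, _, target = term.lstrip("+-~?").lower().replace("=", ":", 1).partition(":")
        yield name.split("/")[0], target

def count_lookups(domain, zone, seen=()):
    """Static worst-case count of DNS-querying terms reachable from domain."""
    if domain in seen:
        raise PermError(f"include loop at {domain}")
    total = 0
    for name, target in terms(spf_record(domain, zone) or ""):
        if name in ("include", "redirect"):  # one query, plus whatever it pulls in
            total += 1 + count_lookups(target, zone, seen + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def audit(domain, zone):
    """Return (total, {include: cost}, verdict) for the domain's SPF record."""
    try:
        total = count_lookups(domain, zone)
    except PermError as exc:
        return None, {}, f"permerror: {exc}"
    costs = {t: 1 + count_lookups(t, zone)
             for n, t in terms(spf_record(domain, zone) or "") if n == "include"}
    return total, costs, "ok" if total <= LIMIT else f"permerror: {total} lookups, limit {LIMIT}"
```

`audit("client.example", ZONE)` shows which include is eating the budget, which is also the number to watch if an include is ever replaced by hand-flattened `ip4:` entries (those cost zero lookups).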