allanwallace.uk : Blog

Office365 and mailhop - SPF - a small problem.


If you use Office 365 / outlook.com mailservers and also use mailhop mailservers for sending emails, you may find some of them are being quarantined or rejected
- and you may be wondering what the cause could be.

For Office365 / mailhop, the direct cause could be as simple as having the following two items in the SPF record for your domain:
include:spf.protection.outlook.com
include:outbound.mailhop.org


In this article I show you how to save 2 DNS lookups - fixing the SPF, and also saving 31 characters PER DNS lookup.
Sometimes it IS the little things that matter



CAUTION:
You can use the DNS record examples in this article to test the solution.
These are not for production use, as this is a server I test things with is rebooted regularly and may be offline.

To reiterate:

If you need to implement the solution specified in this article,
YOU MUST publish your own copies of the DNS records using a more resilient platform.


If you point to my DNS then this could lead to loss of emails as DNS lookups may fail without warning.
No warranty, neither expressed, nor implied. Errors & Omissions Exempted:.

Before we continue:
Many thanks to Scott Kitterman for his SPF Record Testing Tools
These are a valuable resource for learning about and testing
SPF compliance.




The Problem and solution:

Note:
I have already advised mailhop and mailchannels of this, but at time of writing the outbound.mailhop.org SPF record still requires 9 DNS lookups to process, and contained with it is include:relay.mailchannels.net which requires 3 of those DNS lookups on it's own.
If your email delivery is more important and can not wait until they implement a solution, there is one below, read on:

If at this point you are wondering how this SPF record could be a problem here's why:

When processing an SPF record for an inbound email, SPF has a lookup limit of 10 DNS lookups MAXIMUM.
Source: http://www.openspf.org/FAQ/Common_mistakes
(Opens in a new tab, http only at time of writing).

For the explanation, here is an example using the simplest SPF record for this combination of email providers:
v=spf1 include:spf.protection.outlook.com include:outbound.mailhop.org -all

In theory, this SPF record states:
"allow the servers specified by spf.protection.outlook.com and the servers specified by outbound.mailhop.org to send my emails"
-all states:
"Do not allow other servers to deliver my emails".

Looks good doesn't it?
- I'm afraid it isn't - at least not yet
There is a fix, but first to explain the problem:

If you only sent emails via mailhop, and had an SPF record like this:
v=spf1 include:outbound.mailhop.org -all
Then you have NO problem - only 9 DNS lookups are required to process the SPF - all is good with the world.



BUT if you send via outlook.com / Office365 servers as well as mailhop then:

spf.protection.outlook.com
requires 3 DNS lookups to process,

outbound.mailhop.org
requires 9 DNS lookups to process...

- and 12 DNS lookups in total does not comply with the specification for SPF.

The reason for the 10 DNS lookup limit in the specification for SPF is to reduce the risk of DoS attacks.
That being the case the logical thing is to try and see if this issue can be resolved.

At time of writing (6th October 2018 @ 14:57 BST) this problem with combining the SPF for:
spf.protection.outlook.com
and
outbound.mailhop.org
can be resolved quickly and fairly simply.

Here is the (numbered) chain of DNS lookups required in sequence to process the SPF record:

(1) spf.protection.outlook.com
(2) spfa.protection.outlook.com
(3) spfb.protection.outlook.com

(4) outbound.mailhop.org
(5) outbound._spf.mailhop.org
(6) smtp._spf.mailhop.org
(7) pmta1._spf.mailhop.org
(8) pmta2._spf.mailhop.org

(9)    relay.mailchannels.net
(10)     spf1.mailchannels.net
(11)     spf2.mailchannels.net

(12) smtp-eu._spf.mailhop.org


See the red ones? Those are the ones that are outside of the specification for SPF.

This completely breaks the SPF record.

If you are wondering why relay.mailchannels.net - a perfectly formatted SPF record - is in bold, here's why:

relay.mailchannels.net contains:
v=spf1 include:spf1.mailchannels.net include:spf2.mailchannels.net ~all
1 DNS lookup is required for spf1.mailchannels.net
1 DNS lookup is required for spf2.mailchannels.net

If we can remove these 2 DNS lookups we can solve this problem and fix the SPF record.

spf1.mailchannels.net contains this:
v=spf1 ip4:46.232.183.0/24 ip4:23.83.208.1/20 ip4:177.153.0.128/25 ip4:191.252.57.0/25 ~all
(total 92 characters - Why is this important? - read on)

spf2.mailchannels.net contains this:
v=spf1 ip4:199.10.31.235/32 ip4:199.10.31.236/32 ip4:172.255.62.10/32 ip4:172.255.62.11/32 ip4:103.18.109.138/32 ip4:177.153.0.130/32 ip4:54.214.232.113/32 ~all
(total 161 characters)

Why the number of characters is important:
There is a limit of 255 characters within a DNS TXT record.*
161+92 = 253 characters. It will easily fit in one TXT record .

* yes, well, sort of. More information later in this article.

If we combine the two TXT records together (and re-order the IP addresses in ascending order to aid manageability) we end up with this:
v=spf1 ip4:23.83.208.1/20 ip4:46.232.183.0/24 ip4:54.214.232.113 ip4:103.18.109.138 ip4:172.255.62.10 ip4:172.255.62.11 ip4:177.153.0.128/25 ip4:177.153.0.130 ip4:191.252.57.0/25 ip4:199.10.31.235 ip4:199.10.31.236 ~all
(total 220 characters)
Saving 11 characters by de-duplicating v=spf1 and v=spf1,
and 20 characters by removing /32 - as it is not required by the specification for SPF.


If we publish this as a DNS record somewhere else:

relaymailchannelsspf.allanwallace.uk
e

then publish a version of the outbound.mailhop.org SPF record that hadrelay.mailchannels.net replaced with relaymailchannelsspf.allanwallace.uk:

proof.allanwallace.uk
e

Then we end up with this SPF record:
v=spf1 include:spf.protection.outlook.com include:proof.allanwallace.uk -all

Which I published as:

office365mailhopfix.allanwallace.uk


Then we end up with this chain of DNS lookups:

(1) spf.protection.outlook.com
(2) spfa.protection.outlook.com
(3) spfb.protection.outlook.com

(4) outbound.mailhop.org
(5) outbound._spf.mailhop.org
(6) smtp._spf.mailhop.org
(7) pmta1._spf.mailhop.org
(8) pmta2._spf.mailhop.org

(9)    relaymailchannels.allanwallace.uk

(10) smtp-eu._spf.mailhop.org


And when you test the office365mailhopfix.allanwallace.uk SPF record:
v=spf1 include:spf.protection.outlook.com include:proof.allanwallace.uk -all
at Kitterman's SPF Query Tool you get this:
evaluating... <a href=SPF record passed validation test with pySPF (Python SPF library)!">

i.e. Problem Solved.

So this is what we have achieved:
1 - we've cured the issues of compliance with the specification for SPF, making an SPF record that functions correctly, exactly as desired
2 - we've reduced the number of DNS lookups required, saving DNS lookups, which saves time, bandwidth, processing cost
3 - we've reduced the number of characters returned by three of the TXT records by combining them into one, saving time, bandwidth, processing cost
4 - we've increased the manageability of the original relay.mailchannels.net SPF record, by completely putting the ip4: addresses in ascending order
5 - we've further reduced the size of the SPF record by removing /32 from the end of ip4: addresses. (SPF specification DOES NOT REQUIRE IT!)

There are some caveats of course, you have to monitor all the SPF records for changes, especially relay.mailchannels.net.

If you want assistance with this type of issue, contact sales@systemforce.co.uk for a quote.


Right, now there are some additional points I skimmed on earlier, here is a bit more about them.

DNS TXT record limit of 255 chars:
Well, you can have longer ones - multiple records each of no more than 255 chars enclosed within speechmarks - but this can have it's own related set of problems.


Last Updated 2019/06/19 00:11 CET.

Cookie Policy
Privacy Policy
Security Policy
Terms & Conditions

blog.allanwallace.uk © 2019 Allan Wallace