spf/dkim advanced check
After last week’s tidying up, I’ve made a priority list for my weekly goals.
It was getting longer and harder to sort…
Until I got a call from a complaining partner
for all messages rejected by mailsecurity.swisscom.com.
The explanation for the bounced message concerned the missing DKIM signature. Which actually was there.
After a thorough investigation, it emerged that the SPF check reported:
Too many included lookups (15), which according to RFC7208, should be limited to max 10:
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit.
In these cases, the mxtoolbox SPF check can help,
because it shows in detail all “includes” and “sub-includes”.
Changes to the TXT record are not under the control of the smtp server vendor.
RealSender had already set up an automatic verification and an internal alert,
to make sure there are no “-all” settings that prohibit sending.
Using the well-working application tester.realsender.com,
a daily “advanced check” of all authorized senders is now in place.
At the moment it only checks that the TXT settings do not generate errors.
These could be for example:
- Error Two or more type TXT spf records found (if the TXT records are more than one)
- Permanent Error: No valid SPF record (if just one “include” doesn’t answer correctly)
- Permanent Error: include has trivial recursion (if there is an “include” to the same domain)
These are important issues, because all messages sent may be rejected because of them.
I have already notified some customers, requesting to fix the TXT records.
The second check is against DKIM authentication.
It points out all responses except “dkim-pass” or “dkim-diff”.
The few reports found are misconfigurations, which were promptly resolved.