Domain Name System – How Adding Another TXT Record Affects SPF Authentication


I am using multiple mail services for my domain sliver.proteuslake.asia, such as Mailjet, Google, and Atlassian. I have already added three TXT records for my domain:

  • "v=spf1 include:spf.mailjet.com ?all"

  • "atlassian-sending-domain-verification=fb8692b2-027c-4abc-8ce7-311fd467211e"

  • "google-site-verification=DQ0PYy6fwkssvVgmuTx0-eU-kMGZoaCKvXX2wWTZD-I"

These records are used for different purposes, such as verifying my domain ownership and allowing Mailjet to send emails on my behalf.

I want to add another TXT record for a different purpose, but I am not sure if it will affect the SPF authentication method. SPF is an email authentication method that uses the DNS to authorize which IPs can send mail on behalf of my domain. The receiving mail server checks the SPF record of the sender's domain to verify that the sender's IP address is authorized.

Will adding another TXT record impact the SPF authentication method? If yes, how can I avoid it? If no, why not?

Best Answer

It shouldn't

The receiving server will check for a single TXT record that starts with "v=SPF1". The number of TXT records at the domain level does not matter.

However, when the results of a DNS query are above a certain size, the DNS service will send back the first set of bytes and flag the response as truncated. This will prompt the client to retry the query over TCP instead of UDP. Since the SPF lookup for a domain is for any TXT records at the root of the domain, all TXT records are returned. So, when you publish many TXT records at the same domain as your SPF record, the chance increases you're exceeding the UDP limit.

This should not be an issue, per se. But, I've seen some TempErrors occur with some mailbox service providers where those do not attempt a second lookup over TCP. This can cause issues, for example when you have a restrictive DMARC policy set (p=reject or p=quarantine) and DKIM fails or isn't present. DMARC evaluation then relies on SPF results (and alignment) and an Error will fail it.

This answer explains the DNS behaviour better than I could: https://superuser.com/questions/1411657/why-dns-look-up-is-udp

Another way

Some services allow you to use a different (sub)domain for SPF checks than the domain used in the FROM header of the email. Since SPF is checked on the Return-Path address, where bounces are sent, you can use a different domain for your SPF record than where you publish the TXT verification records. This will also help towards staying away from the 10-lookup limit for SPF queries. Although not all service providers support such a setup, it will help reduce the size of the top level record when they do.
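As an added example (not part of the question or the answer above), the script below takes the three TXT records quoted in the question plus a hypothetical fourth one, checks that exactly one record is an SPF record, counts the lookup-incurring SPF terms against the limit of 10, and estimates the size of the TXT response on the wire (RFC 1035 format) against the classic 512-byte UDP limit that the answer's truncation point refers to. The fourth record and the `check` helper are assumptions for illustration.

```python
"""Check the TXT RRset at a domain apex for SPF sanity and UDP response size.

Added example, not code from the original page. The record set is constructed
from the three records quoted in the question plus a hypothetical fourth one.
"""
import re

DOMAIN = "sliver.proteuslake.asia"

# Constructed TXT RRset: the three records from the question plus one more.
TXT_RECORDS = [
    "v=spf1 include:spf.mailjet.com ?all",
    "atlassian-sending-domain-verification=fb8692b2-027c-4abc-8ce7-311fd467211e",
    "google-site-verification=DQ0PYy6fwkssvVgmuTx0-eU-kMGZoaCKvXX2wWTZD-I",
    "example-verification=0123456789abcdef",  # hypothetical new TXT record
]

# SPF terms that each cost one DNS lookup toward the limit of 10 (RFC 7208 4.6.4).
LOOKUP_TERMS = re.compile(
    r"^(?:[+\-~?]?(?:include|a|mx|ptr|exists)|redirect)(?:[:=/]|$)", re.I
)
UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0


def find_spf(records):
    """Return the SPF records; a valid domain publishes exactly one 'v=spf1'."""
    return [r for r in records if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def count_lookups(spf):
    """Count the terms in an SPF record that trigger DNS lookups."""
    return sum(1 for term in spf.split()[1:] if LOOKUP_TERMS.match(term))


def wire_size(name, records):
    """Estimate the DNS response size for a TXT query: header + question + answer RRs."""
    qname = sum(len(label) + 1 for label in name.split(".")) + 1  # labels + root byte
    size = 12 + qname + 4  # header, QNAME, QTYPE, QCLASS
    for r in records:
        chunks = (len(r) + 254) // 255  # one length byte per 255-char string
        size += 2 + 2 + 2 + 4 + 2 + len(r) + chunks  # name ptr, TYPE, CLASS, TTL, RDLENGTH, RDATA
    return size


def check(name, records):
    """Summarise SPF record count, lookup count and whether UDP truncation is likely."""
    spf = find_spf(records)
    size = wire_size(name, records)
    return {
        "spf_count": len(spf),
        "lookups": count_lookups(spf[0]) if len(spf) == 1 else None,
        "size": size,
        "may_truncate": size > UDP_LIMIT,
    }


if __name__ == "__main__":
    print(check(DOMAIN, TXT_RECORDS))
```

A domain with two `v=spf1` records or `lookups` above 10 fails SPF outright; `may_truncate` only flags the UDP fallback case the answer describes.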