Mixing SPF records
I have the usual Google Apps SPF record in my DNS:
v=spf1 include:_spf.google.com ~all
and now, since we are using ZenDesk, I should also add:
v=spf1 include:support.zendesk.com ~all
Should they be merged into one like this:
v=spf1 include:_spf.google.com include:support.zendesk.com ~all
Yes, that is correct, unless _spf.google.com includes a redirect (which it doesn't). In that case, include:_spf.google.com should be moved to the end of the list to avoid replacing all entries after the include with the redirect.
Also, be aware that the RFC (IETF RFC 4408) specifies that a maximum of 10 MX or PTR lookups should be allowed, after which validation of a single record should be terminated. This is to ensure that an SPF parser doesn't get trapped in an endless lookup scenario (potential DoS'ing).
How does this apply in real life?
Let's say that both includes use the "mx" mechanism, and that each has 6 distinct MX records. Now, when the first include (_spf.google.com) has been processed, you only have 4 lookups left, so to speak. If the MTA that is being validated is one of the last 2 distinct MX records for the second include (support.zendesk.com), the validation might actually fail even though you've included all the records correctly.
This is not the case for the above scenario, but it's worth taking into account, since not all companies think about this when designing their SPF structure. Just try to look up, say, TXT for ebay.com and try to count the number of lookups that might result ;-)
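Both points from this thread, as an added example that is not part of the original question or answer: two separate v=spf1 records on one name evaluate to permerror (which is why the merged form is the one to publish), and the terms that trigger DNS queries (include, a, mx, ptr, exists, redirect) are counted across all nested includes against the limit of 10 in RFC 7208 section 4.6.4. The TXT contents in ZONE are constructed for the example, and macros in include targets are not expanded.

```python
LIMIT = 10  # RFC 7208 section 4.6.4: DNS-querying terms allowed per check
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
# Constructed TXT data standing in for DNS (not the providers' real records).
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:support.zendesk.com ~all"],
    "split.example": ["v=spf1 include:_spf.google.com ~all",
                      "v=spf1 include:support.zendesk.com ~all"],
    "_spf.google.com": ["v=spf1 include:nb1.example include:nb2.example ~all"],
    "nb1.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "nb2.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "support.zendesk.com": ["v=spf1 mx include:mail.example ~all"],
    "mail.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

class PermError(Exception):
    """Permanent SPF error: the record set cannot be evaluated."""

def spf_record(zone, domain):
    """Return the one v=spf1 record for domain; None if there is none."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise PermError(f"{domain} publishes {len(found)} v=spf1 records")
    return found[0] if found else None

def count_lookups(zone, domain, seen=()):
    """Worst case (no term matches early) count of DNS-querying terms."""
    if domain in seen:
        raise PermError(f"include loop through {domain}")
    record = spf_record(zone, domain)
    total = 0
    for term in (record or "").split()[1:]:
        term = term.lstrip("+-~?").lower().replace("=", ":", 1)
        name, _, target = term.partition(":")
        if name.split("/")[0] in LOOKUP_TERMS:  # "a/24", "mx/24" carry a CIDR suffix
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(zone, target, seen + (domain,))
    return total

def check(zone, domain):
    try:
        n = count_lookups(zone, domain)
    except PermError as err:
        return f"permerror: {err}"
    return f"{n} lookups, " + ("within limit" if n <= LIMIT else "permerror: over limit")

if __name__ == "__main__":
    for d in ("example.com", "split.example"):
        print(d, "->", check(ZONE, d))
```

To audit a live domain, replace the ZONE lookups in spf_record with real TXT queries and run count_lookups against the name that appears in the envelope sender.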