Thanks all, my question still was: Suppose I comply with all the recommendations and best practices in composing my SPF records... Do I still need to worry about the number of IP addresses (v4/v6/CIDRs) that I put in each record?

I guess if I could really stick with sub-512-byte records, I could not put more than 20ish ip4 mechanisms, and even less if including ip6 ones. And using includes I could not have more than 10 of such records.

On Sun, Feb 23, 2020 at 7:54 PM Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Sun, Feb 23, 2020 at 06:44:34PM -0500, Mohamed Lrhazi wrote:
>
> > record flattening is the process of replacing include, and other lookup
> > generating mechanisms, with their resulting ip addresses.
> > My question is how many IPs can one put in a single spf record?
> >
> > It appears the RFC does not touch on this, so I guess it's left to the
> > implementors to decide, and from my limited tests it seems to vary a lot.
>
> The most recent BCP recommendation for UDP DNS buffer size selection is
> 1232 bytes. Therefore your TXT record along with any other DNS overhead
> (including any DNSSEC signatures if your domain is signed) should fit
> into at most 1232 bytes. You can test with:
>
> dig +norecur +dnssec +novc -t txt example.com @ns1.example.com
>
> (where ns1.example.com is replaced by a suitable authoritative
> server for the domain), and see how big the response is.
>
> Some resolvers may limit DNS responses further, and responses of 512
> bytes or less are sure to be sufficiently small.
>
> FWIW, google seems to have comparatively small SPF text records, and
> even advertises 512 bytes as the EDNS buffer size, but google.com is
> unsigned, so the small UDP limit becomes more practical.
>
> $ dig +norecur +dnssec +novc -t txt _netblocks.google.com @ns1.google.com
> ...
> _netblocks.google.com. 3600 IN TXT "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
> ...
> ;; MSG SIZE rcvd: 286
>
> $ dig +norecur +dnssec +novc -t txt _netblocks2.google.com @ns1.google.com
> ...
> _netblocks2.google.com. 3600 IN TXT "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
> ...
> ;; MSG SIZE rcvd: 218
>
> --
> Viktor.
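An added example (not part of the thread) that estimates the UDP response size of an SPF TXT record from the DNS wire format, so a record can be checked against the 512 and 1232 byte budgets before publishing; the two google.com records quoted above are used to check the estimate against the MSG SIZE figures dig printed. example.com and the 203.0.113.0/24 prefix are placeholders.

```python
# Estimate the size of a DNS response carrying one SPF TXT record:
# header + question + one TXT answer RR, plus an OPT pseudo-RR when EDNS is
# in use (RFC 1035 wire format). DNSSEC RRSIGs are not modelled.

DNS_HEADER = 12   # ID, flags, four 16-bit section counts
RR_FIXED = 10     # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
OPT_RR = 11       # EDNS OPT pseudo-RR with no options: root name(1) + RR_FIXED
NAME_PTR = 2      # answer owner name sent as a compression pointer to the question

def wire_name_len(name: str) -> int:
    """Bytes of an uncompressed domain name: a length byte per label plus the root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def txt_rdata_len(text: str) -> int:
    """TXT RDATA is a series of <len><bytes> strings of at most 255 bytes each."""
    data = text.encode()
    return len(data) + max(1, (len(data) + 254) // 255)

def spf_record(mechanisms, final="~all") -> str:
    """Assemble an SPF v1 record from a list of mechanisms (ip4:, ip6:, include:...)."""
    return " ".join(["v=spf1", *mechanisms, final])

def response_size(name: str, text: str, edns: bool = True) -> int:
    question = wire_name_len(name) + 4  # QTYPE + QCLASS
    answer = NAME_PTR + RR_FIXED + txt_rdata_len(text)
    return DNS_HEADER + question + answer + (OPT_RR if edns else 0)

def max_mechanisms(name: str, mechanism: str, budget: int, edns: bool = True) -> int:
    """Largest number of copies of `mechanism` whose response still fits `budget`."""
    n = 0
    while response_size(name, spf_record([mechanism] * (n + 1)), edns) <= budget:
        n += 1
    return n

# Records exactly as dig printed them in the quoted message (dig +dnssec uses EDNS).
NETBLOCKS_V4 = ("v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 "
                "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 "
                "ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 "
                "ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all")
NETBLOCKS_V6 = ("v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 "
                "ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
                "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all")

if __name__ == "__main__":
    print(response_size("_netblocks.google.com", NETBLOCKS_V4))   # 286, as dig reported
    print(response_size("_netblocks2.google.com", NETBLOCKS_V6))  # 218, as dig reported
    for budget in (512, 1232):  # placeholder zone, how many /24 ip4 mechanisms fit?
        print(budget, max_mechanisms("example.com", "ip4:203.0.113.0/24", budget, edns=False))
```

The 10-lookup limit on include/a/mx/ptr/exists mechanisms from RFC 7208 is a separate constraint and is not modelled here.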