
Too many DNS lookups in an SPF record

My website needs to send out emails with Google Apps, SendGrid and MailChimp services. Google Apps is used to receive and read incoming email to my domain.

I need to set the SPF record for my domain. The following is syntactically correct (not sure about A and MX tokens):

"v=spf1 a mx include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all"

But if I test it with http://www.kitterman.com/getspf2.py I get

PermError SPF Permanent Error: Too many DNS lookups

Similar problem as http://www.onlineaspect.com/2009/03/20/too-many-dns-lookups-in-an-spf-record/

How can I optimize/rewrite my SPF record?

So, I've never had to do this before, but based on the article you sent over, this is what I came up with.

We started with:

v=spf1 a mx include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all

We get 10 total lookups before we throw the Too many DNS lookups error:

  2 (Initial TXT & SPF Lookups)
  2 (a & mx Lookups)
  1 (_spf.google.com)
  1 (servers.mcsv.net)
 +1 (sendgrid.net)
 -----------------
  7 Lookups

So without even following the included SPF records, we have 7 lookups.

Now, let's dive a level deeper.

1. _spf.google.com

The Google SPF record evaluates to:

v=spf1 include:_netblocks.google.com include:_netblocks6.google.com ?all

Each of which resolves to the following values:

# _netblocks.google.com
v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all

# _netblocks6.google.com
v=spf1 ip6:2607:f8b0:4000::/36 ip6:2a00:1450:4000::/36 ?all

So Google gives us 2 more lookups, bringing the total up to 9 lookups.

2. servers.mcsv.net

Mailchimp is a bit of a doozy because it adds a whole 3 extra lookups:

v=spf1 include:spf1.mcsv.net include:spf2.mcsv.net include:spf.mandrillapp.com ?all

I would imagine that depending on what you're sending through Mailchimp, you might be able to remove one or two of these records (but you'll have to evaluate that yourself).

Anyway, those resolve to the following:

# spf1.mcsv.net
v=spf1 ip4:207.97.237.194/31 ip4:207.97.238.88/29 ip4:207.97.240.168/29 ip4:69.20.10.80/29 ip4:69.20.41.72/27 ip4:74.205.22.1/27 ip4:69.20.90.0/26 ?all

# spf2.mcsv.net
v=spf1 ip4:204.232.163.0/24 ip4:72.26.195.64/27 ip4:74.63.47.96/27 ip4:173.231.138.192/27 ip4:173.231.139.0/24 ip4:173.231.176.0/20 ip4:205.201.128.0/24 ?all

# spf.mandrillapp.com
v=spf1 ip4:205.201.136.0/24 ip4:205.201.137.0/24 ?all

This brings us up to a total of 12 lookups (which is two over the limit already).

3. sendgrid.net

SendGrid ends up being the fewest number of additional lookups for us.

v=spf1 ip4:208.115.214.0/24 ip4:74.63.202.0/24 ip4:75.126.200.128/27 ip4:75.126.253.0/24 ip4:67.228.50.32/27 ip4:174.36.80.208/28 ip4:174.36.92.96/27 ip4:69.162.98.0/24 ip4:74.63.194.0/24 ip4:74.63.234.0/24 ip4:74.63.235.0/24 include:sendgrid.biz ~all

So the only additional lookup here is sendgrid.biz, which evaluates to:

v=spf1 ip4:208.115.235.0/24 ip4:74.63.231.0/24 ip4:74.63.247.0/24 ip4:74.63.236.0/24 ip4:208.115.239.0/24 ip4:173.193.132.0/24 ip4:173.193.133.0/24 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ~all

This brings our grand total up to 14 lookups.

So our grand total is 14 lookups. We need to get that down to 10. I've outlined a couple of options below; you may need to use more than one of them to get it down.

  1. Directly include some of the redirected SPF records. Now that we know which servers the SPF records redirect to, you could cut out the middleman and include them directly. Note: If any of the services end up changing their SPF records, you'll have to go through the process of updating yours manually.

  2. Remove some of the services that you're using. Not sure what your use case is for having all of these services, but there's definitely some overlap that you might be able to use. For instance, SendGrid supports (1) transactional outgoing mail, (2) newsletter / marketing emails, and (3) incoming mail. So there may be some reducible redundancy.

  3. Remove the MX record if it is redundant. Depending on your setup, the MX lookup can be redundant.

Hope this helps!

Swift's answer is excellent.

A technique which is not mentioned above is to look at whether separate subdomains with their own SPF records can be used for systems that send mail via these different routes.

E.g. if the domain is example.com, have Google Apps send from addresses like user@gapps.example.com. Then there can be an SPF record for gapps.example.com which includes _spf.google.com, and _spf.google.com can be removed from the main example.com SPF record, which reduces lookups by 3.

Have a look at SPF-tools*, which help with reassembling the SPF record from the original one that uses includes into a static one containing merely ip4 and ip6 fields. It can be easily coupled together with a locally-run DNS server or a hosted DNS service using their API to keep everything in sync with the upstream includes.

*I am the author (now along with other contributors) and it is open source under the Apache 2.0 license.

We explored flattening the SPF records into IPs as well as creating subdomains. All of them seemed like a lot of work. We found a service from spfproxy.org which literally takes a couple of minutes to set up. They basically mask the DNS lookups behind them using SPF macros. Not sure why more companies don't offer this.

A few years ago I wrote hydrate-spf, a tool that looks up includes and merges the result into one giant record. As mentioned in the README, this approach isn't ideal - it removes the ability for your included domains to update their records. However, when you're bumping up against the allowed limit, it will solve the immediate problem, and can be kept somewhat maintainable through regular updates.

The 10 lookup limit is a limit for DNS lookups. Flattening the SPF record to include fewer DNS lookups and substituting them for IPs (flattening) is a way to get around the limit.

You could do this manually, but then you have to update your SPF records every time one of the providers changes their IPs (which happens frequently).

The ideal solution is to use an SPF flattening service. This one is free for low volumes, or cheap for more than 500 emails/month. It regularly polls the SPF records you want to include for updated IPs.

Fraudmarc.com

Disclosure: I am not associated with this company and this is not a referral link.
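As an added example (not code from the thread, nor from hydrate-spf, SPF-tools or any service named above), the Python below counts lookup-incurring terms the way RFC 7208 section 4.6.4 does (include and redirect targets plus a, mx, ptr and exists; ip4, ip6 and all are free and the initial TXT query is not charged) over an in-memory zone built from the records Swift quoted, then performs the flattening the later answers describe. The ZONE dict is an assumption standing in for live DNS, with the netblock lists shortened to two entries each; the counts therefore differ from Swift's tally, which charged the initial queries.

```python
LOOKUP_MECHS = {"a", "mx", "ptr", "exists"}  # terms that cost a lookup (RFC 7208 s4.6.4)

# Constructed in-memory zone: the records quoted in the thread, netblock lists shortened.
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks6.google.com ?all",
    "_netblocks.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ?all",
    "_netblocks6.google.com": "v=spf1 ip6:2607:f8b0:4000::/36 ip6:2a00:1450:4000::/36 ?all",
    "servers.mcsv.net": "v=spf1 include:spf1.mcsv.net include:spf2.mcsv.net include:spf.mandrillapp.com ?all",
    "spf1.mcsv.net": "v=spf1 ip4:207.97.237.194/31 ip4:207.97.238.88/29 ?all",
    "spf2.mcsv.net": "v=spf1 ip4:204.232.163.0/24 ip4:72.26.195.64/27 ?all",
    "spf.mandrillapp.com": "v=spf1 ip4:205.201.136.0/24 ip4:205.201.137.0/24 ?all",
    "sendgrid.net": "v=spf1 ip4:208.115.214.0/24 ip4:74.63.202.0/24 include:sendgrid.biz ~all",
    "sendgrid.biz": "v=spf1 ip4:208.115.235.0/24 ip4:74.63.231.0/24 ~all",
}

def count_lookups(domain, zone=ZONE, seen=None):
    """DNS lookups charged to domain; more than 10 is the PermError from the question."""
    seen = set() if seen is None else seen      # domains on the current include path
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    seen.add(domain)
    total = 0
    for term in zone[domain].split()[1:]:       # drop the leading "v=spf1"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.startswith("redirect="):
            total += 1 + count_lookups(name.split("=", 1)[1], zone, seen)
        elif name == "include":
            total += 1 + count_lookups(arg, zone, seen)
        elif name.split("/")[0] in LOOKUP_MECHS:  # a, a/24, mx, ptr, exists
            total += 1
    seen.discard(domain)                        # same domain via two includes is not a loop
    return total

def flatten(domain, zone=ZONE, top=True):
    """Return domain's record with every include replaced by the ip4/ip6 terms it would pass on."""
    out = []
    for term in zone[domain].split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "include":
            out += flatten(arg, zone, False)
        elif top:                               # a, mx, ip4, ip6 and the final all stay as written
            out.append(term)
        elif name in ("ip4", "ip6") and term[0] not in "-~?":
            out.append(term.lstrip("+"))        # an include matches on pass alone, so only "+" netblocks carry over
        elif name.split("/")[0] in LOOKUP_MECHS or name.startswith("redirect="):
            raise ValueError(f"{domain}: {term} needs live DNS to flatten")
    return "v=spf1 " + " ".join(dict.fromkeys(out)) if top else out
```

The a and mx terms of the top-level record are kept verbatim, so the flattened result still costs two lookups; flattening an included record that itself uses a, mx or redirect= raises rather than silently dropping senders.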

This 10-DNS-lookup limit is imposed by SPF implementations to prevent DDoS attacks against the DNS infrastructure.

With DMARCLY's Safe SPF feature, you can lift the limit without rewriting your SPF record.
