Flatten/Minimize SPF record _spf.salesforce.com to improve DNS efficiency

Opportunities & Quotes

If you run a service which might be responsible for sending mails on behalf of a customer, and consequently have an SPF record they need to "include:" in their own, I think that you should probably review it and see if you have an excessive number of DNS lookups in your SPF record.

The problem is that if a customer uses more than one of these mail service providers, and they have multiple include elements in their SPF record, it’s all too easy to breach the 10 DNS lookup limit, which could lead to random email loss (recipient MTAs giving up on DNS lookups and bouncing/rejecting legitimate emails).

For instance (at the time of writing), include:_spf.salesforce.com resolves to the following:

"v=spf1 include:_mtablock1.salesforce.com ip4: ip4: ip4: ip4: ip4: ip4: ip4: ~all"

which leads to include:_mtablock1.salesforce.com:

"v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ~all"

Now, most of the SPF include records I’ve seen are perfectly able to live in a single, long DNS record, longer than 255 characters, simply by separating the sections with '" " ' (an end quote, a space, a start quote and a space). These breaks are not seen in the final record. See the Internet Systems Consortium Knowledge Base article, "Can I have a TXT or SPF record longer than 255 characters?" (https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html)

You can easily check the number of DNS lookups an SPF record requires using dmarcian - SPF Surveyor (https://dmarcian.com/spf-survey/_spf.salesforce.com).

In your case, you could flatten/minimise the records like so (the record is 2x <255 character sections):

_spf.salesforce.com IN TXT "v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4:" " ip4: ip4: ip4: ip4: ip4: ip4: ip4: ~all"

The change above will allow the customer to safely include: your SPF record in theirs, so that you can continue to maintain the list of your IPs. Any solution that suggests that the customer put your IPs directly into their SPF record is untenable.

I firmly believe that this small improvement in efficiency (1 fewer DNS lookup), as well as benefiting my company (as our SPF record is overcrowded), should have a positive effect on the number of DNS queries the Salesforce DNS service will have to perform (~half as many). A 50% reduction in DNS server resources! I have no idea how large your infrastructure is, but that sort of increase in efficiency could actually equate to a tangible cost saving.
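An added example, not part of the original post and not Salesforce's data: it counts the DNS-querying SPF terms a customer record incurs through a provider's nested include, flattens the provider record, and splits the result into TXT strings of at most 255 characters. The zone contents, domain names and addresses are constructed documentation values, the function names are hypothetical, and the sample zone is assumed to contain no include loops.

```python
# Constructed sample zone: documentation names and addresses, not real records.
ZONE = {
    "_spf.provider.example": "v=spf1 include:_block1.provider.example ip4:192.0.2.0/24 ~all",
    "_block1.provider.example": "v=spf1 " + " ".join(f"ip4:198.51.100.{i}" for i in range(1, 21)) + " ~all",
    "customer.example": "v=spf1 mx include:_spf.provider.example -all",
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208 section 4.6.4

def term_name(term):
    """Mechanism or modifier name of a term, without qualifier or argument."""
    return term.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0].lower()

def count_lookups(domain, zone=ZONE):
    """Count the terms that cost a DNS query while evaluating domain's SPF record."""
    total = 0
    for term in zone[domain].split()[1:]:
        name = term_name(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            # The referenced record's own lookups count against the same limit of 10.
            total += count_lookups(term.replace("=", ":").split(":", 1)[1], zone)
    return total

def flatten(domain, zone=ZONE):
    """Collect the ip4/ip6 terms reachable through include, in evaluation order."""
    ips = []
    for term in zone[domain].split()[1:]:
        name = term_name(term)
        if name in ("ip4", "ip6"):
            ips.append(term)
        elif name == "include":
            ips += flatten(term.split(":", 1)[1], zone)
    return ips

def to_txt_strings(record, limit=255):
    """Split a record into strings of at most `limit` characters, breaking at spaces."""
    chunks, current = [], ""
    for word in record.split(" "):
        candidate = word if not current else current + " " + word
        if len(candidate) > limit:
            chunks.append(current)
            current = " " + word  # keep the space so the joined strings equal the record
        else:
            current = candidate
    return chunks + [current]
```

Each returned string goes in its own pair of quotes within the one TXT record; a resolver concatenates them with nothing in between, which is why the second string carries the leading space.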
