Messaging Gateway SPF check fails when testing against SPF records with large, multivalued A records.

Article ID: 158010

Updated On:

Products

Messaging Gateway

Issue/Introduction

The Symantec Messaging Gateway (SMG) sender authentication Sender Policy Framework (SPF) check, which compares the sender IP and domain to an encoded list of IP addresses that are authorized to deliver messages for that domain, can return a false SPF Failure verdict when processing some validly constructed SPF records.

Cause

When processing SPF records that contain an address record (A or AAAA) resolving to a large number of IP addresses (greater than 128), the SPF module may return an incorrect authentication failure. The chance of this occurring increases as the number of IP addresses in the multivalued DNS A record increases.

Example SPF Record

domain.com. IN TXT "v=spf1 a:mx.domain.com a:allservers.domain.com -all"

Example multivalued A Record

allservers IN A 9.16.24.1
allservers IN A 9.16.24.2
allservers IN A 9.16.24.3
...
allservers IN A 9.16.24.128
allservers IN A 9.16.24.129
allservers IN A 9.16.24.130
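The following Python fragment is an added illustration, not part of this article or of SMG's own SPF implementation. It evaluates the example record above against a constructed DNS table in which allservers.domain.com has 130 A records (an assumption standing in for live DNS), shows the verdict a correct check should return for a sender at the tail of that list, and flags any a: target whose address count exceeds the 128 threshold described under Cause, which helps decide which sender domains to keep out of SMG's SPF check.

```python
# Constructed DNS data (an assumption: it stands in for live lookups so the
# example runs offline). allservers.domain.com carries 130 A records, like the
# article's example.
DNS = {
    ("domain.com", "TXT"): ["v=spf1 a:mx.domain.com a:allservers.domain.com -all"],
    ("mx.domain.com", "A"): ["9.16.23.10"],
    ("allservers.domain.com", "A"): [f"9.16.24.{n}" for n in range(1, 131)],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=DNS):
    return dns.get((name.rstrip("."), rtype), [])


def spf_mechanisms(domain, dns=DNS):
    """Mechanism terms of the domain's v=spf1 TXT record, or [] if it has none."""
    for txt in lookup(domain, "TXT", dns):
        parts = txt.split()
        if parts and parts[0].lower() == "v=spf1":
            return parts[1:]
    return []


def a_targets(domain, dns=DNS):
    """Yield (host, A records) for each 'a' / 'a:host' mechanism (no CIDR suffix support)."""
    for term in spf_mechanisms(domain, dns):
        mech = term.lstrip("+-~?")
        if mech == "a" or mech.startswith("a:"):
            host = mech[2:] if mech.startswith("a:") else domain
            yield host, lookup(host, "A", dns)


def oversized_a_targets(domain, dns=DNS, threshold=128):
    """Hosts whose A-record count exceeds the size at which the article says SMG may misjudge."""
    return sorted(h for h, addrs in a_targets(domain, dns) if len(addrs) > threshold)


def reference_spf_check(sender_ip, domain, dns=DNS):
    """Minimal a/all evaluator: the verdict a correct SPF check should return."""
    for term in spf_mechanisms(domain, dns):
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "a" or mech.startswith("a:"):
            host = mech[2:] if mech.startswith("a:") else domain
            if sender_ip in lookup(host, "A", dns):
                return QUALIFIERS[qual]
    return "none"
```

Comparing reference_spf_check against the verdict SMG logs for the same sender IP and domain is a quick way to confirm whether a failure is this issue rather than a genuine SPF mismatch.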

Resolution

This is a known issue and will be addressed in a future release.

At the moment there is no workaround other than to restrict SPF authentication to a set of domains that you know are not affected by the issue, via the Spam->Sender Authentication page.