Messaging Gateway SPF check fails when testing against SPF records with large, multivalued A records.


Article ID: 158010


Messaging Gateway


The Symantec Messaging Gateway (SMG) sender authentication Sender Policy Framework (SPF) check, which compares the sender IP and domain to an encoded list of IP addresses that are authorized to deliver messages for that domain, can return a false SPF Failure verdict when processing some validly constructed SPF records.


When processing SPF records that contain an address record (A or AAAA) that resolves to a large number of IP addresses (greater than 128), the SPF module may return an incorrect authentication failure. The chance of this occurring increases as the number of IP addresses in the multivalued DNS A record increases.

Example SPF Record

IN TXT "v=spf1 -all"

Example multivalued A Record

allservers IN A
allservers IN A
allservers IN A
allservers IN A
allservers IN A
allservers IN A


This is a known issue and will be addressed in a future release.

At the moment the only workaround is to restrict SPF authentication, via the Spam->Sender Authentication page, to a set of domains that you know are not affected by the issue.
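
To help decide which domains belong in that set, the following added example (not Symantec code) lists the hosts named by a record's `a` mechanisms whose address count exceeds the 128-address threshold described above. The domain names, addresses, and the `resolve` callback are constructed for illustration; the check covers only `a` mechanisms in the top-level record and does not follow `include`/`redirect` or expand macros.

```python
import ipaddress
import re

SMG_A_LIMIT = 128  # threshold stated in the article
# "a" mechanism: optional qualifier, optional :host, optional /v4 and //v6 prefix lengths
A_MECH = re.compile(r"[+\-~?]?a(?::([^/]+))?(?:/\d+)?(?://\d+)?", re.I)

def a_mechanism_targets(spf_record, domain):
    """Host names that the record's a / a:<host> mechanisms will look up."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    targets = []
    for term in terms[1:]:
        m = A_MECH.fullmatch(term)
        if m:  # a bare "a" means the SPF domain itself
            targets.append((m.group(1) or domain).rstrip(".").lower())
    return targets

def affected_hosts(spf_record, domain, resolve):
    """Map host -> address count for every a-mechanism target above the limit.

    resolve(host) must return that host's A/AAAA addresses as a list; replace
    the constructed resolver below with a real DNS lookup in practice.
    """
    over = {}
    for host in a_mechanism_targets(spf_record, domain):
        count = len(set(resolve(host)))
        if count > SMG_A_LIMIT:
            over[host] = count
    return over

# Constructed sample data (documentation address range, reserved .test names).
ZONE = {
    "allservers.example.test": [str(ipaddress.ip_address("192.0.2.0") + i)
                                for i in range(200)],
    "example.test": ["192.0.2.10"],
}
SAMPLE_SPF = "v=spf1 a a:allservers.example.test/24 -all"

def constructed_resolve(host):
    return ZONE.get(host, [])

if __name__ == "__main__":
    for host, n in affected_hosts(SAMPLE_SPF, "example.test", constructed_resolve).items():
        print(f"{host}: {n} addresses, above the {SMG_A_LIMIT}-address threshold")
```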