
Sender Policy Framework validation may fail when validating SPF records with multiple Strings


Article ID: 161480




Messaging Gateway


After enabling Sender Policy Framework (under Sender Authentication on Symantec Messaging Gateway), SPF validation may fail when the domain's SPF record contains multiple strings separated by double quotes ("). The issue occurs when the string interruption in the domain's SPF record falls in the middle of a word (e.g. "v=spf1 string of t" "ext").

Example of a domain's SPF record with multiple strings:    text = "v=spf1 ip4: i" " ip4: ip4: ip4: ~all"

Example of the SPF validation result as it appears in the received email's header:
Authentication-Results: symauth.service.identifier; spf=unknown
Example of the events shown by Maillog at debug level:
2014 Nov 13 08:21:59 EST (info) ecelerity: [22353] [info]: SenderAuth module: Unable to retrieve a PRA.
2014 Nov 13 08:21:59 EST (info) ecelerity: [22353] [info]: SenderAuth module: Sender Authentication could not be performed.
2014 Nov 13 08:21:59 EST (debug) ecelerity: [22353] sieve: Original Authentication-Results header value: symauth.service.identifier; spf=unknown

Additional information:


From: Sender Policy Framework (SPF) RFC 7208

3.3. Multiple Strings in a Single DNS Record

As defined in [RFC1035], Sections 3.3 and 3.3.14, a single text DNS record can be composed of more than one string. If a published record contains multiple character-strings, then the record MUST be treated as if those strings are concatenated together without adding spaces. For example:

IN TXT "v=spf1 .... first" "second string..."

is equivalent to:

IN TXT "v=spf1 .... firstsecond string..."

TXT records containing multiple strings are useful in constructing records that would exceed the 255-octet maximum length of a character-string within a single TXT record.  


When Messaging Gateway (SMG) attempts to validate a domain whose SPF record contains multiple strings and the line break is in the middle of a word, the SenderAuth module fails and cannot validate the sender.


Symantec is aware of this issue and will solve it as soon as possible. Please subscribe to this document to be automatically notified of any changes.

If you are trying to validate your own domain, please remove the line break if possible.
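For domain owners checking their own record, the following added example (not Symantec's code) concatenates TXT character-strings as RFC 7208 section 3.3 requires, flags string breaks that fall in the middle of a term, and re-splits a record so breaks fall only after a space. The function names and the sample record, which uses documentation address ranges, are constructed for illustration.

```python
import re

# One quoted character-string in TXT presentation format. Only the \" and \\
# escapes are handled (assumption: SPF records do not need \DDD escapes).
_CHAR_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_txt_strings(rdata: str) -> list[str]:
    """Split TXT rdata such as '"abc" "def"' into its character-strings."""
    return [re.sub(r"\\(.)", r"\1", s) for s in _CHAR_STRING.findall(rdata)]

def spf_record(strings: list[str]) -> str:
    """RFC 7208 section 3.3: concatenate the strings without adding spaces."""
    return "".join(strings)

def mid_word_breaks(strings: list[str]) -> list[tuple[str, str]]:
    """Return the (left, right) term fragments for every break that splits a term."""
    hits = []
    for left, right in zip(strings, strings[1:]):
        if left and right and not left.endswith(" ") and not right.startswith(" "):
            hits.append((left.split(" ")[-1], right.split(" ")[0]))
    return hits

def split_at_term_boundaries(record: str, limit: int = 255) -> list[str]:
    """Re-split a record into strings of at most `limit` octets, breaking only after a space."""
    terms = record.split(" ")
    tokens = [t + " " for t in terms[:-1]] + terms[-1:]
    chunks, current = [], ""
    for tok in tokens:
        if len(tok) > limit:
            raise ValueError("a single term exceeds the character-string limit")
        if len(current) + len(tok) > limit:
            chunks.append(current)
            current = ""
        current += tok
    chunks.append(current)
    return chunks

# Constructed sample: the break splits the second "ip4" mechanism mid-word.
SAMPLE = '"v=spf1 ip4:192.0.2.10 i" "p4:198.51.100.0/24 ip4:203.0.113.5 ~all"'

if __name__ == "__main__":
    parts = parse_txt_strings(SAMPLE)
    print("record    :", spf_record(parts))
    print("mid-word  :", mid_word_breaks(parts))
    print("wrong join:", " ".join(parts))  # adding a space corrupts the term
    print("re-split  :", split_at_term_boundaries(spf_record(parts), limit=40))
```

The `limit=40` in the demonstration is only there to force a split on a short sample; published records use the 255-octet limit quoted above.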

Applies To

Symantec Messaging Gateway 10.5.2 with SPF validation enabled.