SPF verification via udp or tcp
Question asked by Robbie Wright - 6/30/2015 at 12:58 PM
Ran into an interesting issue this week with one of our clients attempting to receive mail that we bounced for an SPF permerror. The sending domain in question has a very large SPF record, broken into two include statements. It passes SPF validation with every tool available, as it is under 10 DNS lookups and appears to have valid syntax. However, the response is too large to query via UDP, and TCP must be used.
So can SM query SPF records via TCP? The mail in question came from a valid SPF source, but it appears the SPF logging on temp and perm errors is pretty limited.

2 Replies

Joe Wolf Replied
I believe this has more to do with your DNS resolver than SmarterMail. SmarterMail doesn't determine UDP or TCP... that's the job of the DNS resolver. It's a complicated issue because the original UDP limit was 512 bytes, and there are still plenty of DNS servers out there that adhere to this limit before going to TCP. EDNS0 took the UDP limit up to 4096 bytes before having to go to TCP. UDP is generally faster than TCP but is much harder to control. Many DDoS prevention techniques require all DNS queries via TCP. The bottom line is that I don't think SmarterMail knows whether the query was via UDP or TCP, but your DNS resolver, or one along the line of communication, may not like DNS TCP traffic. DNS is very misunderstood, and there are still a LOT of very old DNS resolvers out there.
Thanks, -Joe
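The sizing rule Joe describes (512-byte classic UDP payload, 4096 bytes when EDNS0 is in play, and the resolver's fallback to TCP when the server sets the TC bit) can be checked offline. The following is an added example and not code from SmarterMail or from either poster: it hand-builds DNS wire-format TXT responses for a constructed domain (example.test) and a constructed oversized SPF record, reports whether the answer fits the UDP limit with and without EDNS0, and simulates the resolver's UDP-then-TCP retry on a truncated reply. The query callables are stubs fed with those constructed messages; no sockets are used.

```python
"""DNS TXT/SPF response sizing and TC-bit fallback (added, offline example).

Everything here is constructed: the domain, the SPF text and the replies are
built in-process, so the script runs without network access.
"""
import struct

DNS_CLASSIC_UDP_MAX = 512   # RFC 1035 UDP payload limit without EDNS0
DNS_EDNS0_UDP_MAX = 4096    # buffer size commonly advertised with EDNS0
TC_FLAG = 0x0200            # "truncated" bit in the header flags word


def encode_name(name: str) -> bytes:
    """Encode a domain name in uncompressed wire format (labels + root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_txt_rdata(text: str) -> bytes:
    """Split TXT data into <=255-byte character-strings (RFC 1035 3.3.14)."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_txt_response(qname, txt_values, txn_id=0x1234, edns=False, truncated=False):
    """Build a minimal DNS response carrying TXT answers for qname.

    truncated=True produces what a server sends when the answer does not fit
    the client's UDP limit: header with TC set, question section, no answers.
    """
    flags = 0x8180 | (TC_FLAG if truncated else 0)        # QR=1, RD=1, RA=1
    ancount = 0 if truncated else len(txt_values)
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txn_id, flags, 1, ancount, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    if not truncated:
        for value in txt_values:
            rdata = encode_txt_rdata(value)
            msg += encode_name(qname) + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    if edns:
        # OPT pseudo-RR: root name, TYPE=41, CLASS carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, DNS_EDNS0_UDP_MAX, 0, 0)
    return msg


def is_truncated(message: bytes) -> bool:
    """True if the TC bit is set in the DNS header of `message`."""
    if len(message) < 12:
        raise ValueError("message shorter than a DNS header")
    flags = struct.unpack("!H", message[2:4])[0]
    return bool(flags & TC_FLAG)


def fits_in_udp(qname, txt_values, edns=False) -> bool:
    """Would a full TXT answer fit the UDP limit in force (512 or EDNS0 4096)?"""
    size = len(build_txt_response(qname, txt_values, edns=edns))
    return size <= (DNS_EDNS0_UDP_MAX if edns else DNS_CLASSIC_UDP_MAX)


def resolve_txt(udp_query, tcp_query):
    """Resolver behaviour: ask over UDP, retry over TCP if the reply has TC set.

    udp_query and tcp_query are callables returning raw DNS messages; a real
    resolver would back them with sockets, here they are stubs.
    """
    reply = udp_query()
    transport = "udp"
    if is_truncated(reply):
        reply = tcp_query()
        transport = "tcp"
    return transport, reply


# Constructed SPF record, deliberately too large for a 512-byte UDP reply.
SPF_DOMAIN = "example.test"
BIG_SPF = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}/32" for i in range(1, 40)) + " -all"


def demo():
    """Simulate the thread's scenario: UDP reply truncated, TCP reply complete."""
    udp_reply = build_txt_response(SPF_DOMAIN, [BIG_SPF], truncated=True)
    tcp_reply = build_txt_response(SPF_DOMAIN, [BIG_SPF])
    return resolve_txt(lambda: udp_reply, lambda: tcp_reply)


if __name__ == "__main__":
    print("fits classic UDP:", fits_in_udp(SPF_DOMAIN, [BIG_SPF]))
    print("fits EDNS0 UDP:  ", fits_in_udp(SPF_DOMAIN, [BIG_SPF], edns=True))
    transport, reply = demo()
    print("answered over", transport, "with", len(reply), "bytes")
```

The practical point for the original question: if `fits_in_udp` is false for a domain's SPF answer without EDNS0, any hop that neither speaks EDNS0 nor allows the TCP retry will hand the mail server an empty or failed lookup, which SPF implementations surface as a temperror or permerror rather than a transport problem.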
Robbie Wright Replied
Have to dig into that more Joe, thanks for the info.
