SPF verification via udp or tcp

Ran into an interesting issue this week with one of our clients attempting to receive mail, that we bounced for SPF permerror. The sending domain in question has a very large SPF record, broken into two include statements. It passes SPF validation with every tool available as it is under 10 DNS lookups and appears to have a valid syntax. However, the response is too large to query via UDP and TCP must be used.

So can SM query SPF records via TCP? The mail in question came from a valid SPF source, but it appears the SPF logging on temp and perm errors are pretty limited.

Joe Wolf Replied

7/1/2015 at 7:24 PM

I believe this has more to do with your DNS resolver than SmarterMail. SmarterMail doesn't determine UDP or TCP... that's the job of the DNS resolver. It's a complicated issue because the original UDP limit was 512 bytes and there are still plenty of DNS servers out there that still adhere to this limit before going to TCP. EDNS0 took the UDP limit up to 4096 bytes before having to go to TCP. UDP is generally faster than TCP but is much harder to control. Many DDoS prevention techniques require all DNS queries via TCP. The bottom line is that I don't think SmarterMail knows if the query was via UDP or TCP, but your DNS resolver or one along the line of communication may not like DNS TCP traffic. DNS is very misunderstood and there are still a LOT of very old DNS resolvers out there.

Thanks, -Joe

Robbie Wright Replied

7/6/2015 at 9:57 AM

Have to dig into that more Joe, thanks for the info.

2 Replies

Reply to Thread

Related Knowledge Base Articles

2 Replies

Reply to Thread

Tags

Related Knowledge Base Articles