Ahh, the joys of computing. My plan for a 30 minute task dissolves once more into 3 hours of head scratching. As always, the solution was ridiculously easy.
The aim: To add Spam Protection Filter/Sender Policy Framework to our DNS.
The problem: Having more than one TXT entry wasn’t possible with my DNS provider (and if it was, it would have created an error)
The solution: Put all the TXT strings in the same TXT entry field, ensuring a space character is present WITHIN the strings if multiple strings are to be concatenated.
The TL;DR detail:
We use google apps, so google conveniently suggest the SPF code to use. At the time of writing, that’s:
To create an SPF record for a domain:
Log in to the administrative console for your domain.
Locate the page from which you can update the DNS records.
You may need to enable advanced settings.
Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all
Publishing an SPF record that uses -all instead of ~all may result in delivery problems. See Google IP address ranges for details about the addresses for the Google Apps mail servers.
If your registrar also requires a host setting (such as @), see the TXT records for specific domain providers list for precise instructions.
Save your changes.
Keep in mind that changes to DNS records may take up to 48 hours to propagate throughout the Internet.
If you have difficulty creating an SPF record, contact your domain provider for assistance.
Which sounded so easy, except adding that to my DNS hosted with gandi failed with an error about a duplicate line.
The duplicate was a google site verification entry also using the txt field. From reading about BIND, it appears TXT fields can be on multiple lines but will be consolidated later. I guess the Gandi interface want’s you to do the consolidation yourself.
So for me, the correct SPF and Google Site Verifcation code look like this:
@ 300 IN TXT "v=spf1 a include:_spf.google.com ~all " "google-site-verification=1-3-y-blah"
Notice: The two strings enclosed by speach marks. I could have done this as one long string but I think I’ll find adding any other TXT entries easier if I can see where each one starts and finishes. Actually, I’ve simplified my TXT entry for the blog, I also list a couple of server IP’s and eventually will need to add some IP6 addresses. The a in SPF records appears to only picks up the domains @ host, not every single host in a domain.
Notice: The extra space character within the SPF string – because …~all” “goog… gets concatenated to …~allgoog… with the missing space causing a PERMERROR for SPF validation and probably breaking the site verification too.
Notice: using 300 seconds for the life is fine for testing but probably wants increasing to a larger number once you know it’s working. I’m going for 43200 seconds which is 12 hours.