Unable to Validate Records for DNS when adding custom email address to Status Page Notifications

chris.rutte January 28, 2021

Hi,

We are trying to set up our domain for the Status Page emails to our customers (so we want to avoid them being sent from noreply@statuspage.io).

  • I added our email address in the portal (status@peachpayments.com)
  • We added all DNS values in our Google Domains Backend
  • When we Validate the values it tells us for all records: "It doesn't look like the correct record has been set yet."

We tried:

  • Created the SPF and Domain ownership records with different hostnames (because of clashing keys)
  • Removed the sts-zendesk include and when that didn't work, also removed the sts-pg.customer.com include to resolve the issue with too many DNS lookups.

Also there is a message at the bottom that says:

When resolving your SPF record, more than 10 DNS requests were required. Unfortunately this means the SPF record is invalid. You'll need to explore ways to reduce the number of DNS lookups in your SPF record. Maybe you can remove some includes?

Though the expected value above includes what we need, it will unfortunately not work as is. SPF has a hard limit of 10 DNS lookups, and adding the "include:stspg-customer.com" bit will tip your record over that limit. Please find a way to reduce DNS lookups in the rest of your SPF rules, or contact our support team for more help.

Do you have any ideas what we can look into to get this sorted?

Any help is appreciated!

1 answer

0 votes
Egor
Atlassian Team
January 28, 2021

Hi Chris
Egor here with the StatusPage team, thanks for reaching out!

The 10 DNS Lookup limit for SPF records is a hard limitation of the spec itself, and one that we would not have any way to directly bypass or ignore. In order to address this error and ensure a valid SPF record, there are two primary options we suggest:

1. Optimize your current record. If there are any unused IPs or includes for services still referenced in the record, or unnecessary a or mx lookups taking place, removing those will reduce your DNS lookups. This may take some research and testing by you and your team.

2. Utilize a unique subdomain for StatusPage emails. By changing your 'From' email from <noreply@company.com> to something like <noreply@notifications.company.com>, that will give you a clean SPF record on <notifications.company.com> to utilize, avoiding the lookup limit.

The 10 DNS lookup limit is not a limit on how many 'includes' can be referenced inside of an SPF record, but a limit on how many DNS lookups in total can be used to resolve the entire SPF record. RFC 4408 section 10.1 (https://tools.ietf.org/html/rfc4408#section-10.1) goes into some specific details, but in short each 'include' can count as 1 or more DNS lookups, depending on what records are set inside the included domain.

A great tool to visualize DNS lookups is this DMARCIAN SPF Survey, where you can just put in a domain and it enumerates all the DNS lookups that are done: https://dmarcian.com/spf-survey/

In the case of peachpayments.com there are currently 16 DNS lookups required to resolve the SPF record.

Should you need any other information or help, please do let me know.

Best wishes,
Egor
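
The counting rule described in the answer above, as an added example that is not part of the original thread or Statuspage's own code: it walks SPF records and counts the terms that RFC 4408 section 10.1 charges against the limit (include, a, mx, ptr, exists, redirect). All `.test` records are constructed sample data, and `count_lookups` / `spf_valid` are hypothetical helper names.

```python
import re

LOOKUP_LIMIT = 10  # RFC 4408 section 10.1
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that cost a DNS lookup

# Constructed records for illustration only; not any real domain's SPF data.
SAMPLE_TXT = {
    "company.test": "v=spf1 a mx include:_spf.mailhost.test include:helpdesk.test "
                    "include:crm.test include:stspg-customer.test ~all",
    "_spf.mailhost.test": "v=spf1 include:_nb1.mailhost.test "
                          "include:_nb2.mailhost.test include:_nb3.mailhost.test ~all",
    "_nb1.mailhost.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.mailhost.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "helpdesk.test": "v=spf1 include:_a.helpdesk.test include:_b.helpdesk.test ~all",
    "_a.helpdesk.test": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_b.helpdesk.test": "v=spf1 a:mail.helpdesk.test ~all",
    "crm.test": "v=spf1 mx exists:%{i}.rbl.crm.test -all",
    "stspg-customer.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "notifications.company.test": "v=spf1 include:stspg-customer.test ~all",
}

def count_lookups(domain, txt=SAMPLE_TXT, path=frozenset()):
    """Count the DNS-querying terms needed to evaluate the SPF record of `domain`."""
    if domain in path:  # include/redirect loop: stop descending
        return 0
    total = 0
    for term in txt.get(domain, "").split()[1:]:  # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")  # drop the qualifier, it does not affect counting
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term[9:], txt, path | {domain})
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in QUERYING:
            total += 1  # ip4, ip6 and all cost nothing
        if name == "include":  # an include also costs whatever its target costs
            total += count_lookups(term.split(":", 1)[1], txt, path | {domain})
    return total

def spf_valid(domain, txt=SAMPLE_TXT):
    """True when the record can be evaluated within the 10-lookup limit."""
    return count_lookups(domain, txt) <= LOOKUP_LIMIT

if __name__ == "__main__":
    for d in ("company.test", "notifications.company.test"):
        print(d, count_lookups(d), "ok" if spf_valid(d) else "over limit")
```

On the constructed data the apex record needs 14 lookups and fails, while the dedicated subdomain from option 2 needs only 1.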
