SPF DNS Lookup check for Nagios

Did you know that there is a max number of DNS lookups that can be done for an SPF lookup. The number is 10 and that includes any a or mx records along with includes to different hosts. I noticed this when I ran a SPF check on a domain and noticed it was 12. One of the errors is how Zendesk sets up their SPF record. For example their doc says use the following

v=spf1 include:_spf.zdsys.com ~all

Now that’s fine but if we do a

dig txt _spf.zdsys.com

That is one lookup and we get the following back

_spf.zdsys.com. 3600 IN TXT "v=spf1 include:_netblocks.zdsys.com ~all"

So they have another dns lookup. So in order to get to Zendesk’s valid servers you need to do an extra dns lookup. It adds up when you use google apps for email since they use around 5 lookups to get to all their hosts.

So I created a simple Nagios check in Python to keep tabs of our SPF record to make sure we stay under the 10 limit.

About mike
Currently works for Recurly as a Senior Linux Admin. He has a wonderful wife Thanuja and 2 great children (Anusha and Brandon). His major side project is Photoblog.

  • John Sellens

    Thanks for this Mike – just for those curious, the 10 limit is in RFC 4408 in sections 5.5 and 10.1 – look for the phrase “at most 10″

  • Skyler

    Hey Mike,

    Thanks for posting this, it’s exactly what I’ve been looking for to keep track of our records. One thing I cannot figure out (I’m insanely new to coding) is why I can’t seem to get it to ask me for the domain name first, then put the domain in to query. I’m getting some sort of weird IndexError: Index out of range for line 20. Do you happen to know why, and could you explain it?

    • http://www.zcentric.com mike

      paste the stacktrace on a site like pastebin.com and let me know the url to take a look