SPF DNS Lookup check for Nagios
Did you know that there is a max number of DNS lookups that can be done for an SPF lookup. The number is 10 and that includes any a or mx records along with includes to different hosts. I noticed this when I ran a SPF check on a domain and noticed it was 12. One of the errors is how Zendesk sets up their SPF record. For example their doc says use the following
v=spf1 include:_spf.zdsys.com ~all
Now that’s fine but if we do a
dig txt _spf.zdsys.com
That is one lookup and we get the following back
_spf.zdsys.com. 3600 IN TXT "v=spf1 include:_netblocks.zdsys.com ~all"
So they have another dns lookup. So in order to get to Zendesk’s valid servers you need to do an extra dns lookup. It adds up when you use google apps for email since they use around 5 lookups to get to all their hosts.
So I created a simple Nagios check in Python to keep tabs of our SPF record to make sure we stay under the 10 limit.