Messaging Gateway SPF check fails when testing against SPF records with large, multivalued A records.
Last Updated May 14, 2013
The Symantec Messaging Gateway (SMG) sender authentication Sender Policy Framework (SPF) check, which compares the sender IP and domain to an encoded list of IP addresses that are authorized to deliver messages for that domain, can return a false SPF Failure verdict when processing some validly constructed SPF records.
When processing SPF records that contain an address record (A or AAAA) that resolves to a large number of IP addresses (greater than 128), the SPF module may return an incorrect authentication failure. The chance of this occurring increases as the number of IP addresses in the multivalued DNS A record increases.
Example SPF Record
domain.com. IN TXT "v=spf1 a:mx.domain.com a:allservers.domain.com -all"
Example multivalued A Record
allservers IN A 184.108.40.206
allservers IN A 220.127.116.11
allservers IN A 18.104.22.168
...
allservers IN A 22.214.171.124
allservers IN A 126.96.36.199
allservers IN A 188.8.131.52
This is a known issue and will be addressed in a future release.
At the moment there is no workaround other than to restrict SPF authentication, via the Spam->Sender Authentication page, to a set of domains that you know are not affected by the issue.
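To decide which sender domains are safe to keep in that list, the following added example (not Symantec code) finds the "a" mechanisms in an SPF record whose target resolves to more than 128 addresses. The function names, the injected resolver, and the sample address sets are assumptions made for illustration; SPF macros are not expanded.

```python
import socket

LIMIT = 128  # address count above which the article reports false SPF failures

def system_resolver(host):
    """Resolve host to its distinct A/AAAA addresses via the OS resolver."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def a_targets(spf_record, domain):
    """Return the host names named by the 'a' mechanisms of an SPF record."""
    targets = []
    for term in spf_record.split()[1:]:        # skip the "v=spf1" version tag
        term = term.lstrip("+-~?").lower()     # drop the qualifier
        name, _, _cidr = term.partition("/")   # drop any /prefix-length
        if name == "a":
            targets.append(domain)             # bare "a" means the domain itself
        elif name.startswith("a:"):
            targets.append(name[2:].rstrip("."))
    return targets

def oversized_a_mechanisms(spf_record, domain, resolver=system_resolver):
    """Map each 'a' target with more than LIMIT addresses to its address count."""
    counts = {t: len(resolver(t)) for t in a_targets(spf_record, domain)}
    return {t: n for t, n in counts.items() if n > LIMIT}

# Constructed sample data: the article's SPF record with made-up address sets.
SAMPLE_SPF = "v=spf1 a:mx.domain.com a:allservers.domain.com -all"
SAMPLE_DNS = {
    "mx.domain.com": {"192.0.2.10", "192.0.2.11"},
    "allservers.domain.com": {f"198.51.100.{i}" for i in range(1, 131)},  # 130
}

if __name__ == "__main__":
    lookup = lambda host: SAMPLE_DNS.get(host, set())
    hits = oversized_a_mechanisms(SAMPLE_SPF, "domain.com", lookup)
    for host, n in hits.items():
        print(f"{host}: {n} addresses (> {LIMIT}), leave this domain out of SPF checks")
```
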
Imported Document ID: TECH206206