DMARC Analyzer - SPF Delegation

Updated

This article contains information on SPF Delegation, a service that allows domain owners to delegate SPF record management to Mimecast, enabling more than 10 lookups, eliminating duplicates, and simplifying SPF record updates through DNS management.

SPF Delegation is a service that allows the domain owner to delegate SPF record management to Mimecast.
Mimecast manages and hosts the SPF record, which prevents lookup limitations and duplicate entries.

Enabling SPF Delegation is only a one-time setup. The current SPF record configuration needs to be updated to set up SPF Delegation, which must be published by the DNS Manager or hosting company

Advantages of SPF Delegation

      • Allows having more than 10 lookups.
      • Authorized sources are added to the DNS Delegation service and are periodically checked for changes.
      • DNS Delegation will check all sources permitted to send an email on your behalf, including nested lookups, and will process their contents into chunks no bigger than a UDP package allows.
      • Eliminate duplicate SPF entries: the DNS Delegation service will filter out duplicate sources.

The image below illustrates a standard SPF lookup:

image.png

The image below illustrates a Delegated SPF lookup:

image.png

Domain setup for SPF delegation

  1. Click on the DNS Manager menu item.
  2. Select the domain to be updated.
  3. Edit the SPF record in the SPF Delegation overview: 
      • A record: Add the A record, and in the IPv4 CIDR column, fill in 32. In the IPv6 CIDR column, fill in 128.
      • MX record: Add the MX record, and in the IPv4 CIDR column, fill in 32. In the IPv6 CIDR column, fill in 128.
      • Include: Add all required includes. Only the included value itself needs to be added. E.g., If the include of Mimecast needs to be added (include:_netblocks.com), only add the value _netblocks.com in the tool.
      • IPv4: Add all IPv4 addresses. If the IPv4 entry has a range, i.e.,/22, then 22 is what you fill into the ‘CIDR’ column. If there is no range listed, fill in 32 into the ‘CIDR’ column
      • IPv6: Add all IPv6 addresses. If the IPv6 entry has a range, i.e.,/36, then 36 is what you fill into the ‘CIDR’ column. If there is no range listed, fill in 128 into the ‘CIDR’ column
      • Policy: Select to use either a soft-fail or a hard-fail policy. For active sending domains, a soft-fail policy is the best practice.
  1. Click on the Publish DNS Record button.

It is not recommended to add all sources, IPs, Includes, etc., in one go, as it is recommended to validate all SPF record adjustments thoroughly.

  1. At the bottom of the page, a DNS entry has been generated that needs to be published into the DNS record.
  2. Once the DNS entry has been published into the DNS, the SPF record will be hosted and can be managed by using the DNS manager without the need of an external DNS Manager.  

 

 

See Also...

FAQ – SPF Delegation

Related to

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.