Freshdesk very long SPF record is a problem

  • 10 January 2022
  • 11 replies
  • 2052 views

Badge

Hi, we are using Freshdesk support desk and until now Freshdesk has been sending email’s on our behalf. This means that we have to add email.freshdesk.com to our SPF record. This means that Freshdesk alone adds 8 DNS queries to our SPF record and the standard allows for only 10 in total.

For comparison Microsoft adds two for the whole of Office 365.

Now, what i have feared has happened and we have passed the limit and our SPF record is not valid anymore. I don’t know if we added the one or if Freshdesk added another sub record.

There is really two problems, one is the size of the record to begin with and the other is that Freshdesk can add subrecords at anytime without any of their customers knowing and pushing that client over the limit.

I think therefore it is very important for suppliers that have SPF that is used by alot of customers to be very small and maintained correct.

One solution is to create your SPF record and then only add ip addresses to this record that you then maintain when something is moved or reconfigured. This would reduce the number of DNS queries from 8 to 1.

We are depended on our SPF, Dkim and DMARC to be perfect to run our business and we are therefore reconfiguring the service to send the mail directly through our Office 365 tenant so we can remove the records.

This can be a solution for other customers that have the same problem.


11 replies

Badge

Nothing, there is nothing to do. You need these SPF records to use the system that way and we can’t remove our own as we need them to send email from other systems.

 

so as i said, i’m avoiding the whole problem by changing the way i use Freshdesk. That might not be for everyone.

 

Freshdesk is taking up 80% of peoples SPF record. That’s way to much when it could be 10 or 20%

We're also having issues using SPF because of Freshdesk is taking up 80% of the record.

Now we've moved to an Office365 integration to avoid needing Freshdesk's SPF. Unfortunately we're running into other issues with a Message ID header being too long and e-mail is being marked as spam instantly by Cloudmark's software…

Badge

I believe that the new DKIM setup that was implemented can possibly solve this now.  When you go into the DKIM Settings (under Email Settings → Advanced Settings), one of the CNAMEs it asks you to create is “fwdkim1.<yourdomain>”.  When sending an email from your domain through the Freshdesk mail server, it uses that as the server address, so when checking the SPF it does a lookup of the TXT record on this CNAME, rather than on your root domain.  As a result of all this, you no longer need to have the Freshdesk domains in your root domain’s SPF record at all anymore, since it will use this CNAME instead.

This is alluded to in the Solution article here that mentions it has “SPF check within the DKIM records”:

https://support.freshdesk.com/support/solutions/articles/223779-email-domain-verification-using-dkim-records

I’ve implemented it this way on our domains and they are all passing SPF when sent through Freshdesk, although I made no changes to the root domain’s SPF record.

Userlevel 5
Badge +12

Hello @brian_c, our apologies for the delay in helping you in this thread. I am glad you were able to set up DKIM which is helping in solving this issue. However, for SPF records, instead of adding email.freshdesk.com, you can include sendgrid.net and any one of the region specific records that suits your account settings. 

SPF records

US - fdspfus.freshemail.io

EU - fdspfeuc.freshemail.io

AUS - fdspfaus.freshemail.io

INDIA - fdspfind.freshemail.io

 

I hope this helps in tackling the number of lookups made. We’ll certainly pass the feedback to our engineering team to see how we can optimise it better. Thanks for elaborating how DKIM covers SPF look up as well in your reply. 

 

Have a good day! 

This cuts the number of lookups to 4, if I’m not mistaken, because within each of those addresses (sendgrid.net and fdspfus.freshemail.io in my case) is yet another include (ab.sendgrid.net and fdspfus2.freshemail.io respectively).  Still too many - now freshdesk takes up almost half of the SPF instead of almost all… so an improvement but still not really acceptable the way things work today.

This cuts the number of lookups to 4, if I’m not mistaken, because within each of those addresses (sendgrid.net and fdspfus.freshemail.io in my case) is yet another include (ab.sendgrid.net and fdspfus2.freshemail.io respectively).  Still too many - now freshdesk takes up almost half of the SPF instead of almost all… so an improvement but still not really acceptable the way things work today.

 

 

Couldn’t agree more. Freshworks really needs to address this. We’re likely looking to switch from Freshsales for this among other reasons. We really want to use a bunch of the Freshworks suite of products, but it’s these type of backend oversights and poor implementation that break things, especially when security and reliable systems is critical. Email reputation is critical, so SPF, DKIM, and DMARC are absolutely necessary.

+1

This is a major problem for us - we need space in our SPF for other tools and FreshDesk having so many records is making it impossible for me to enable dmarc, which creates security risks for our organization.

Given they have been aware of this for four months and have done nothing, we have no option but to move to another service provider.

A note for Freshdesk - every other service provider using email I have come across has at most 2 DNS lookups - and some of them have way more complicated requirements than you. You’re argument that you need to have 8 is simply invalid and will undoubtedly cost you customers. Perhaps you should look at a delegation tool as a short term solution?

Userlevel 3
Badge +4

Hello @GlitchNZ, Good day:) I hope you are well!

Apologise for the delay in getting back to you. As mentioned earlier in the thread, you can add instead of adding email.freshdesk.com, you can include any one of the region-specific records that suit your account settings. 

SPF records

US - fdspfus.freshemail.io

EU - fdspfeuc.freshemail.io

AUS - fdspfaus.freshemail.io

INDIA - fdspfind.freshemail.io

Kindly have this checked and if you have any issues in setting up the SPF records feel free to DM us your queries I'd be happy to take this forward.

Cheers!!

Hi

I might be a bit late adding my input, but here goes:-

You can flatten it further by creating another couple of txt records and having them as includes in your first SPF record here’s what we used (without the rest of our includes):

yourdomain.com     

"v=spf1 include:_spffreshdesk.yourdomain.com include:_spffreshdesk2.yourdomain.com ~all"  

_spffreshdesk.yourdomain.com
"v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ip4:149.72.0.0/16 ip4:159.183.0.0/16 ip4:223.165.113.0/24 ip4:223.165.115.0/24 ip4:223.165.118.0/23 ~all"

_spffreshdesk2.yourdomain.com
"v=spf1 ip4:223.165.120.0/23 ip4:3.222.0.24/29 ip4:198.21.4.52 ip4:167.89.31.27 ip4:167.89.127.244 ip4:3.120.181.200/29 ip4:3.7.25.40/29 ip4:13.127.153.86 ip4:52.66.154.99 ip4:13.127.210.61 ip4:3.25.47.0/29 ~all"

But now we’re moving over to Mimecast’s managed SPF which works dynamically, so no more SPF worries I guess

Best regards

 

 

Hello @brian_c, our apologies for the delay in helping you in this thread. I am glad you were able to set up DKIM which is helping in solving this issue. However, for SPF records, instead of adding email.freshdesk.com, you can include sendgrid.net and any one of the region specific records that suits your account settings. 

SPF records

US - fdspfus.freshemail.io

EU - fdspfeuc.freshemail.io

AUS - fdspfaus.freshemail.io

INDIA - fdspfind.freshemail.io

 

I hope this helps in tackling the number of lookups made. We’ll certainly pass the feedback to our engineering team to see how we can optimise it better. Thanks for elaborating how DKIM covers SPF look up as well in your reply. 

 

Have a good day! 

this works for our customer 

Hey there, could I suggest adding this region specific trick to your primary SPF article:

https://support.freshdesk.com/en/support/solutions/articles/43170-creating-an-spf-record-to-ensure-proper-email-delivery

It seems like a good work around - though I’m waiting to confirm our emails still pass SPF checks.

Reply