Visit Freshworks.com Visit Freshworks

Freshdesk very long SPF record is a problem

  • 10 January 2022
  • 23 replies
  • 3483 views
L
Rank
Badge

Hi, we are using Freshdesk support desk and until now Freshdesk has been sending email’s on our behalf. This means that we have to add email.freshdesk.com to our SPF record. This means that Freshdesk alone adds 8 DNS queries to our SPF record and the standard allows for only 10 in total.

For comparison Microsoft adds two for the whole of Office 365.

Now, what i have feared has happened and we have passed the limit and our SPF record is not valid anymore. I don’t know if we added the one or if Freshdesk added another sub record.

There is really two problems, one is the size of the record to begin with and the other is that Freshdesk can add subrecords at anytime without any of their customers knowing and pushing that client over the limit.

I think therefore it is very important for suppliers that have SPF that is used by alot of customers to be very small and maintained correct.

One solution is to create your SPF record and then only add ip addresses to this record that you then maintain when something is moved or reconfigured. This would reduce the number of DNS queries from 8 to 1.

We are depended on our SPF, Dkim and DMARC to be perfect to run our business and we are therefore reconfiguring the service to send the mail directly through our Office 365 tenant so we can remove the records.

This can be a solution for other customers that have the same problem.

23 replies

L
Rank
Badge

Nothing, there is nothing to do. You need these SPF records to use the system that way and we can’t remove our own as we need them to send email from other systems.

 

so as i said, i’m avoiding the whole problem by changing the way i use Freshdesk. That might not be for everyone.

 

Freshdesk is taking up 80% of peoples SPF record. That’s way to much when it could be 10 or 20%

DaveL
Rank

We're also having issues using SPF because of Freshdesk is taking up 80% of the record.

Now we've moved to an Office365 integration to avoid needing Freshdesk's SPF. Unfortunately we're running into other issues with a Message ID header being too long and e-mail is being marked as spam instantly by Cloudmark's software…

B
Rank
Badge

I believe that the new DKIM setup that was implemented can possibly solve this now.  When you go into the DKIM Settings (under Email Settings → Advanced Settings), one of the CNAMEs it asks you to create is “fwdkim1.<yourdomain>”.  When sending an email from your domain through the Freshdesk mail server, it uses that as the server address, so when checking the SPF it does a lookup of the TXT record on this CNAME, rather than on your root domain.  As a result of all this, you no longer need to have the Freshdesk domains in your root domain’s SPF record at all anymore, since it will use this CNAME instead.

This is alluded to in the Solution article here that mentions it has “SPF check within the DKIM records”:

https://support.freshdesk.com/support/solutions/articles/223779-email-domain-verification-using-dkim-records

I’ve implemented it this way on our domains and they are all passing SPF when sent through Freshdesk, although I made no changes to the root domain’s SPF record.

Keer
Rank
Userlevel 5
Badge +12

Hello @brian_c, our apologies for the delay in helping you in this thread. I am glad you were able to set up DKIM which is helping in solving this issue. However, for SPF records, instead of adding email.freshdesk.com, you can include sendgrid.net and any one of the region specific records that suits your account settings. 

SPF records

US - fdspfus.freshemail.io

EU - fdspfeuc.freshemail.io

AUS - fdspfaus.freshemail.io

INDIA - fdspfind.freshemail.io

 

I hope this helps in tackling the number of lookups made. We’ll certainly pass the feedback to our engineering team to see how we can optimise it better. Thanks for elaborating how DKIM covers SPF look up as well in your reply. 

 

Have a good day! 

Cheers, Keer, Freshworks Community Team
M
Rank

This cuts the number of lookups to 4, if I’m not mistaken, because within each of those addresses (sendgrid.net and fdspfus.freshemail.io in my case) is yet another include (ab.sendgrid.net and fdspfus2.freshemail.io respectively).  Still too many - now freshdesk takes up almost half of the SPF instead of almost all… so an improvement but still not really acceptable the way things work today.

MobilityRoute
Rank

This cuts the number of lookups to 4, if I’m not mistaken, because within each of those addresses (sendgrid.net and fdspfus.freshemail.io in my case) is yet another include (ab.sendgrid.net and fdspfus2.freshemail.io respectively).  Still too many - now freshdesk takes up almost half of the SPF instead of almost all… so an improvement but still not really acceptable the way things work today.

 

 

Couldn’t agree more. Freshworks really needs to address this. We’re likely looking to switch from Freshsales for this among other reasons. We really want to use a bunch of the Freshworks suite of products, but it’s these type of backend oversights and poor implementation that break things, especially when security and reliable systems is critical. Email reputation is critical, so SPF, DKIM, and DMARC are absolutely necessary.

GlitchNZ
Rank

+1

This is a major problem for us - we need space in our SPF for other tools and FreshDesk having so many records is making it impossible for me to enable dmarc, which creates security risks for our organization.

Given they have been aware of this for four months and have done nothing, we have no option but to move to another service provider.

A note for Freshdesk - every other service provider using email I have come across has at most 2 DNS lookups - and some of them have way more complicated requirements than you. You’re argument that you need to have 8 is simply invalid and will undoubtedly cost you customers. Perhaps you should look at a delegation tool as a short term solution?

Juliana Rozario
Rank
Userlevel 3
Badge +4

Hello @GlitchNZ, Good day:) I hope you are well!

Apologise for the delay in getting back to you. As mentioned earlier in the thread, you can add instead of adding email.freshdesk.com, you can include any one of the region-specific records that suit your account settings. 

SPF records

US - fdspfus.freshemail.io

EU - fdspfeuc.freshemail.io

AUS - fdspfaus.freshemail.io

INDIA - fdspfind.freshemail.io

Kindly have this checked and if you have any issues in setting up the SPF records feel free to DM us your queries I'd be happy to take this forward.

Cheers!!

Juliana Rozario
Jason-UK
Rank

Hi

I might be a bit late adding my input, but here goes:-

You can flatten it further by creating another couple of txt records and having them as includes in your first SPF record here’s what we used (without the rest of our includes):

yourdomain.com     

"v=spf1 include:_spffreshdesk.yourdomain.com include:_spffreshdesk2.yourdomain.com ~all"  

_spffreshdesk.yourdomain.com
"v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ip4:149.72.0.0/16 ip4:159.183.0.0/16 ip4:223.165.113.0/24 ip4:223.165.115.0/24 ip4:223.165.118.0/23 ~all"

_spffreshdesk2.yourdomain.com
"v=spf1 ip4:223.165.120.0/23 ip4:3.222.0.24/29 ip4:198.21.4.52 ip4:167.89.31.27 ip4:167.89.127.244 ip4:3.120.181.200/29 ip4:3.7.25.40/29 ip4:13.127.153.86 ip4:52.66.154.99 ip4:13.127.210.61 ip4:3.25.47.0/29 ~all"

But now we’re moving over to Mimecast’s managed SPF which works dynamically, so no more SPF worries I guess

Best regards

 

 

Freshman
Rank

Hello @brian_c, our apologies for the delay in helping you in this thread. I am glad you were able to set up DKIM which is helping in solving this issue. However, for SPF records, instead of adding email.freshdesk.com, you can include sendgrid.net and any one of the region specific records that suits your account settings. 

SPF records

US - fdspfus.freshemail.io

EU - fdspfeuc.freshemail.io

AUS - fdspfaus.freshemail.io

INDIA - fdspfind.freshemail.io

 

I hope this helps in tackling the number of lookups made. We’ll certainly pass the feedback to our engineering team to see how we can optimise it better. Thanks for elaborating how DKIM covers SPF look up as well in your reply. 

 

Have a good day! 

this works for our customer 

Gez
Rank

Hey there, could I suggest adding this region specific trick to your primary SPF article:

https://support.freshdesk.com/en/support/solutions/articles/43170-creating-an-spf-record-to-ensure-proper-email-delivery

It seems like a good work around - though I’m waiting to confirm our emails still pass SPF checks.

GlitchNZ
Rank

Work arounds are a great temporary solution to a problem, but when it comes to security, it is important the underlying issue is actually solved.

Freshworks needs to understand that their current approach to SPF is wrong, and they need to fix it. Nothing in this thread suggests they have any intention of doing so, which is why I have had to move to another provider.

It’s not just wrong in that workarounds are needed to make it work, its wrong because Freshworks  is being a bad internet citizen by forcing customers to disable security or use workarounds instead of providing a working solution that encourages good security practice.

I would much prefer to use Freshdesk, so when they do get around to having a product that meets minimum security requirements, I hope they do call me back and we can get back to working together again.

Until then, my best advise to other Freshworks customers who care about security is to use something else.

DavidA
Rank

Guess I found the source of our companies SPF issues. Currently running both fresh desk and fresh service which makes 16 lookups. Hopefully something can be done here.

C
Rank

+1

I’m an mail security professional and this is a serious problem that Freshworks needs to start taking seriously. This SPF config is bad practice and exemplifies both bad attitude and a lack of email security knowledge. 

SWY
Rank

Yes to all of this.

SPF records are a limited resource.  My records for M365 delivery are primary and non-negotiable.

Freshworks is doing the SPF version of manspreading on the subway.  Not cool.

P
Rank

@Freshworks I used the hint to `include fdspfus.freshemail.io`  and that reduced the total SPF lookups to less than 10.

But evaluating the email header from emails sent via Freshdesk, it fails DKIM verification.  Specifically,  looks like Freshworks is returning an extra dot at the end of the hostname:  “mail-usn65.freshemail.io.” instead of “mail-usn65.freshemail.io”

 

1. entry (2. line): from mail-usn65.freshemail.io (mail-usn65.freshemail.io. [44.192.35.64]) by mx.google.com with ESMTPS id p20-20020a05622a13d400b003b9e7368d3csi8936549qtk.780.2023.02.28.12.55.09 for <xxxxxxxx@xxx.com> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Feb 2023 12:55:09 -0800 (PST)
Sender (from): mail-usn65.freshemail.io
Sender hostname: mail-usn65.freshemail.io.
Warning: The sender (mail-usn65.freshemail.io) and the hostname (mail-usn65.freshemail.io.) determined by the mail server are different.
Warning: The hostname of the sender is invalid (mail-usn65.freshemail.io.).
Warning: The sender's hostname (mail-usn65.freshemail.io.) is not identical to the hostname determined from the sender's IP address (mail-usn65.freshemail.io).
JTAVOLARO
Rank
Userlevel 4
Badge +8

I’m amazed that this SPF issue is still not resolved.

Freshworks, what is the plan to fix this problem?

BradS
Rank
Badge

We are a freshdesk, freshsales, freshmarketer customer since 2016 and we know how painful their spf (and other Enterprise software) records are to manage. So we created https://www.autospf.com - it will help solve your problems with vendors who have long SPF records. 

A
Rank
Badge +1

Hi there,

I understand your concern about the size and validity of your SPF record due to the use of Freshdesk's email sending service. It's frustrating to see that adding Freshdesk's email domain has caused your record to exceed the maximum allowed DNS queries.

It's important for suppliers to maintain small and efficient SPF records, especially those that are widely used by customers. One solution you mentioned is to create a base SPF record with only IP addresses that you control and maintain. This can greatly reduce the number of DNS queries and help ensure the validity of your record.

However, I can also see that you have taken the decision to reconfigure your email sending to go directly through your Office 365 tenant to avoid this issue altogether. This is a wise decision, especially since your SPF, DKIM, and DMARC records are critical for your business operations.

I appreciate you bringing attention to this issue and sharing your solution with others who may be facing the same problem. Hopefully, this will encourage suppliers like Freshdesk to improve their SPF practices and help ensure their dear lottery 1 pm result yesterday systems are functioning optimally.

Best regards, [kyleejenner009]

 

thebangaloredhaba
Rank

If you attempt to create an SPF or TXT record with a long string (>255 characters) in it, BIND will give an error (e.g. "invalid data format: ran out of space".) Strings in SPF and TXT records should be no longer than 255 characters.

A
Rank
Badge +1

Hi there,

I understand your concern about the size and validity of your SPF record due to the use of Freshdesk's email sending service. It's frustrating to see that adding Freshdesk's email domain has caused your record to exceed the maximum allowed DNS queries.

It's important for suppliers to maintain small and efficient SPF records, especially those that are widely used by customers. One solution you mentioned is to create a base SPF record with only IP addresses that you control and maintain. This can greatly reduce the number of DNS queries and help ensure the validity of your record.

However, I can also see that you have taken the decision to reconfigure your email sending to go directly through your Office 365 tenant to avoid this issue altogether. This is a wise decision, especially since your SPF, DKIM, and DMARC records are critical for your business operations.

I appreciate you bringing attention to this issue and sharing your solution with others who may be facing the same problem. Hopefully, this will encourage suppliers like Freshdesk to improve their SPF practices and help ensure their https://islampdf.com/surah-yaseen-pdf/ systems are functioning optimally.

Best regards, [kyleejenner009]

 

garagedoorhig
Rank

Hi there,

I understand your concern about the size and validity of your SPF record due to the use of Freshdesk's email sending service. It's frustrating to see that adding Freshdesk's email domain has caused your record to exceed the maximum allowed DNS queries.

It's important for suppliers to maintain small and efficient SPF records, especially those that are widely used by customers. One solution you mentioned is to create a base SPF record with only IP addresses that you control and maintain. This can greatly reduce the number of DNS queries and help ensure the validity of your record.

However, I can also see that you have taken the decision to reconfigure your email sending to go directly through your Office 365 tenant to avoid this issue altogether. This is a wise decision, especially since your SPF, DKIM, and DMARC records are critical for your business operations.

I appreciate you bringing attention to this issue and sharing your solution with others who may be facing the same problem. Hopefully, this will encourage suppliers like Freshdesk to improve their SPF practices and help ensure their dear lottery 1 pm result yesterday systems are functioning optimally.

Best regards, [kyleejenner009]

 

buynblue

garagedoorhig
Rank

Hi there,

I understand your concern about the size and validity of your SPF record due to the use of Freshdesk's email sending service. It's frustrating to see that adding Freshdesk's email domain has caused your record to exceed the maximum allowed DNS queries.

It's important for suppliers to maintain small and efficient SPF records, especially those that are widely used by customers. One solution you mentioned is to create a base SPF record with only IP addresses that you control and maintain. This can greatly reduce the number of DNS queries and help ensure the validity of your record.

However, I can also see that you have taken the decision to reconfigure your email sending to go directly through your Office 365 tenant to avoid this issue altogether. This is a wise decision, especially since your SPF, DKIM, and DMARC records are critical for your business operations.

I appreciate you bringing attention to this issue and sharing your solution with others who may be facing the same problem. Hopefully, this will encourage suppliers like Freshdesk to improve their SPF practices and help ensure their dear lottery 1 pm result yesterday systems are functioning optimally.

Best regards, [kyleejenner009]

 

buynblue

 

Reply


Terms of UseCookie settings