Freshdesk very long SPF record is a problem

+1

I’m an mail security professional and this is a serious problem that Freshworks needs to start taking seriously. This SPF config is bad practice and exemplifies both bad attitude and a lack of email security knowledge. 

I’m amazed that this SPF issue is still not resolved.

Freshworks, what is the plan to fix this problem?

Hello @brian_c, our apologies for the delay in helping you in this thread. I am glad you were able to set up DKIM which is helping in solving this issue. However, for SPF records, instead of adding email.freshdesk.com, you can include sendgrid.net and any one of the region specific records that suits your account settings. 

US - fdspfus.freshemail.io

EU - fdspfeuc.freshemail.io

AUS - fdspfaus.freshemail.io

INDIA - fdspfind.freshemail.io

I hope this helps in tackling the number of lookups made. We’ll certainly pass the feedback to our engineering team to see how we can optimise it better. Thanks for elaborating how DKIM covers SPF look up as well in your reply. 

Have a good day! 

Hey there, could I suggest adding this region specific trick to your primary SPF article:

https://support.freshdesk.com/en/support/solutions/articles/43170-creating-an-spf-record-to-ensure-proper-email-delivery

It seems like a good work around - though I’m waiting to confirm our emails still pass SPF checks.

Work arounds are a great temporary solution to a problem, but when it comes to security, it is important the underlying issue is actually solved.

Freshworks needs to understand that their current approach to SPF is wrong, and they need to fix it. Nothing in this thread suggests they have any intention of doing so, which is why I have had to move to another provider.

It’s not just wrong in that workarounds are needed to make it work, its wrong because Freshworks  is being a bad internet citizen by forcing customers to disable security or use workarounds instead of providing a working solution that encourages good security practice.

I would much prefer to use Freshdesk, so when they do get around to having a product that meets minimum security requirements, I hope they do call me back and we can get back to working together again.

Until then, my best advise to other Freshworks customers who care about security is to use something else.

Hi there,

In anticipation of Google and Yahoo’s upcoming change to require DMARC on bulk senders, I’ve been reviewing my SPF records for Fresh Service and have confirmed that email.freshservice.com now commands an incredible 11 lookups - 10 nested lookups within the main DNS entry.

This means that Fresh Service lookups alone exceed the maximum allowed by SPF, which is quite remarkable.

I’m relieved to see that I’m not the only person who has highlighted this, and if I’m understanding the advice correctly, it seems that we only need to include one of the nested lookups - fdspfeuc.freshemail.io (EU). [source]

Can I confirm this is a solution, and not a work-around?

I’m also not clear on why, if this is acceptable, we were ever asked to include the other lookups in the first place?

Lastly, I can see that fdspfeuc.freshemail.io is not one of the nested lookups within email.freshservice.com. Is this not a problem?

Regards,

Robert

Just an additional note to say that I removed email.freshservice.com and added emailus.freshservice.com and this reduced the total number of lookups to 2, which is far more reasonable.

I believe fdspfeuc.freshemail.io is for Freshdesk, which is not the service we use - worth bearing this distinction in mind when troubleshooting your own environment.

Also, as we’re based in the UK we incorrectly assumed we would be part of the Fresh Service EU server farm; consulting with FS support, we were informed we’re hosted on US servers. This is also something you will have to check when trying to whittle down your lookups.

Another thing we were advised to do was include 3 DKIM records, and a 4th, which was described to me as relating to SPF. Now, anyone who knows how SPF works will tell you that’s not possible, as there can be only one SPF record for a domain, and unfortunately nobody from Fresh Service could sufficiently explain the syntax of the record to me. Despite having published it, I’m still unclear what it’s for or why it’s needed.

All in all, quite a needlessly challenging issue.

Robert

@Kajal Vats I’m not sure this issue is resolved yet for many of us - the “workaround” still consumes a minimum 4 lookups, which if you have other platforms that send on behalf of a domain quickly ends up past the 10 lookups limit.

Hi

I might be a bit late adding my input, but here goes:-

You can flatten it further by creating another couple of txt records and having them as includes in your first SPF record here’s what we used (without the rest of our includes):

yourdomain.com     

"v=spf1 include:_spffreshdesk.yourdomain.com include:_spffreshdesk2.yourdomain.com ~all"  

_spffreshdesk.yourdomain.com
"v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ip4:149.72.0.0/16 ip4:159.183.0.0/16 ip4:223.165.113.0/24 ip4:223.165.115.0/24 ip4:223.165.118.0/23 ~all"

_spffreshdesk2.yourdomain.com
"v=spf1 ip4:223.165.120.0/23 ip4:3.222.0.24/29 ip4:198.21.4.52 ip4:167.89.31.27 ip4:167.89.127.244 ip4:3.120.181.200/29 ip4:3.7.25.40/29 ip4:13.127.153.86 ip4:52.66.154.99 ip4:13.127.210.61 ip4:3.25.47.0/29 ~all"

But now we’re moving over to Mimecast’s managed SPF which works dynamically, so no more SPF worries I guess

Best regards

We’re battling this as well. Just three DNS entries over our limit after including “email.freshdesk.com”. Such an annoyance.

+1

This is a major problem for us - we need space in our SPF for other tools and FreshDesk having so many records is making it impossible for me to enable dmarc, which creates security risks for our organization.

Given they have been aware of this for four months and have done nothing, we have no option but to move to another service provider.

A note for Freshdesk - every other service provider using email I have come across has at most 2 DNS lookups - and some of them have way more complicated requirements than you. You’re argument that you need to have 8 is simply invalid and will undoubtedly cost you customers. Perhaps you should look at a delegation tool as a short term solution?

Hello @Ant-TTG - thank you for flagging this and i’m sorry for the inconvenience. I have passed this on to my team, please let me get back to you

I am also affected by this issue and I must say it's such a big mess. Especially if you are not expert in this field you have no chance to solve this issue. I also dont want to spend 370$ for a SPF flattener.  It's incredible that Frehsdesk has no solution to this. We have a lot of issue with Emails going to spam from Freshdesk. They are doing an incredible bad job here in documentation as well.