Freshdesk very long SPF record is a problem

  • 10 January 2022
  • 32 replies
  • 6812 views



+1

This is a major problem for us - we need space in our SPF for other tools and FreshDesk having so many records is making it impossible for me to enable DMARC, which creates security risks for our organization.

Given they have been aware of this for four months and have done nothing, we have no option but to move to another service provider.

A note for Freshdesk - every other service provider using email I have come across has at most 2 DNS lookups - and some of them have way more complicated requirements than you. Your argument that you need to have 8 is simply invalid and will undoubtedly cost you customers. Perhaps you should look at a delegation tool as a short term solution?

This cuts the number of lookups to 4, if I’m not mistaken, because within each of those addresses (sendgrid.net and fdspfus.freshemail.io in my case) is yet another include (ab.sendgrid.net and fdspfus2.freshemail.io respectively). Still too many - now freshdesk takes up almost half of the SPF instead of almost all… so an improvement but still not really acceptable the way things work today.

Couldn’t agree more. Freshworks really needs to address this. We’re likely looking to switch from Freshsales for this among other reasons. We really want to use a bunch of the Freshworks suite of products, but it’s these types of backend oversights and poor implementation that break things, especially when security and reliable systems are critical. Email reputation is critical, so SPF, DKIM, and DMARC are absolutely necessary.


Hello @brian_c, our apologies for the delay in helping you in this thread. I am glad you were able to set up DKIM which is helping in solving this issue. However, for SPF records, instead of adding email.freshdesk.com, you can include sendgrid.net and any one of the region specific records that suits your account settings. 

SPF records

US - fdspfus.freshemail.io

EU - fdspfeuc.freshemail.io

AUS - fdspfaus.freshemail.io

INDIA - fdspfind.freshemail.io

I hope this helps in tackling the number of lookups made. We’ll certainly pass the feedback to our engineering team to see how we can optimise it better. Thanks for elaborating how DKIM covers SPF lookup as well in your reply.

Have a good day! 
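
The lookup arithmetic discussed in this thread, as an added example that is not part of any post: a counter for the SPF terms that count toward the 10-lookup limit in RFC 7208 section 4.6.4, including nested includes. Only the include chain named in the thread is taken from it; the record contents, example.com, crowded.example and the vendorN.example names are constructed for illustration.

```python
import re

# Constructed TXT data. Only the include chain (sendgrid.net -> ab.sendgrid.net,
# fdspfus.freshemail.io -> fdspfus2.freshemail.io) comes from the thread; the
# record contents and IP ranges are placeholders (documentation addresses).
ZONE = {
    "example.com": "v=spf1 include:sendgrid.net include:fdspfus.freshemail.io mx -all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 include:ab.sendgrid.net ~all",
    "ab.sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "fdspfus.freshemail.io": "v=spf1 ip4:203.0.113.0/25 include:fdspfus2.freshemail.io ~all",
    "fdspfus2.freshemail.io": "v=spf1 ip4:203.0.113.128/25 ~all",
}
# Hypothetical domain that also authorises seven other senders.
ZONE.update({f"vendor{i}.example": "v=spf1 ip4:192.0.2.1 -all" for i in range(1, 8)})
ZONE["crowded.example"] = ("v=spf1 include:sendgrid.net include:fdspfus.freshemail.io "
    + " ".join(f"include:vendor{i}.example" for i in range(1, 8)) + " -all")

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
TERM = re.compile(r"^(include|a|mx|ptr|exists)(?::([^/]+))?(?:/.*)?$")

def lookup_terms(record):
    """Yield (mechanism, target) for each term that costs a DNS lookup."""
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.startswith("redirect="):
            yield "redirect", term.split("=", 1)[1]
        elif (m := TERM.match(term)):
            yield m.group(1), m.group(2)  # ip4/ip6/all never match: no lookup

def count_lookups(domain, zone, path=frozenset()):
    """Total lookups an SPF evaluator performs for domain, nested ones included."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for mech, target in lookup_terms(zone[domain]):
        total += 1  # the term itself
        if mech in ("include", "redirect"):
            total += count_lookups(target, zone, path | {domain})
    return total

def breakdown(domain, zone):
    """Lookup cost of each top-level term in the domain's record."""
    return {(f"{m}:{t}" if t else m):
            1 + (count_lookups(t, zone, frozenset({domain})) if m in ("include", "redirect") else 0)
            for m, t in lookup_terms(zone[domain])}

if __name__ == "__main__":
    for d in ("example.com", "crowded.example"):
        n = count_lookups(d, ZONE)
        print(d, n, "over limit" if n > LOOKUP_LIMIT else "ok", breakdown(d, ZONE))
```

With the constructed data the two Freshdesk-related includes cost 2 lookups each, 4 in total, and the crowded domain reaches 11, one over the limit.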


I believe that the new DKIM setup that was implemented can possibly solve this now.  When you go into the DKIM Settings (under Email Settings → Advanced Settings), one of the CNAMEs it asks you to create is “fwdkim1.<yourdomain>”.  When sending an email from your domain through the Freshdesk mail server, it uses that as the server address, so when checking the SPF it does a lookup of the TXT record on this CNAME, rather than on your root domain.  As a result of all this, you no longer need to have the Freshdesk domains in your root domain’s SPF record at all anymore, since it will use this CNAME instead.

This is alluded to in the Solution article here that mentions it has “SPF check within the DKIM records”:

https://support.freshdesk.com/support/solutions/articles/223779-email-domain-verification-using-dkim-records

I’ve implemented it this way on our domains and they are all passing SPF when sent through Freshdesk, although I made no changes to the root domain’s SPF record.

We're also having issues using SPF because Freshdesk is taking up 80% of the record.

Now we've moved to an Office365 integration to avoid needing Freshdesk's SPF. Unfortunately we're running into other issues with a Message ID header being too long and e-mail is being marked as spam instantly by Cloudmark's software…


Nothing, there is nothing to do. You need these SPF records to use the system that way and we can’t remove our own as we need them to send email from other systems.

So as I said, I’m avoiding the whole problem by changing the way I use Freshdesk. That might not be for everyone.

Freshdesk is taking up 80% of people’s SPF record. That’s way too much when it could be 10 or 20%
