If anyone at Amazon is paying attention, you have duplicate spf1 records
for amazon.com:
# dig -t TXT amazon.com | grep spf
amazon.com. 281 IN TXT "spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN TXT "v=spf1 include: amazon.com include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN TXT "v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
It's causing mail deliverability issues, so users cannot reset their
password, or even get OTP codes reliably.
(I don't know where else to post, as whois/arin contacts aren't
responding, and I can't even imagine trying to go through other methods
of support...)
Not on my servers, but I clearly just did a lookup.
C:\Users\jluthman>dig -t TXT amazon.com|findstr spf
amazon.com. 900 IN TXT "spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 900 IN TXT "v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
a message of 15 lines which said:
If anyone at Amazon is paying attention, you have duplicate spf1 records
for amazon.com:
If so, it is now gone. Not one RIPE Atlas probe sees this duplication:
% blaeu-resolve -r 100 --ednssize 4096 --type TXT amazon.com
["facebook-domain-verification=d9u57u52gylohx845ogo1axzpywpmq"
"google-site-verification=14wgw2mdnmxchg8plinf7lgqqe0owwhqoq0hkhb7rdq"
"ms=4b600b22799eb2cac0d8ff0a3a3caeca5ee2bf3a"
"pardot326621=b26a7b44d7c73d119ef9dfd1a24d93c77d583ac50ba4ecedd899a9134734403b"
"spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com
include:amazonses.co "v=spf1 include:spf1.amazon.com
include:spf2.amazon.com include:amazonses.com -a
"wrike-verification=mzi3nzm2odo2ndk5mje4njq2mwjmotewmgmxm2mznzjmnwjly2u5zdu4mmvl]
: 95 occurrences
[ (TRUNCATED - EDNS buffer size was 4096 ) ] : 1 occurrences
Test #30676407 done at 2021-06-07T14:31:16Z
Hmm, are you sure?
[ec2-user@ip-10-0-0-50 ~] dig amazon.com txt +short|grep spf
"v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
"spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
[ec2-user@ip-10-0-0-50 ~]
Jean St-Laurent via NANOG <nanog@nanog.org> writes:
What is spf2.0/pra ?
https://datatracker.ietf.org/doc/html/rfc4406
It doesn't say April 1st, but it is pretty close....
Bjørn
This is the old (now widely abandoned/deprecated) Sender ID standard.
SPF 2.0 was used to designate a SenderID policy. It was experimental and never saw widespread adoption.
Thanks for the update.
Has Amazon been publishing that old technology for a long time, or did it just appear recently?
I don’t recall seeing that with amazon-ses.com.
Jean
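
Added example, not part of any message in this thread: a sketch of the record-selection step from RFC 7208 section 4.5, which is why two "v=spf1" TXT records break delivery while the "spf2.0/pra" record alongside them does not. The function names are this example's own, and the two captures are the dig answers quoted in the thread.

```python
import re

# dig answer lines copied from the first message in this thread
FIRST_CAPTURE = '''
amazon.com. 281 IN TXT "spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN TXT "v=spf1 include: amazon.com include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN TXT "v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
'''

# dig answer lines copied from the second lookup in this thread
SECOND_CAPTURE = '''
amazon.com. 900 IN TXT "spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 900 IN TXT "v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
'''

def parse_dig_txt(output):
    """Return the TXT rdata of each dig answer line; the character-strings
    of one record are concatenated without separators (RFC 7208, 3.3)."""
    records = []
    for line in output.splitlines():
        m = re.match(r'^\S+\s+\d+\s+IN\s+TXT\s+(.*)$', line.strip())
        if m:
            strings = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))
            records.append("".join(strings))
    return records

def is_spf1(record):
    """True when the version section is exactly "v=spf1", ended by a space
    or by the end of the record. Sender ID ("spf2.0/...") does not match."""
    lowered = record.lower()
    return lowered == "v=spf1" or lowered.startswith("v=spf1 ")

def spf_lookup_result(records):
    """Record selection: no v=spf1 record gives "none", more than one gives
    "permerror", exactly one is selected for evaluation."""
    spf1 = [r for r in records if is_spf1(r)]
    if not spf1:
        return "none", spf1
    if len(spf1) > 1:
        return "permerror", spf1
    return "selected", spf1

if __name__ == "__main__":
    for name, capture in (("first", FIRST_CAPTURE), ("second", SECOND_CAPTURE)):
        result, spf1 = spf_lookup_result(parse_dig_txt(capture))
        print(f"{name} capture: {result} ({len(spf1)} v=spf1 record(s))")
```

A receiver that gets "permerror" at this step never evaluates either policy, so the outcome depends on which answer set its resolver happened to receive.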