SPF for sending mail from Intuit

For quite a while, there’s been a problem sending emails “as your firm” via QuickBooks. If you have an SPF record set up for your domain, you have to define sending information there to allow third-parties to send mail as your domain. Intuit provides an SPF record entry to use, so your record might look something like this if you use Office365:

“v=spf1 include:spf.protection.outlook.com include:intuit.com -all”

The problem is that each include sends the receiving server to look up all the entries in each referenced record, and there’s a limit on how many entries can be in a lookup. It’s 10. And the Intuit record, for years now, has had more than 10 records in their SPF record. So if you have the record formatted like the one above, which is what Intuit recommends, you will have messages bounced when sending invoices to customers for Quickbooks Online, among other things.

To resolve this, I checked the header of the invoicing messages that were being bounced. I noticed that invoices get sent out from this server: e.notification.intuit.com.

I then did an NSLookup query to see if there is an SPF record just for that address. There is!

C:\Users\David>nslookup
Default Server: dns.google
Address: 8.8.8.8

set q=TXT
e.notification.intuit.com

Non-authoritative answer:
e.notification.intuit.com canonical name = u1916451.wl202.sendgrid.net
u1916451.wl202.sendgrid.net text =

    "v=spf1 ip4:167.89.58.138 ip4:167.89.58.229 ip4:167.89.82.160 ip4:167.89.82.233 -all"

So we see that there’s a simpler SPF record for e.notification.intuit.com that only contains four IP addresses. That means that for your own SPF record, the one we referenced above, we can do something like this:

“v=spf1 include:spf.protection.outlook.com include:e.notification.intuit.com -all”

Or this, if that doesn’t work properly:

“v=spf1 include:spf.protection.outlook.com ip4:167.89.58.138 ip4:167.89.58.229 ip4:167.89.82.160 ip4:167.89.82.233 -all”

The former would be more elegant, and less brittle if Intuit changes something on their end. The only thing that might break this is if Intuit stops sending from e.notification.inuit.com on outbound messages.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.