For quite a while, there’s been a problem sending emails “as your firm” via QuickBooks. If you have an SPF record set up for your domain, you have to define sending information there to allow third parties to send mail as your domain. Intuit provides an SPF record entry to use, so your record might look something like this if you use Office 365:
“v=spf1 include:spf.protection.outlook.com include:intuit.com -all”
The problem is that each include sends the receiving server off to look up the referenced record, plus anything that record references in turn, and SPF limits how many DNS lookups a receiver will make while evaluating one record. It’s 10. And the Intuit record, for years now, has had more than 10 entries to look up in their SPF record. So if you have the record formatted like the one above, which is what Intuit recommends, you will have messages bounced when sending invoices to customers for QuickBooks Online, among other things.
To resolve this, I checked the header of the invoicing messages that were being bounced. I noticed that invoices get sent out from this server: e.notification.intuit.com.
I then did an NSLookup query to see if there is an SPF record just for that address. There is!
C:\Users\David>nslookup
Default Server: dns.google
Address: 8.8.8.8

> set q=TXT
> e.notification.intuit.com
Non-authoritative answer:
e.notification.intuit.com canonical name = u1916451.wl202.sendgrid.net
u1916451.wl202.sendgrid.net text =
"v=spf1 ip4:167.89.58.138 ip4:167.89.58.229 ip4:167.89.82.160 ip4:167.89.82.233 -all"
So we see that there’s a simpler SPF record for e.notification.intuit.com that only contains four IP addresses. That means that for your own SPF record, the one we referenced above, we can do something like this:
“v=spf1 include:spf.protection.outlook.com include:e.notification.intuit.com -all”
Or this, if that doesn’t work properly:
“v=spf1 include:spf.protection.outlook.com ip4:167.89.58.138 ip4:167.89.58.229 ip4:167.89.82.160 ip4:167.89.82.233 -all”
The former would be more elegant, and less brittle if Intuit changes something on their end. The only thing that might break this is if Intuit stops sending from e.notification.intuit.com on outbound messages.
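To check a record against the 10-lookup limit before publishing it, here is an added example (not part of the original post) that counts the worst-case DNS lookups an SPF record costs, including nested includes. The ZONE data is constructed so it runs offline: only the e.notification.intuit.com value is copied from the nslookup output above, and every *.example name and record is hypothetical.

```python
import re

# Terms that each cost the receiver one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed TXT records standing in for live DNS so this runs offline.
# Only the e.notification.intuit.com value comes from the post; every
# *.example name and record is hypothetical sample data.
ZONE = {
    "firm.example": "v=spf1 include:mailhost.example include:bigvendor.example -all",
    "firm-fixed.example": "v=spf1 include:mailhost.example "
                          "include:e.notification.intuit.com -all",
    "mailhost.example": "v=spf1 ip4:192.0.2.0/24 include:pool.mailhost.example -all",
    "pool.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "bigvendor.example": "v=spf1 "
        + " ".join(f"include:_spf{i}.bigvendor.example" for i in range(1, 10))
        + " mx -all",
    "e.notification.intuit.com": "v=spf1 ip4:167.89.58.138 ip4:167.89.58.229 "
                                 "ip4:167.89.82.160 ip4:167.89.82.233 -all",
}
for i in range(1, 10):
    ZONE[f"_spf{i}.bigvendor.example"] = f"v=spf1 ip4:203.0.113.{i} -all"

# Optional qualifier, mechanism/modifier name, optional ":" or "=" argument.
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?")

def count_lookups(domain, zone=ZONE, chain=()):
    """Worst-case DNS lookups needed to evaluate domain's SPF record."""
    if domain in chain:
        raise ValueError("include loop: " + " -> ".join(chain + (domain,)))
    total = 0
    for term in zone.get(domain, "").lower().split()[1:]:  # skip "v=spf1"
        m = TERM.match(term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4/ip6/all need no DNS query
        total += 1  # the lookup this term triggers
        name, target = m.groups()
        if name in ("include", "redirect") and target:
            # Nested records spend from the same budget of 10.
            total += count_lookups(target.split("/")[0], zone, chain + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (lookup count, verdict) for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("ok" if n <= LIMIT else "permerror: too many DNS lookups")

if __name__ == "__main__":
    for d in ("firm.example", "firm-fixed.example"):
        print(d, *check(d))
```

Listing the four ip4 addresses directly, as in the second variant above, costs no lookups at all, which is why it is the safest option against the limit even though it is the more brittle one.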
4 thoughts on “SPF for sending mail from Intuit”
Thanks for this post Dave. Finding a simple, proper SPF record for QB Online has been maddening. I’m going to try include:e.notification.intuit.com and was just curious if you are still having success with this simpler version or have you had to move to 4 IPs?
Ben, I have had no problems with the simpler version, and I’d guess that would be a better practice.
Dear Mr. Shackelford,
This morning I rec’d a scamail from [allegedly Intuit] using this exact same SPF. The bogus invoice is for a bitcoin purchase amounting to $459. The scammer, surely a newbie, left the C and CC open, which showed me all the addresses the email was sent to that start with the letter “P”. Oh, and the name on the invoice? Dear Customer. My eyes were rolling so hard it was difficult to get them back to front and center. Yep, fun and games in scam e-world.
I am thinking there might be a misunderstanding of the topic here. An SPF record, if used correctly, can help prevent a scammer from falsely using (or spoofing) email addresses using your domain (i.e. mailbox@YourDomain.com). If a business uses things like Quickbooks-online, they need to include the Quickbooks-online MTAs (mail servers) in their SPF records. Simplistically stating – authorizing those MTAs to send email for that domain.
It will not prevent a scammer signing up for a “free” account with Quickbooks and sending false invoices.