Zuora SPF record update

UPDATE: 2020-09-09: waiting to hear back from Zuora on the proposed solution, since adding more lookups will cause our record to time out

an A record that contains the IP addresses to whitelist so that we can refer to it in our SPF record as an A record.

Details

SRE Support Needed

Zuora is our billing system, which sends emails to customers about their subscriptions. Currently, renewal emails are not being received/sent, and we suspect this is related to the SPF record, since they are now being sent by what's called a "workflow" in order to follow new business rules.

GitLab's SPF record looks to include some of Zuora's range of IP addresses but it needs to be updated as it doesn't look to include the ones from the workflow range.

I'm not sure why we include the range in _spf-ip.gitlab.com instead of using v=spf1 mx a:zgateway.zuora.com -all - perhaps the list includes additional applications' IP addresses?

Proposed solution

I'd recommend using v=spf1 mx a:zgateway.zuora.com -all and replacing the Zuora IP addresses in _spf-ip.gitlab.com with the Mailchimp ones if we need the room, since there are more Zuora IP addresses we need on the record than Mailchimp ones and there are only three Zuora ones currently included.

Mailchimp delivery IPs:

  • 205.201.128.0/20
  • 198.2.128.0/18
  • 148.105.0.0/16

cc @awestbrook @s_mccauley @ccnelson @mkarampalas @djparker

relates to: https://gitlab.com/gitlab-com/business-ops/team-member-enablement/issue-tracker/-/issues/721

Edited by Jamie Carey
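
The lookup budget this issue runs into, as an added example that is not part of the original issue or any GitLab or Zuora tooling: SPF evaluation allows at most 10 DNS-querying terms (RFC 7208, section 4.6.4); `ip4`/`ip6` terms cost none, while `a`, `mx`, `include`, `exists`, `ptr` and `redirect` each cost one. The zone contents and `example` names are constructed; only the record string in the final line is the one proposed in the issue.

```python
# Added example: count the SPF terms that trigger DNS queries (RFC 7208, 4.6.4).
# The void-lookup limit and the per-"mx" address limit are not modelled here.
LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample zone (placeholder names, not real DNS data).
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:_spf-ip.example.com include:_spf.vendor.example -all",
    "_spf-ip.example.com": "v=spf1 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.0.0/16 -all",
    "_spf.vendor.example": "v=spf1 a:gateway.vendor.example include:_spf2.vendor.example ~all",
    "_spf2.vendor.example": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.bl.vendor.example -all",
}


def parse_term(term):
    """Split one SPF term into (name, target); target is None when absent."""
    term = term.lstrip("+-~?")                 # drop the qualifier
    if term.lower().startswith("redirect="):
        return "redirect", term.split("=", 1)[1]
    name, sep, rest = term.partition(":")
    name = name.split("/", 1)[0]               # "a/24" and "mx/24" carry a CIDR suffix
    return name.lower(), (rest.split("/", 1)[0] if sep else None)


def count_lookups(record, zone, seen=frozenset()):
    """Count DNS-querying terms in record, following include/redirect via zone."""
    total = 0
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        name, target = parse_term(term)
        if name in LOOKUP_MECHANISMS or name == "redirect":
            total += 1                         # the term itself costs one query
        if name in ("include", "redirect") and target in zone and target not in seen:
            total += count_lookups(zone[target], zone, seen | {target})
    return total


def check(record, zone):
    """Return (lookup count, verdict) for a record against the limit of 10."""
    n = count_lookups(record, zone)
    return n, ("ok" if n <= LOOKUP_LIMIT else "permerror: too many DNS lookups")


if __name__ == "__main__":
    print(check(SAMPLE_ZONE["example.com"], SAMPLE_ZONE))
    # Record proposed in the issue: "mx" and "a:" cost one lookup each.
    print(check("v=spf1 mx a:zgateway.zuora.com -all", {}))
```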