“SPF Too Many DNS Lookups” Error – What It Means And How To Resolve The Issue
Let us first understand what the error means and then see how to resolve it.
A domain must not have multiple SPF records, or the SPF check fails with a PermError. Similarly, if you are concerned that your emails do not get delivered, the problem could lie in the SPF validation. During the investigation, it could report the reason “Permerror SPF permanent error too many DNS lookups.” It is a standard error encountered in SPF implementations. Exceeding the 10 DNS lookup SPF limit can affect email deliverability. This article discusses what exceeding the 10 DNS limit means, its consequences, and how to validate the SPF record to prevent the “SPF too many DNS lookups” error.
What Is “SPF Too Many DNS Lookups”?
The SPF specification fixes a limit on the number of DNS lookups allowed while resolving an SPF record. RFC 7208 specifies that the number of mechanisms and modifiers that do DNS lookups must not exceed 10 per SPF check. Generally, the reckless use of the “include” mechanism or the “redirect” modifier in an SPF record can push the DNS lookups over the limit of 10, thereby causing email deliverability issues. Exceeding the limit returns the error “permerror SPF permanent error too many DNS lookups.”
The Need For The SPF DNS Lookup Limit
What is the need for such a seemingly artificial limit? The answer is that the 10-DNS lookup limit is necessary to thwart threats such as a DDoS attack. The example below should clarify the point.
- A malicious actor creates an SPF record on a specific domain “virusfound.com” with numerous references to another domain, “target.com.”
- Using the “virusfound.com” domain, they send many emails to mailboxes hosted by various email service providers (ESP) with SPF implemented.
- The ESP queries DNS for “target.com” on receiving such emails.
- As it involves numerous ESPs, it amplifies the traffic and becomes a DoS attack at “target.com.”
The crucial aspect of the entire chain of transactions is that the attack’s real source remains hidden. Thus, you can see how a malicious threat actor exploits the email authentication mechanism. Hence, fixing a limit on the maximum number of DNS lookups per check on the ESP side mitigates the risk. By keeping the limit at 10 DNS lookups, the amplification is limited to 10, thus preventing a DDoS attack.
What Is SPF Validation?
The SPF validation process provides information about the SPF setup on your domain. It aims to ensure that the SPF record is free from errors. An SPF validation tool can show the number of DNS-querying mechanisms. Thus, an SPF validation check helps you check the DNS lookup count.
What Will Happen If The SPF DNS Lookup Limit Is Exceeded?
If the SPF implementation on the receiving email server finds more than 10 DNS-querying mechanisms and modifiers in the sender’s domain SPF, it returns the SPF permerror “too many DNS lookups.” As a result, the sent email might not reach the inbox.
ESPs like Gmail send unauthenticated emails to the spam folder, whereas Microsoft Office 365 blocks such sender domains automatically if they fail SPF authentication.
How Do You Deal With The “SPF Too Many DNS Lookups” Error?
One of the best solutions to deal with this issue is “SPF record flattening.” Flattening an SPF record can reduce the number of DNS-querying mechanisms to one. Let us see how SPF record flattening works.
- Query DNS for the IP addresses behind each DNS-querying mechanism or modifier.
- Replace the original mechanism or modifier with those IP addresses.
- For each such replacement, the total DNS lookup count decreases by 1.
- After replacing all the mechanisms/modifiers, the total DNS lookup count becomes 1.
Thus, it is possible to turn a complicated SPF record containing more than 10 DNS-querying mechanisms and modifiers into a flat record of IP addresses.
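As an added example (not code from the original article), the following Python counts the DNS-querying terms of an SPF record the way a receiver does, flags the permerror described above, and performs the flattening steps just listed. Live DNS is replaced by constructed TXT, MX and A answers for made-up domains, so it runs offline; none of the domains or addresses are real records.

```python
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one lookup (RFC 7208 4.6.4)

# Constructed stand-in for live DNS answers; none of these are real domains' records.
TXT = {
    "example.org": "v=spf1 include:_spf.vendor-a.example include:_spf.vendor-b.example mx -all",
    "_spf.vendor-a.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.vendor-c.example ~all",
    "_spf.vendor-b.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.vendor-c.example": "v=spf1 ip4:198.51.100.10 a:mail.vendor-c.example -all",
    "bloated.example": "v=spf1 " + "include:_spf.vendor-b.example " * 11 + "-all",  # 11 lookups
}
MX = {"example.org": ["mx1.example.org"]}                                           # constructed MX answers
ADDR = {"mail.vendor-c.example": ["203.0.113.5"], "mx1.example.org": ["192.0.2.200"]}  # constructed A answers

def split_term(term):
    """'include:foo' -> ('include','foo'); 'redirect=bar' -> ('redirect','bar'); 'mx' -> ('mx', None)."""
    m = re.match(r"[+~?-]?([a-z0-9]+)(?:[:=]([^/]*))?", term, re.I)  # drop qualifier and CIDR suffix
    return m.group(1).lower(), m.group(2)

def count_lookups(record):
    """Count lookups as a receiver does: an include costs 1 plus every lookup inside it."""
    total = 0
    for term in record.split()[1:]:               # skip the "v=spf1" version tag
        name, arg = split_term(term)
        total += name in LOOKUP_TERMS
        if name in ("include", "redirect"):
            total += count_lookups(TXT[arg])
    return total

def check(domain):
    return "permerror: too many DNS lookups" if (n := count_lookups(TXT[domain])) > 10 else f"ok: {n} lookups"

def flatten_terms(domain):
    """Resolve include, a and mx into literal ip4/ip6 terms (the flattening step)."""
    out = []
    for term in TXT[domain].split()[1:]:
        name, arg = split_term(term)
        if name in ("ip4", "ip6"):
            out.append(term)
        elif name == "include":
            out += flatten_terms(arg)             # an include's -all/~all is not a match; drop it
        elif name in ("a", "mx"):
            hosts = [arg or domain] if name == "a" else MX[arg or domain]
            out += [f"ip{6 if ':' in ip else 4}:{ip}" for h in hosts for ip in ADDR[h]]
        elif name != "all":
            raise ValueError(f"{name!r} has no static equivalent; review it by hand")
    return out

def flatten(domain):
    all_term = [t for t in TXT[domain].split() if split_term(t)[0] == "all"][-1]  # keep own 'all'
    return "v=spf1 " + " ".join(flatten_terms(domain) + [all_term])
```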
Does the Flattening Exercise Resolve The Problem Completely?
The flattening technique may not be reliable at all times. That’s because if the IP addresses behind one of the “include” mechanisms change, the flattened SPF record goes out of sync with those IP addresses and produces incorrect SPF authentication results. It can be addressed using ip4 and ip6 mechanisms in the record, as discussed in the next section.
Use ip4 And ip6 Mechanisms
Replacing an “include” statement with ip4 or ip6 mechanisms can reduce the number of DNS lookups drastically. The ip4 and ip6 mechanisms list a static IP range directly in the SPF record. This does away with an “include” statement that references another domain’s SPF record.
More Ways To Prevent SPF Too Many DNS Lookups Error
Besides the flattening method, here are some other ways to reduce the “SPF too many DNS lookups” error.
Remove all mechanisms resolving to the same domain
Removing mechanisms from your SPF record that link to the same domain avoids unnecessary DNS lookups.
Avoid ptr mechanisms
The ptr mechanism relies on PTR DNS records, which map an IP address back to a hostname or domain. The SPF specification recommends not using the ptr mechanism in an SPF record. Using the ptr mechanism results in multiple DNS lookups, so the limit is reached quickly.
Remove vendor domains and legacy partners
It is advisable to remove “include” statements that point SPF checks at vendors that no longer send emails on your behalf. It reduces DNS lookups.
However, “include” statements can be necessary to point SPF checks at the SPF records of vendors/partners that change their IP addresses frequently. The “include” statement ensures that the sender does not need to update the changing IP addresses in their own SPF record.
Reference actively sending domains only
If the domains you reference link to inactive SPF records, it is better to remove them to reduce DNS lookups.
Every business entity should use proper SPF validation tools to look out for discrepancies that could affect email deliverability. We have just seen how an SPF permerror can affect email deliverability. Following the tips mentioned in the discussion can reduce occurrences of the “SPF too many DNS lookups” error, thus facilitating successful email delivery.