How To Create SPF Records To Avoid SPF Lookup Limit Errors?
The Sender Policy Framework (SPF) specification allows at most 10 DNS lookups per SPF record. If you are a domain owner and plan to add an SPF record to your DNS zone, make sure this limit is not exceeded, or else SPF checks against your record will fail.
Reasons For Exceeding The SPF Lookup Limit
One of the main reasons SPF records run into lookup failures is that the DNS lookup limit is easily forgotten. Every DNS lookup entry in your SPF record is an added burden on the receiving mail server.
Hence, the more DNS lookup entries there are, the more resources the Mail Transfer Agents (MTAs) consume, so the limit imposed on SPF records reduces the load on these servers. Publishing multiple SPF records for one domain will also lead to "SPF too many DNS lookups" errors.
People test and validate their SPF records for syntax errors and typos, but fail to check the logs for the SPF lookup count. Every mechanism in the SPF record of type a, mx, include, ptr, exists, or redirect counts as one DNS lookup entry.
The Problem With Unnecessary Include Statements
An include statement in an SPF record tells the mail transfer agent to fetch the SPF record of another domain and add the IP addresses it authorizes to the list.
Every include statement in the record counts as one DNS lookup entry. Your SPF record is valid as long as it contains at most 10 DNS lookup entries.
Only when the count exceeds the limit does the permerror "SPF permanent error: too many DNS lookups" occur. Once your record produces an SPF lookup error, either the email is returned or the list of authorized IPs is not retrieved.
Hence, there is every chance that hackers and adversaries can use your domain to send fraudulent emails.
Steps To Avoid SPF Lookup Failure
- To avoid DNS lookup errors, check and validate your SPF records frequently. Online tools can report the DNS lookup count instantly.
- Also check for IP addresses that have not been in use for a long time and remove them. If needed, you can use subdomains, SPF flattening, or SPF compression to quickly resolve your "too many DNS lookups" problems.
- Domain experts advise against using the ptr mechanism in your SPF records, as it adds to your DNS lookup count and can push it over the limit.
- Use the ip4 or ip6 mechanism instead. Whereas the ptr mechanism resolves a single IP address to a domain name and costs a lookup, ip4 lets you list a static IP range in your SPF record without any DNS lookup.
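The counting rule described above (a, mx, include, ptr, exists and redirect each cost one lookup, include and redirect also pull in the lookups of the referenced record, ip4/ip6 cost none) as an added example, not code from the original article; the domains and records are constructed, and an in-memory table stands in for DNS so it runs offline.

```python
# Added example: count the DNS-querying terms in an SPF record the way a
# receiving MTA's SPF check does, following include/redirect into the
# referenced domains, and flag the record when it exceeds the limit of 10.
LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}
SPF_LIMIT = 10

# Constructed sample zone (hypothetical domains, not real DNS data).
ZONE = {
    "example.test": "v=spf1 include:_spf.crm.test include:mail.saas.test "
                    "a mx ptr include:old-vendor.test -all",
    "_spf.crm.test": "v=spf1 include:crm-eu.test include:crm-us.test ~all",
    "crm-eu.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "crm-us.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "mail.saas.test": "v=spf1 a mx redirect=saas-core.test",
    "saas-core.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "old-vendor.test": "v=spf1 a:relay.old-vendor.test mx -all",
    # Flattened replacement: the same senders listed as ip4 networks.
    "example-fixed.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                          "ip4:203.0.113.0/24 a mx -all",
}

def count_lookups(domain, zone=ZONE, depth=0):
    """Total DNS-querying terms reachable from the domain's SPF record."""
    if depth > SPF_LIMIT:   # every nesting level costs >= 1 lookup, so an
        return SPF_LIMIT + 1  # include loop is already over budget here
    record = zone.get(domain, "")
    count = 0
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        # strip qualifier (+-~?) and any ":target", "=target" or "/cidr" part
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0]
        if name.lower() not in LOOKUP_TERMS:
            continue                         # ip4, ip6 and all cost nothing
        count += 1
        if name == "include":
            count += count_lookups(term.split(":", 1)[1], zone, depth + 1)
        elif name == "redirect":
            count += count_lookups(term.split("=", 1)[1], zone, depth + 1)
    return count

def spf_result(domain, zone=ZONE):
    """'permerror' when the record exceeds the lookup limit, else 'ok'."""
    return "permerror" if count_lookups(domain, zone) > SPF_LIMIT else "ok"

if __name__ == "__main__":
    for d in ("example.test", "example-fixed.test"):
        print(d, count_lookups(d), spf_result(d))
```

Running it shows the original record at 13 lookups (permerror) and the flattened record at 2 (ok), with the nested includes accounting for most of the difference.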
To conclude, you cannot publish multiple SPF records for your domain name. If you wish to add more sources, update the current record or replace it with a single new record that lists all of them. But one thing to remember is not to exceed the SPF lookup limit.