Using SPF Flattening to Avoid SPF PermError – SPF too many DNS lookups

Understand more about SPF PermError and how to fix it.

Whenever organizations set up an SPF record on their domain, they often run into an SPF permanent error, reported as “SPF PermError: too many DNS lookups”. It shows up in an SPF record checker or in the results reported by a receiving mail server that implements SPF.

What is Permerror?

The result of a Sender Policy Framework (SPF) check is returned to the sending Mail Transfer Agent (MTA) during the SMTP conversation. Organizations can inspect these verification results, but remember that not all mailbox providers perform SPF authentication.

PermError means that the mailbox provider could not evaluate the published SPF record. It usually stems from a format or syntax error in the sender domain’s SPF record. When an SPF check returns “SPF PermError: too many DNS lookups”, DMARC treats it as a fail, because DMARC interprets every permanent error as a failure. To avoid the error, domain owners must set up their SPF record correctly, with no unrecognized characters or stray spaces in the DNS TXT record.

Why Do Users Get the PermError “too many DNS lookups”?

Users get the “SPF PermError: too many DNS lookups” error for the following reasons:

  • Every SPF record has a built-in limit of 10 DNS lookups per check. Each DNS-querying mechanism (include, a, mx, ptr, exists, and the redirect modifier) that users add to their record costs one lookup; these mechanisms are how additional IP addresses are authorized.
  • Since most enterprises use third-party vendors that send email on behalf of their domain, they need to authorize more IP addresses. The more IPs to authorize, the more mechanisms are required.
  • Once the SPF record exceeds the 10 DNS lookup limit, the domain owner receives a ‘PermError’ result: the receiving mail server treats the SPF record as invalid and does not evaluate it.

Why The 10 DNS Lookup Limit?

You might be wondering why there is a seemingly arbitrary limit of 10 DNS lookups. The limit exists to thwart Denial-of-Service (DoS) attacks, as the following example shows:

  • A malicious actor publishes an SPF record on the example.com domain that references the domain user.com.
  • He sends large volumes of email from example.com to various email service providers (ESPs) hosting mailboxes with SPF implemented.
  • On receiving each message, the ESP queries the DNS for user.com.
  • The traffic is amplified because more than one ESP is involved, resulting in a DoS attack on user.com.
  • The critical point is that the source of the attack remains hidden.

As the example shows, malicious actors can exploit the SPF mechanism to carry out DoS attacks on unsuspecting domains. Because the consequences can be severe, the simple remedy is to cap the number of DNS lookups per check. With the amplification capped at 10, email service providers can keep such attacks in check.

The Solution: SPF Flattening

So, what is the solution to the PermError? It is called SPF flattening. By flattening the SPF record, users can reduce the number of DNS-querying mechanisms to one. SPF record flattening works as follows:

  • Users query the DNS to obtain the IP addresses behind every DNS-querying mechanism.
  • They then replace each such mechanism with the IP addresses it resolved to.
  • Each replaced mechanism reduces the lookup count by one.
  • Once all mechanisms are replaced, the count comes down to one: the only DNS query left is for the topmost SPF record itself.

This technique can help users transform a complex SPF record into a flat IP address list and stay in the “safe zone”.
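As an added illustration (not code from the original article), the following Python walks a constructed, offline DNS table instead of querying live DNS, counts the lookup-consuming terms reached from a record (the 10-lookup limit from the previous section) and then flattens the record into literal ip4 terms as described above. Every hostname and address in the table is hypothetical, and the flattened result needs zero further lookups; the article's count of one is the initial fetch of the record itself.

```python
import re

# Constructed, offline stand-in for live DNS; every hostname and address here
# is hypothetical and taken from documentation ranges.
DNS = {
    "example.com": {
        "TXT": "v=spf1 include:_spf.mailer.example a mx ip4:203.0.113.10 -all",
        "A": ["203.0.113.1"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.2"]},
    "_spf.mailer.example": {
        "TXT": "v=spf1 include:_spf2.mailer.example ip4:198.51.100.0/24 ~all"},
    "_spf2.mailer.example": {"TXT": "v=spf1 a -all", "A": ["198.51.100.200"]},
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10 per check).
LOOKUP_TERMS = {"include", "redirect", "a", "mx", "ptr", "exists"}

def terms(record):
    """Yield (name, argument) pairs for each term after the v=spf1 tag."""
    for term in record.split()[1:]:
        parts = re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")

def count_lookups(record):
    """Count DNS-querying terms reached from this record, following includes."""
    total = 0
    for name, arg in terms(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):      # nested records count too
            total += count_lookups(DNS[arg]["TXT"])
    return total

def collect_ips(domain):
    """Resolve include/redirect/a/mx terms to the literal networks they cover."""
    ips = []
    for name, arg in terms(DNS[domain]["TXT"]):
        if name in ("include", "redirect"):
            ips += collect_ips(arg)
        elif name in ("ip4", "ip6"):
            ips.append(f"{name}:{arg}")
        elif name == "a":
            ips += [f"ip4:{ip}" for ip in DNS[arg or domain]["A"]]
        elif name == "mx":
            for host in DNS[arg or domain]["MX"]:
                ips += [f"ip4:{ip}" for ip in DNS[host]["A"]]
    return ips

def flatten(domain, policy="-all"):
    """Build the flattened record: only ip4/ip6 terms, so zero further lookups.
    A flattened record can grow long; each DNS TXT string holds at most 255 octets."""
    return "v=spf1 " + " ".join(dict.fromkeys(collect_ips(domain))) + " " + policy
```

In practice the DNS dictionary would be replaced by real resolver queries, and the record regenerated whenever a provider's addresses change.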

Manual Flattening Vs. Automatic Flattening

While manual flattening is a robust way to remove the PermError, it breaks down as soon as ESPs change or add IP addresses without telling the domain owner. The SPF record then becomes inaccurate, leading to email delivery problems. It is therefore prudent to monitor the changes made by email service providers continually.

There is a better option: automatic SPF flattening, which updates domain owners’ SPF records automatically. Service providers offer to flatten organizations’ SPF records for them, saving time and resources.

SPF flattening is a prudent workaround for the “SPF PermError: too many DNS lookups” error. However, do not flatten your SPF record unless it is genuinely complex, because flattening can affect the trustworthiness of your domain. If you are unsure how to generate your business domain’s SPF records accurately, have an expert check them and suggest the best solution for you.