How to Optimize Your SPF Record
The SPF standard requires that any SPF record must comply with the 10-DNS-lookup limit. It means that any SPF record that causes more than 10 DNS queries is not valid, and any attempt to authenticate SPF for an email from the domain will lead to an error.
The “include”, “a”, “mx”, “ptr”, and “exists” mechanisms and the redirect modifier do count against this limit. The “all”, “ip4”, and “ip6” mechanisms do not require DNS lookups and therefore do not count against the 10-DNS-lookup limit.
In this post, we will tell about how you can optimize a bloated SPF record to make SPF authentication pass. This primarily concerns delivery services who send emails for their customers and ask their customers to include an SPF record to their domain’s DNS. But it can be also useful to senders publishing their own SPF records.
Avoid Costly SPF Mechanisms
Re-think about using the “mx” mechanism. It makes an SPF record look simpler but it always triggers a DNS lookup that counts against the 10-DNS-lookup limit.
Instead of “mx”, consider the “ip4” and “ip6” mechanisms to list the IP addresses your host and MX send emails from. Though your SPF record will look longer, it will be actually smaller from the perspective of DNS queries, as a single “mx” mechanism costs more than 20 “ip4” mechanisms.
Similarly, avoid the “a” mechanism as it can also be replaced with “ip4” or “ip6”.
Don’t use “ptr” as they are deprecated by the current SPF RFC.
Verify the IP Addresses
If you have many “ip4” and “ip6” mechanisms, make sure they’re not excessive. Are there any IP addresses that you are not using? Are there any IP address ranges that can be merged? For example, “ip4:x.y.z.4/24” and “ip4:x.y.z.5/24” can be replaced with “ip4:x.y.z.4/23”.
CIDR blocks generated from IP address ranges can sometimes give very inefficient representations. The IP range 10.11.12.1-10.11.12.254 needs 14 “ip4” mechanisms to represent precisely. Instead, you can use the single mechanism “ip4:10.11.12.0/24”, even if you’re not sending any email from the .0 or .255 addresses.
You don’t need a “~all” or “-all” at the end of a TXT record that is only included in another SPF record, not used directly. It won’t do any harm but it eats a few characters.
Split Your SPF Record
An SPF record can contain one or more strings of text and each string can contain no more than 255 characters. An SPF checker will take all of the strings in a TXT record and bind them together before it starts looking at the content. So you can have more than 255 characters in the SPF record by splitting it into more than one string.
But keep your DNS packets less than 512 bytes long. Count the DNS overhead for a reply that contains a single TXT record with two strings which is about 34 bytes, then add the length of the hostname that’s being queried. So to comply with the 512-byte limit you need to break your SPF into pieces of no more than 478 minus the length of the hostname.
Then you need to break that SPF data into two strings. As they will be bonded with no white space added, so you need to include the space at the end of the first string or the beginning of the second string.
Test Your SPF Record
Optimizing the SPF record is important but difficult. To help you do it, we at GlockApps created an SPF checking tool.
You can enter your domain and click the button to check your SPF record. Or you can copy-paste your SPF record to check its syntax.
The GlockApps SPF Flattener:
– checks if the SPF record syntax is correct;
– makes sure the number of mechanisms and modifiers in the SPF record that do DNS lookups is under 10;
– “flattens” the SPF record into a list of plain IP addresses, so that you can check them one by one, in case you need to track down some obstinate SPF issues.
With the GlockApps DMARC Monitor, you can determine any illegal sources sending on behalf of your domain and make sure that all your legal sources pass the SPF, DKIM, and DMARC authentication.
You can activate the DMARC Monitor trial in your GlockApps account and test it during 14 days to get the DMARC data and analyze your email traffic.
GlockApps Spam Testing for Marketers and Agencies
Scan your emails through all the major spam filters before you send.
Get actionable tips for improving your delivery rate for every email you send.
Improve your overall email performance by ensuring more emails are being delivered.