
How can I avoid SPF failures if I exceeded the DNS lookup limit?

When you set up SPF (Sender Policy Framework) on a domain, sometimes you can receive an SPF permanent error saying “SPF PermError: too many DNS lookups”. It is a common error that is returned when an often overlooked SPF 10-DNS-lookup limit is exceeded.

According to RFC 7208:

“Some mechanisms and modifiers (collectively, “terms”) cause DNS queries at the time of evaluation, and some do not. The following terms cause DNS queries: the “include”, “a”, “mx”, “ptr”, and “exists” mechanisms, and the “redirect” modifier. SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS. If this limit is exceeded, the implementation MUST return “permerror”.”

An SPF PermError can affect your email deliverability because such an error is interpreted by DMARC as FAIL, and consequently, the email might not reach the Inbox, depending on the email receiver’s settings.

Therefore, it’s strongly recommended to keep the DNS-querying mechanisms/modifiers in your SPF record equal to or less than 10.

You can test the SPF record for your domain using the GlockApps SPF checker.


How to Avoid Exceeding the 10 DNS lookup Limit

Below are the common practices that allow you to comply with the 10 DNS lookup limit when creating an SPF record:

1. Remove unnecessary “include” statements.

An “include” statement is a mechanism that makes the receiver fetch and evaluate another domain’s SPF record to check whether the sending IP is authorized there. Each “include” statement, in the original SPF record and in any of the SPF records it pulls in, counts toward the limit of 10.

Ensure each “include” statement in your SPF record is necessary and cannot be replaced with another mechanism that is not counted against the limit.

The “all”, “ip4”, and “ip6” mechanisms, and the “exp” modifier do not cause DNS queries at the time of SPF evaluation (the “exp” modifier only causes a lookup at a later time), and their use is not subject to the 10 DNS lookup limit.

Example:

SPF record (length=172, total lookups=12) for domain: daxx.com
v=spf1 a mx ip4:5.189.133.26 include:_spf.exactonline.nl include:_spf.google.com include:whitelabel.daxx.com include:_spf.exactonline.co.uk include:spf.flowmailer.net -all

This record is considered broken and can be fixed by reducing the number of total lookups / modifiers.
Total lookups 12/10.

Error: include: whitelabel.daxx.com SPF record not found.
Warning: include:spf.flowmailer.net already included.

After removing unnecessary “include” statements, the SPF record is returned as correct:

SPF record (length=86, total lookups=8) for domain: daxx.com
v=spf1 a mx ip4:5.189.133.26 include:_spf.exactonline.nl include:_spf.google.com -all

Everything appears fine with your SPF record.
Total lookups 8/10.

2. Use ip4 and ip6 mechanisms.

Use the ip4 or ip6 mechanism instead of an “include” statement where possible. The ip4 and ip6 mechanisms list a static IP address or range directly in your SPF record.

For example, here is an SPF record with two “include” statements:

v=spf1 a mx ip4:5.189.133.26 include:_spf.exactonline.nl include:_spf.google.com -all

Total lookups 8/10.

In this example, exactonline.nl’s SPF record contains two static IP ranges (185.136.64.128/27 and 185.136.65.128/27). When the “include” statement is replaced with ip4 mechanisms, the total lookup count drops by 2, from 8 to 6.

v=spf1 a mx ip4:5.189.133.26 ip4:185.136.64.128/27 ip4:185.136.65.128/27 include:_spf.google.com -all

Total lookups 6/10.

This replacement helps you reduce the number of DNS lookups if you are using multiple “include” statements in the SPF record.


3. Remove mechanisms that resolve to the same domain.

For example, the SPF record below references both the exactonline.nl and flowmailer.net domains.

v=spf1 a mx ip4:5.189.133.26 include:_spf.exactonline.nl include:_spf.google.com include:whitelabel.daxx.com include:_spf.exactonline.co.uk include:spf.flowmailer.net -all

However, exactonline.nl’s SPF record already contains an “include” statement for flowmailer.net. This means that the include:spf.flowmailer.net mechanism is redundant and has to be removed.


4. Remove “ptr” mechanisms.

The “ptr” mechanism uses reverse DNS (PTR) records to resolve the sending IP address to a domain or hostname. The SPF specification doesn’t recommend using the “ptr” mechanism in an SPF record because it can result in a high number of DNS lookups, which will quickly push you over the limit of 10.


5. Remove references to invalid and unused domains.

You should remove any “include” statements that redirect the SPF check to a domain, for example a partner’s or vendor’s domain, that no longer sends email on your behalf.

You should also make sure that every domain referenced in your SPF record resolves to an active SPF record. Any that do not should be removed to reduce the number of DNS lookups; the lookup still counts even when no record is found.


6. Use a flattened SPF record.

Sometimes you may not be able to comply with the 10 DNS lookup limit no matter what changes you make to the SPF record. As a workaround, you can use a flattened SPF record, which reduces the number of DNS-querying mechanisms/modifiers down to 1.

This is how “SPF record flattening” works:

1. Query the DNS to get the IP addresses for each of the DNS-querying mechanisms/modifiers used in the record.

2. Replace the original mechanism/modifier with the IP addresses.

Each time a mechanism or a modifier is replaced, the total count of DNS lookups is decremented by 1. After all such mechanisms/modifiers are replaced, the total count becomes 1 as only the topmost SPF record needs a DNS query.
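As an added example (not GlockApps code), here is a small Python model of both the lookup counting shown in the tool output above and the two flattening steps, run over a constructed in-memory zone rather than real DNS. It assumes lowercase records without CIDR suffixes on “a”/“mx” or macros, and counts terms as RFC 7208 does, so a fully flattened record comes out at 0 (the tool output above counts the top-level TXT query itself, hence its 1).

```python
import re

# Constructed stand-in for DNS (example data, not real records): domain -> SPF TXT.
SPF_TXT = {
    "shop.example": ("v=spf1 a mx ip4:203.0.113.10 include:_spf.crm.example "
                     "include:_spf.mail.example include:_spf.crm.example "
                     "include:_spf.old-vendor.example ptr -all"),
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/27 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.64/27 ~all",
    "_spf.mail.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.eu.example include:_spf.us.example -all",
    "_spf.eu.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "_spf.us.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
HOSTS = {"shop.example": {"a": ["203.0.113.20"], "mx": ["203.0.113.30"]}}  # constructed A/MX
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=](.*))?$")

def parse(record):  # -> (qualifier, mechanism, value) for each term after the v=spf1 tag
    for tok in record.split()[1:]:
        qual, name, value = TERM.match(tok).groups()
        yield (qual or "+"), name, value

def check(domain, _seen=()):
    """Count DNS-querying terms as RFC 7208 does (an include/redirect counts itself plus
    everything in its target) and flag include targets that have no SPF record."""
    lookups, errors = 0, []
    for _, name, value in parse(SPF_TXT[domain]):
        if name not in DNS_TERMS:
            continue                                   # ip4, ip6, all, exp: no lookup
        lookups += 1
        if name in ("include", "redirect"):
            if value not in SPF_TXT:
                errors.append(f"include:{value} SPF record not found")
            elif value not in _seen:                   # stop on include loops
                sub_lookups, sub_errors = check(value, _seen + (domain,))
                lookups, errors = lookups + sub_lookups, errors + sub_errors
    return lookups, errors

def flatten(domain, _root=True):
    """Steps 1-2 above: swap each DNS-querying term for its addresses (ptr/exists are dropped)."""
    out = []
    for qual, name, value in (t for t in parse(SPF_TXT[domain]) if t[0] == "+"):  # '+' terms only
        if name in ("ip4", "ip6"):
            out.append(f"{name}:{value}")
        elif name in ("a", "mx"):                      # answers come from HOSTS
            out += [("ip6:" if ":" in ip else "ip4:") + ip
                    for ip in HOSTS.get(value or domain, {}).get(name, [])]
        elif name in ("include", "redirect") and value in SPF_TXT:
            out += flatten(value, _root=False)
    return out if not _root else "v=spf1 " + " ".join(dict.fromkeys(out)) + " -all"
```

The constructed root record needs 11 lookups (the duplicate include and the missing vendor domain each still count), while its flattened form lists seven addresses and needs none.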

You can get a flattened SPF record for your domain using the GlockApps SPF Validator.


The good thing is that the SPF flattening technique lets you turn a very complex SPF record that needs more than 10 DNS lookups into a plain list of IP addresses and stay in the safe zone.

The bad thing is that a flattened SPF record is a snapshot: when a listed provider changes its IP addresses, the flattened record goes stale and SPF authentication produces incorrect results.

You have to monitor the IP addresses and manually update the SPF record in the DNS whenever necessary.

We recommend that you use a flattened SPF record only as a last resort, when you cannot arrive at a compliant SPF record after optimizing it with the tips above.

Updated on December 24, 2020
