Suped

How can I optimize my SPF record to stay within the lookup limit when using multiple email sending services?

Summary

Optimizing an SPF record to stay within the 10 DNS lookup limit when using multiple sending services takes a multi-faceted approach. Key strategies include regularly auditing and removing unnecessary 'include' statements, validating vendor advice, and checking the 5321.From/return-path on all senders. Additionally, consider SPF flattening, delegating services to subdomains, prioritizing essential services, using SPF macros, consolidating services, and leveraging DKIM as an alternative or supplementary authentication method. Remember that multiple SPF records are invalid and all mechanisms should be consolidated into a single record. SPF authenticates the envelope From, not the header From. Some services, such as Shopify, now use subdomains with SPF records.

Key findings

  • Lookup Limit: SPF records are limited to 10 DNS lookups; exceeding this limit causes authentication failures.
  • Unnecessary Includes: Unnecessary includes are a common cause of exceeding the lookup limit.
  • Vendor Advice: Vendors may provide incorrect advice leading to unnecessary SPF entries; always validate.
  • Return Path: Check the 5321.From/return-path of all senders before making SPF decisions.
  • SPF Flattening: SPF flattening reduces DNS lookups but requires regular updates.
  • Subdomains: Delegating services to subdomains isolates lookups.
  • DKIM: DKIM can supplement or replace SPF for authentication.
  • Single Record: Only one SPF record per domain is valid; consolidate includes.
  • Record Size: Large SPF records can cause issues and should be kept small.

Key considerations

  • Regular Audits: Regularly audit and remove any includes that are not essential.
  • Validation: Ensure the accuracy of vendor recommendations before implementing changes.
  • Maintenance: SPF flattening requires frequent updates to reflect IP address changes.
  • Testing: Thoroughly test any changes to the SPF record to ensure email deliverability is not negatively impacted.
  • Shopify Config: Shopify and similar services using subdomains for sending can simplify SPF configuration.

What email marketers say

10 marketer opinions

Optimizing SPF records involves staying within the 10 DNS lookup limit when using multiple email sending services. Strategies include using SPF flattening services, delegating services to subdomains, auditing and removing unnecessary includes, prioritizing essential services, using SPF macros, consolidating services, and using tools to check lookup counts. It's also important to remember that multiple SPF records are invalid and all mechanisms should be consolidated into one record. Some services such as Shopify now use subdomains with SPF records.

Key opinions

  • SPF Flattening: SPF flattening reduces DNS lookups but requires regular updates.
  • Subdomains: Delegating services to subdomains isolates lookups.
  • Record Auditing: Regularly audit and remove unnecessary includes.
  • Prioritization: Prioritize essential services in SPF.
  • SPF Macros: Consider using SPF macros to reduce lookup count.
  • One Record: Multiple SPF records are invalid; consolidate them.
  • Consolidation: Reduce the number of external services by consolidation.
  • Shopify Configuration: Shopify now uses a subdomain that resolves to Sendgrid, simplifying the SPF configuration for the main domain.

Key considerations

  • Update Frequency: SPF flattening requires frequent updates to reflect IP address changes.
  • DKIM Alternative: Evaluate if less critical services can use DKIM instead of SPF.
  • Lookup Tools: Use tools to check SPF lookup counts to identify optimization opportunities.
  • Testing: Thoroughly test any changes to the SPF record to ensure email deliverability is not negatively impacted.
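The lookup count that checking tools report can be reproduced offline. The following is an added example, not code from any of the quoted sources: it walks a constructed in-memory zone (all names and addresses are placeholders), counts every lookup-costing term, and flags duplicate records. It assumes include targets contain no macros.

```python
import re

LOOKUP_LIMIT = 10                                   # RFC 7208, section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists"}   # mechanisms that cost a DNS query
# Constructed TXT data standing in for DNS; every name and address is a placeholder.
ZONE = {
    "example.com": ["v=spf1 mx include:mail.example include:crm.example "
                    "include:helpdesk.example include:shop.example ~all"],
    "mail.example": ["v=spf1 include:a.mail.example include:b.mail.example ~all"],
    "a.mail.example": ["v=spf1 ip4:192.0.2.0/26 ~all"],
    "b.mail.example": ["v=spf1 ip6:2001:db8::/48 ~all"],
    "crm.example": ["v=spf1 include:esp.example ~all"],
    "shop.example": ["v=spf1 include:esp.example ~all"],
    "esp.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "helpdesk.example": ["v=spf1 a mx ip4:203.0.113.8 ~all"],
    "dup.example.com": ["v=spf1 mx ~all", "v=spf1 include:crm.example ~all"],
}
# After the audit (assumed outcome): helpdesk include dropped, shop moved to a subdomain.
ZONE_FIXED = {**ZONE,
    "example.com": ["v=spf1 mx include:mail.example include:crm.example ~all"],
    "shop.example.com": ["v=spf1 include:shop.example ~all"]}

class PermError(Exception):
    """Raised when a record cannot be evaluated (duplicates, missing target, loop)."""

def count_lookups(domain, zone, seen=()):
    """Static worst case: every lookup-costing term reachable from domain's record."""
    if domain in seen:
        raise PermError(f"include loop at {domain}")
    recs = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        raise PermError(f"{domain}: {len(recs)} SPF records, need exactly one")
    total = 0
    for term in recs[0].lower().split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0]
        if name in COUNTED or name == "redirect":
            total += 1
        if name in ("include", "redirect"):         # nested records count too
            total += count_lookups(term[len(name) + 1:], zone, seen + (domain,))
    return total

def audit(domain, zone):
    """Return (lookups, verdict); lookups is None when the record cannot be evaluated."""
    try:
        n = count_lookups(domain, zone)
    except PermError as e:
        return None, f"permerror: {e}"
    return n, "ok" if n <= LOOKUP_LIMIT else "permerror: too many DNS lookups"
```

In the constructed zone the original record reaches 11 lookups, while the trimmed apex record and the delegated subdomain each stay under the limit on their own.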

Marketer view

Email marketer from DMARC Analyzer recommends prioritizing essential sending services in your SPF record and evaluating whether less critical services can be authenticated using alternative methods like DKIM.

3 Jan 2022 - DMARC Analyzer

Marketer view

Email marketer from StackOverflow suggests using SPF macros where feasible, which can help reduce the total number of DNS lookups compared with using includes.

18 Nov 2022 - StackOverflow

What the experts say

5 expert opinions

Optimizing SPF records to stay within the lookup limit involves removing unnecessary includes, validating vendor advice, and checking the 5321.From/return-path on all senders. Exceeding 10 lookups makes the SPF invalid. A key strategy is ensuring that only essential services and domains are included in the SPF record to minimize its size and complexity.

Key opinions

  • Invalid Lookup Count: SPF records with more than 10 DNS lookups are invalid.
  • Vendor Advice: Vendors may provide incorrect advice leading to unnecessary SPF entries.
  • Return-Path Check: Check the 5321.From/return-path of all senders before making SPF decisions.
  • Unnecessary Includes: Unnecessary includes are a common cause of exceeding the lookup limit.
  • Record Size: Large SPF records can cause issues and should be kept small.

Key considerations

  • Regular Review: Regularly review and remove any includes that are not essential.
  • Authentication Needs: Ensure SPF is only used for senders where the domain is in the return path.
  • Impact of Changes: Carefully consider the impact of removing an include on deliverability from that service.
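The return-path check can be scripted against one received message per sending service. The following is an added example, not code from the quoted experts: the sample headers are constructed, and `OUR_DOMAIN` and the service names are assumptions. It reports which domain's SPF record a receiver would consult for each sender, and so which includes do no work in the apex record.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the domain whose SPF record is being audited

# Constructed samples: headers of one received message per sending service.
SAMPLES = {
    "crm": "Return-Path: <news@example.com>\nFrom: News <news@example.com>\n\n",
    "helpdesk": "Return-Path: <b+77@bounce.helpdesk.example>\n"
                "From: Support <support@example.com>\n\n",
    "shop": "Return-Path: <msg@shop.example.com>\nFrom: Shop <orders@example.com>\n\n",
}

def envelope_domain(raw):
    """Domain of the Return-Path header, which records the SMTP MAIL FROM address."""
    addr = parseaddr(message_from_string(raw).get("Return-Path", ""))[1]
    return addr.rpartition("@")[2].lower()

def spf_scope(raw, our_domain=OUR_DOMAIN):
    """Say whose SPF record a receiver evaluates for this message."""
    dom = envelope_domain(raw)
    if not dom:
        return "none"        # null or missing return-path: nothing to decide here
    if dom == our_domain:
        return "apex"        # sender belongs in our_domain's record
    if dom.endswith("." + our_domain):
        return "subdomain"   # sender belongs in that subdomain's own record
    return "vendor"          # vendor's own domain: an include in ours is never used

def unnecessary_includes(samples):
    """Services whose include can leave the apex record without affecting SPF."""
    return sorted(svc for svc, raw in samples.items() if spf_scope(raw) == "vendor")
```

For a sender in the "vendor" group, SPF is evaluated against the vendor's domain and cannot align with the header From under DMARC, so DKIM signing with your own domain carries authentication for that mail.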

Expert view

Expert from Email Geeks responds to a previous answer about SPF record lookups, clarifying that an SPF record with 11 lookups is invalid, and it's not accurate to say only the 11th lookup will fail. She suggests the problem is likely due to publishing too many unnecessary SPF lookups.

11 Jul 2024 - Email Geeks

Expert view

Expert from Email Geeks advises checking the 5321.From / return-path / bounce domain on all senders before making any decisions about SPF records.

22 May 2023 - Email Geeks

What the documentation says

5 technical articles

To optimize SPF records and stay within the 10 DNS lookup limit, documentation emphasizes the importance of managing 'include' mechanisms carefully, as they trigger additional lookups. Properly structuring SPF records, using 'ip4' and 'ip6' mechanisms when possible, and regularly reviewing and removing unnecessary mechanisms are crucial. DKIM can also be used as an alternative or supplement when SPF limits are difficult to meet. SPF authenticates the envelope From, not the header From, so care is required.

Key findings

  • Lookup Limit: SPF records are limited to 10 DNS lookups.
  • Include Mechanism: 'Include' mechanisms trigger additional lookups and should be managed carefully.
  • IP4/IP6 Mechanisms: Using 'ip4' and 'ip6' mechanisms instead of 'include' can minimize lookups.
  • DKIM Alternative: DKIM can be used as an alternative or supplement to SPF when SPF limits are hard to meet.
  • Authenticates Envelope: SPF authenticates the envelope from, not the header from.

Key considerations

  • Regular Review: Regularly review SPF records and remove unnecessary mechanisms.
  • Record Structuring: Properly structure SPF records to minimize DNS lookups.
  • Trade Offs: Consider the trade-offs between SPF and DKIM when implementing authentication methods.
  • Alternative Methods: Consider alternative methods where possible, given SPF's limitations.

Technical article

Documentation from SparkPost details the importance of DKIM. When possible, use DKIM instead of, or in addition to, SPF. This ensures you can still authenticate your emails when you are unable to meet the SPF requirements.

22 Dec 2024 - SparkPost

Technical article

Documentation from Microsoft explains that properly structuring your SPF records, including using the 'ip4' and 'ip6' mechanisms instead of 'include' where possible, can help minimize DNS lookups and stay within the limit.

18 Oct 2023 - Microsoft
