Suped
What is universal SPF and how does it help fix broken SPF policies?
Summary
Universal SPF is presented as a layer 2 extension designed to address broken SPF policies and improve email deliverability by working around limitations of the existing SPF protocol, especially the 10 DNS lookup limit. Common SPF errors such as exceeding the DNS lookup limit, syntax errors, and incorrect use of 'include' statements can cause 'permerror' results, leading to hard fails. Universal SPF aims to signal receiving servers to allow these policies to still pass or fail as intended, while techniques like SPF flattening can also reduce DNS lookups. However, Universal SPF is not an officially recognized IETF extension, and the term 'extension' may be misleading. The original SPF was designed to mitigate DoS attacks, and correct configuration is critical to avoid deliverability issues.

Key findings

  • Universal SPF Purpose: Aims to fix broken SPF policies and improve email deliverability.
  • Layer 2 Extension: Presented as a layer 2 extension of SPF.
  • DNS Lookup Limit: Addresses the 10 DNS lookup limit.
  • SPF Errors: Common errors include exceeding DNS lookups, syntax errors, and incorrect 'include' usage.
  • Permerror and Hard Fail: 'Permerror' can lead to hard fails, causing deliverability issues.
  • SPF Flattening: Technique to reduce DNS lookups by replacing 'include' statements.

Key considerations

  • Official Status: Not an officially recognized IETF extension.
  • Terminology: The use of 'extension' may be misleading.
  • Configuration Importance: Correct SPF configuration is critical to avoid deliverability issues.
  • Mitigation Alternatives: SPF flattening and other techniques can also help manage DNS lookup limits.
  • Original Intent: Original SPF design was intended to mitigate DoS attacks.
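
How the 10-lookup limit is reached, and what flattening changes, shown as an added example that is not from the original page: a worst-case counter for the DNS-querying SPF terms (include, a, mx, ptr, exists, redirect) run over a constructed zone. All domain names and records are made up; macros and the separate void-lookup limit are ignored.

```python
import re

LOOKUP_LIMIT = 10  # SPF cap on DNS-querying terms per evaluation
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed sample zone (domain -> SPF TXT record); no real DNS is queried.
ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mailer.test "
                    "include:_spf.crm.test include:_spf.desk.test ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test "
                        "include:_b.mailer.test include:_c.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/28 ~all",
    "_b.mailer.test": "v=spf1 ip4:192.0.2.16/28 ~all",
    "_c.mailer.test": "v=spf1 ip4:192.0.2.32/28 ~all",
    "_spf.crm.test": "v=spf1 include:_x.crm.test include:_y.crm.test ~all",
    "_x.crm.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_y.crm.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_spf.desk.test": "v=spf1 a:out.desk.test mx:desk.test ~all",
}

# Flattened variant: includes replaced by the addresses they resolved to.
FLAT = dict(ZONE)
FLAT["example.test"] = ("v=spf1 a mx ip4:192.0.2.0/27 ip4:192.0.2.32/28 "
                        "ip4:198.51.100.0/24 ip4:203.0.113.10 ~all")


def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from a domain."""
    if domain in path:
        raise ValueError("include loop via " + domain)
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        m = TERM.match(term.lower())
        if not m:
            continue
        name, target = m.group(1), m.group(2)
        if name in ("include", "redirect"):
            # One query for the target record, plus whatever it pulls in.
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1  # ip4, ip6 and all cost no lookup
    return total


def check(domain, zone):
    """Return (result, lookups); more than 10 lookups is a permerror."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LOOKUP_LIMIT else "ok", n)
```

Flattened addresses are a snapshot: when a provider changes its ranges, the flattened record has to be regenerated.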
What email marketers say
12 marketer opinions
Universal SPF is presented as a layer 2 extension to the existing SPF protocol, designed to address limitations and misconfigurations that lead to broken SPF policies. Primarily, it aims to circumvent the 10 DNS lookup limit imposed by standard SPF, which is often exceeded due to excessive 'include' statements or syntax errors. By providing a mechanism to signal receiving servers to allow 'permerror' policies (those with errors) to still pass or fail as intended, and by potentially using techniques like SPF flattening, Universal SPF seeks to improve email deliverability and protect against sending failures caused by SPF misconfigurations or operational concerns like potential DoS attacks from spammers. However, the term 'extension' is contentious, as Universal SPF is not an officially recognized IETF extension, and there are alternative methods like SPF flattening to mitigate DNS lookup issues.

Key opinions

  • Definition: Universal SPF is a layer 2 extension to SPF that aims to fix broken SPF policies.
  • Purpose: It provides a mechanism for domain operators to signal that broken policies should still return a pass or fail result.
  • Problem Addressed: It addresses the 10 DNS lookup limit in standard SPF, often exceeded by multiple 'include' statements.
  • SPF Errors: Common SPF errors include exceeding DNS lookup limits and syntax errors leading to SPF failures.
  • Alternative Solutions: SPF flattening can also reduce DNS lookups by replacing 'include' statements with IP addresses.
  • Operational Concerns: Original SPF design was to limit DoS attacks from spammers.

Key considerations

  • Official Status: Universal SPF is not an officially recognized IETF extension.
  • Terminology: The use of the term 'extension' may be misleading.
  • Alternative Solutions: Techniques like SPF flattening can also resolve DNS lookup issues.
  • Implementation: Misconfigurations in SPF are common and can lead to deliverability issues.
  • Complexity: Correct SPF configuration is complex and requires attention to detail to avoid errors.
Marketer view
Email marketer from Email Geeks shares an update on a universal SPF extension that protects a domain's delivery against accidents, is supported by major providers, has been adopted by 300+ domains, and fixes broken SPF policies.
12 Sep 2022 - Email Geeks
Marketer view
Email marketer from Stack Overflow explains that SPF PermError indicates that the SPF record has syntax errors or exceeds the 10 DNS lookup limit.
19 Mar 2023 - Stack Overflow
What the experts say
1 expert opinion
An expert from Word to the Wise explains that standard SPF has a hard limit of 10 DNS lookups and Universal SPF has the potential to fix issues due to exceeding the DNS lookup limits where misconfiguration has occurred.

Key opinions

  • SPF Lookup Limit: Standard SPF has a hard limit of 10 DNS lookups.
  • Universal SPF Potential: Universal SPF may address issues from exceeding those limits, especially in misconfigured systems.

Key considerations

  • Misconfiguration Focus: The expert highlights Universal SPF's potential benefit primarily in scenarios where SPF lookup limits are misconfigured.
Expert view
Expert from Word to the Wise explains that SPF has a hard limit of 10 DNS lookups. Universal SPF could potentially address issues arising from exceeding these limits, when those lookup limits are misconfigured.
17 Aug 2022 - Word to the Wise
What the documentation says
3 technical articles
SPF documentation highlights that a 'permerror' in SPF records, often due to syntax errors or exceeding DNS lookup limits, results in a hard fail. This signifies that the sending server isn't authorized, which is frequently caused by improper configurations or exceeding the lookup limits defined in the SPF protocol.

Key findings

  • Permerror Definition: A 'permerror' indicates syntax errors or exceeding DNS lookup limits in SPF records.
  • Hard Fail Result: Mail servers treat 'permerror' as a hard fail, meaning the sending server is not authorized.
  • Common Causes: Improper SPF configurations and exceeding DNS lookup limits are common causes of hard fails.

Key considerations

  • Configuration Importance: Proper SPF record configuration is critical to avoid hard fails.
  • Lookup Limits: Staying within the DNS lookup limits defined by the SPF protocol is essential.
  • Syntax Errors: Avoiding syntax errors in SPF records is vital for proper authentication.
Technical article
Documentation from openspf.org explains a permerror result means the SPF record contained a syntax error, such as exceeding the maximum number of DNS lookups. Mail servers will generally treat a permerror as a hard fail.
5 Oct 2022 - openspf.org
Technical article
Documentation from rfc-editor.org specifies the syntax and semantics of the Sender Policy Framework (SPF) protocol. It outlines the mechanisms and modifiers used in SPF records and how they are evaluated during SPF checks, including the DNS lookup limitations.
30 Sep 2022 - rfc-editor.org