Suped

Why does MXToolbox report SPF as too think while other tools show a higher score?

Summary

MXToolbox may report SPF errors for several reasons: its inability to handle specific SPF lookup codes, its general sensitivity, its adherence to the 10 DNS lookup limit, and variations in configuration and testing methodologies. The 10 DNS lookup limit is easily exceeded when the 'include' mechanism is used excessively or when complex SPF records are in use. DNS propagation delays and caching mechanisms also contribute to the inconsistencies. If the limit is exceeded, a 'permerror' results and SPF authentication fails, which affects deliverability; some ESPs automatically ignore SPF results that go over the limit. Flattening SPF records is generally advised, and monitoring the number of DNS lookups with various tools is also good practice.

Key findings

  • Code Handling: MXToolbox might not handle certain SPF lookup codes correctly.
  • Tool Sensitivity: MXToolbox is known to be more sensitive than other tools and might identify potential issues other tools do not.
  • 10 Lookup Limit: SPF records are limited to 10 DNS lookups; exceeding this results in a 'permerror'.
  • Include Impact: The 'include' mechanism increases the DNS lookup count and can lead to exceeding the limit.
  • Configuration Variation: Tools can evaluate the same record differently because of differences in their configuration.
  • Caching/Propagation: DNS propagation and caching may lead to inconsistent results between tools.
  • ESP Behaviour: Some ESPs will ignore any SPF check result that goes over the limit.

Key considerations

  • Check Lookups: Use DNS tools to see the count of DNS lookups.
  • Simplify SPF: Reduce 'include' mechanisms.
  • Tool Awareness: Be aware of tool variations.
  • Minimize DNS lookups: Aim to use IP addresses rather than domain names.
  • Flatten SPF: Consider flattening your SPF records.

What email marketers say

8 marketer opinions

MXToolbox may report an SPF record as "too think" due to its sensitivity to the 10 DNS lookup limit, differences in tool configuration, testing methodologies, DNS propagation delays, or caching mechanisms. Complex SPF records with multiple includes can easily exceed the limit, while other tools may not be as thorough or updated, leading to inconsistencies in SPF validation. Some ESPs will automatically ignore SPF records that go over the limit, so flattening SPF records to be less than 10 lookups is a very important task.

Key opinions

  • 10 Lookup Limit: SPF records are limited to 10 DNS lookups, and exceeding this limit can cause errors.
  • Tool Sensitivity: MXToolbox is often more sensitive to SPF complexities and may report issues that other tools miss.
  • Include Impact: The 'include' mechanism adds to the DNS lookup count, potentially exceeding the limit.
  • Configuration Variation: Different tools have variations in their configuration, testing methodologies, and caching mechanisms which may lead to different evaluations.
  • Propagation Delays: DNS propagation delays may cause discrepancies between tools, with some having updated information and others not.
  • ESP Behaviour: Some ESPs will ignore any SPF check result that goes over the limit.

Key considerations

  • Flatten SPF Records: Simplify complex SPF records to reduce the number of DNS lookups.
  • Monitor SPF Lookups: Regularly check your SPF record with multiple tools to ensure it stays within the 10 lookup limit.
  • IP Addresses vs. Domains: Use IP addresses instead of domain names where possible to minimize DNS lookups.
  • Tool Selection: Be aware that different tools provide different results, so evaluate your SPF record with multiple tools.
  • DNS Propagation: Account for DNS propagation delays when making changes to your SPF record.

Marketer view

Email marketer from StackOverflow explains that when an SPF record uses `include:` to reference another domain's SPF record, all the lookups required by that included record also count towards the original domain's 10-lookup limit. This can lead to exceeding the limit more easily.

12 Aug 2022 - StackOverflow
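
The nested counting described above, as an added example that is not code from this page or from any of the tools it mentions: a lookup counter run over constructed TXT records held in a dictionary instead of live DNS. The `.example` domains and documentation-range addresses are made up, and the count is worst case (every term evaluated, no early match), which is an assumption of this sketch.

```python
import re

LIMIT = 10  # maximum DNS-querying terms per SPF check
# Terms that trigger a DNS query; ip4, ip6 and all do not.
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/](.*))?$", re.I)

# Constructed TXT records standing in for live DNS (hypothetical domains).
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mailer.example include:crm.example "
                   "exists:%{i}._spf.mta.salesforce.com ip4:192.0.2.10 -all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example "
                           "include:b.mailer.example include:c.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "b.mailer.example": "v=spf1 a:out.b.mailer.example ~all",
    "c.mailer.example": "v=spf1 mx ptr ~all",
    "crm.example": "v=spf1 include:relay.crm.example mx -all",
    "relay.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # Flattened equivalent: the same senders listed as literal networks.
    "flat.example.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 "
                        "ip4:203.0.113.0/24 -all",
}

def count_lookups(domain, zone, seen=()):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # ip4/ip6/all: no DNS query
        total += 1
        name, arg = m.group(1).lower(), m.group(2) or ""
        # Nested records count against the same limit. Macro targets such as
        # %{i} depend on the sending IP, so they are counted once, not followed.
        if name in ("include", "redirect") and "%" not in arg and arg not in seen:
            total += count_lookups(arg, zone, seen + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (result, lookup_count) for a domain's SPF record."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LIMIT else "ok", n)

if __name__ == "__main__":
    for d in ("example.com", "flat.example.com"):
        print(d, check(d))
```

The top-level record shows only five lookup terms, yet the two includes pull in eight more, which is how a record that looks short can still exceed the limit.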

Marketer view

Email marketer from WebHostingTalk Forum discusses that discrepancies in SPF results can be caused by DNS propagation delays, where some tools have updated information and others do not. They also point out the 10-lookup limit.

20 Jan 2024 - WebHostingTalk Forum

What the experts say

3 expert opinions

MXToolbox may report SPF errors due to its inability to handle certain SPF lookup codes like `exists:%{i}._spf.mta.salesforce.com`. While new code is in development to address this, the existing tool may produce false positives. A PermError can occur if your SPF record exceeds the 10 DNS lookup limit, often due to excessive 'include:' statements. Therefore, MXToolbox can be more strict and highlights potential issues that are worth investigating but may not always be accurate.

Key opinions

  • Code Handling: MXToolbox's current code doesn't handle `exists:%{i}._spf.mta.salesforce.com` lookups correctly, leading to false positives.
  • Development Update: New code is being developed to improve SPF validation accuracy.
  • 10 Lookup Limit: Exceeding the 10 DNS lookup limit in SPF records results in a PermError.
  • Include Statements: Excessive 'include:' statements contribute to exceeding the lookup limit.

Key considerations

  • Check DNS Lookups: Use the DNS tab in MXToolbox (or other tools) to examine the number of DNS lookups your SPF record is performing.
  • Simplify SPF Records: Reduce the number of 'include:' statements and other mechanisms that require DNS lookups to stay within the 10 lookup limit.
  • Monitor for Updates: Be aware that MXToolbox's SPF validation tool is being updated, so results may change in the future.
  • False Positives: Consider the possibility of false positives due to the tool's limitations, especially if using certain SPF lookup codes.

Expert view

Expert from Word to the Wise explains that exceeding the 10 DNS lookup limit will result in an SPF PermError, meaning a permanent error. This can occur if your SPF record has too many 'include:' statements or other mechanisms that require DNS lookups.

31 Jul 2024 - Word to the Wise

Expert view

Expert from Email Geeks shares that there is new code in the pipeline to validate SPF correctly, but it’s not yet live on the web tool.

11 Aug 2022 - Email Geeks

What the documentation says

5 technical articles

SPF implementations adhere to a strict 10 DNS lookup limit per check as defined by RFC specifications. Exceeding this limit, often due to excessive use of the 'include' mechanism, results in a 'permerror' and causes SPF authentication to fail, potentially impacting email deliverability. Microsoft recommends flattening SPF records when this limit is exceeded.

Key findings

  • 10 Lookup Limit: SPF records are limited to 10 DNS lookups, as per RFC specifications.
  • PermError: Exceeding the 10 lookup limit results in a 'permerror', causing SPF authentication to fail.
  • Include Mechanism: The 'include' mechanism contributes to the total DNS lookup count, potentially exceeding the limit.
  • Flatten SPF: Microsoft recommends flattening SPF records when this limit is exceeded.

Key considerations

  • Limit DNS Lookups: Ensure your SPF record stays within the 10 DNS lookup limit.
  • Minimize Includes: Reduce the use of 'include' mechanisms to minimize DNS lookups.
  • Flatten Records: Consider flattening your SPF record to reduce DNS lookups.
  • Monitor SPF: Regularly monitor your SPF record to ensure it is valid and not exceeding the lookup limit.

Technical article

Documentation from OpenSPF.org details that the 'include' mechanism in SPF records counts towards the 10 DNS lookup limit. Excessive use of 'include' can lead to exceeding this limit.

19 Apr 2024 - OpenSPF.org

Technical article

Documentation from AuthSMTP describes that exceeding the SPF lookup limit will cause messages to fail SPF authentication. This will cause the SPF check to return a 'permerror'.

8 Aug 2022 - AuthSMTP
