When people ask about the maximum number of terms or the maximum length of an SPF record, they're often touching on a couple of different, but related, limitations. It's not just about one single number. The two key constraints you need to know about are the DNS lookup limit and the character string limit. Understanding both is crucial for ensuring your emails are properly authenticated and delivered.
While there is a character limit, the most common issue people face is actually the limit on DNS lookups.
This is the big one. According to the official specification for SPF (RFC 7208), an SPF check processed by a receiving mail server must not result in more than 10 DNS lookups. If it does, the check will fail, likely resulting in a PermError (permanent error). This can cause legitimate emails to fail authentication.
What counts as a lookup? Certain mechanisms within your SPF record require a DNS query to get more information. Under RFC 7208, the terms that count towards this limit are the include, a, mx, ptr and exists mechanisms, plus the redirect modifier.
Mechanisms like ip4, ip6, and all do not perform a DNS lookup and therefore do not count towards the limit. The problem escalates because an include might point to another SPF record that also contains lookups, creating a chain reaction. As SendLayer points out, "if any of these included domains have their own includes, you can quickly hit this limit."
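The chain-reaction effect described above is easiest to see by counting. The following is an added example, not code from the original article or from any of the vendors it quotes: a small Python checker that parses an SPF record, counts the lookup-costing terms named in RFC 7208 (include, a, mx, ptr, exists and the redirect modifier), follows include and redirect chains, and reports a PermError when the total exceeds 10. The domain names and records in `SAMPLE_RECORDS` are constructed, and the dictionary stands in for real DNS TXT answers so the example runs offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, offline stand-in for DNS TXT answers (hypothetical names).
# A real checker would resolve each domain's TXT record instead.
SAMPLE_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx a include:_spf.mail.example "
                   "include:_spf.crm.example -all",
    "_spf.mail.example": "v=spf1 include:_netblocks.mail.example "
                         "include:_netblocks2.mail.example ~all",
    "_netblocks.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_netblocks2.mail.example": "v=spf1 ip6:2001:db8::/32 -all",
    # Heavy record: every lookup mechanism plus an include that is also
    # included elsewhere (each include evaluation counts again).
    "_spf.crm.example": "v=spf1 a mx ptr exists:%{i}.spf.crm.example "
                        "include:_spf.mail.example -all",
    "legacy.example": "v=spf1 redirect=_spf.mail.example",
}

# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10

# qualifier (optional), term name, then ':' '=' or '/' and an argument.
_TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def parse_terms(record: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split an SPF record into (qualifier, name, argument) triples."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for field in fields[1:]:
        m = _TERM_RE.match(field)
        if not m:
            raise ValueError("unparsable term: %r" % field)
        qual, name, arg = m.groups()
        terms.append((qual or "+", name.lower(), arg))
    return terms


def count_lookups(domain: str, records: Dict[str, str] = SAMPLE_RECORDS,
                  depth: int = 0) -> int:
    """Count the DNS lookups a receiver performs while evaluating `domain`.

    The initial TXT query for the domain itself does not count toward the
    limit; every include/redirect it triggers does, and so do the lookups
    inside the included records.
    """
    if depth > 20:  # guard against include loops in broken data
        raise RecursionError("include/redirect chain too deep")
    record = records.get(domain)
    if record is None:
        return 0  # the query that found nothing was counted by the caller
    total = 0
    for _qual, name, arg in parse_terms(record):
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include" and arg:
                total += count_lookups(arg, records, depth + 1)
        elif name == "redirect" and arg:
            total += 1 + count_lookups(arg, records, depth + 1)
    return total


def check_spf(domain: str, records: Dict[str, str] = SAMPLE_RECORDS) -> Tuple[int, str]:
    """Return (lookup count, 'ok' or 'permerror') for a domain."""
    n = count_lookups(domain, records)
    return n, ("permerror" if n > MAX_LOOKUPS else "ok")


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print("%-26s lookups=%2d %s" % ((name,) + check_spf(name)))
```

In the constructed data `example.com` looks harmless (two includes, `a`, `mx`), yet it costs 13 lookups because `_spf.crm.example` carries five lookup terms of its own and re-includes `_spf.mail.example`, which is counted again on every evaluation. Shortening that chain, or replacing an `include` with the `ip4`/`ip6` networks it resolves to, is how the count is brought back under 10.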
The other limit involves the length of the DNS TXT record itself. A single text string in a TXT record cannot be more than 255 characters long. This is a limitation of the DNS protocol, not just SPF.
However, this is where it gets a little more flexible. Most modern DNS providers allow you to create a TXT record that is longer than 255 characters by automatically splitting it into multiple, concatenated 255-character strings behind the scenes. When a mail server queries your SPF record, your DNS server presents these separate strings as a single, longer record.
So, while the technical limit for a single string is 255 characters, your total SPF record can be longer, provided your DNS host supports this concatenation. You should check with your specific DNS provider to see how they handle it. The key takeaway is that you are far more likely to hit the 10 lookup limit before the character limit becomes a practical problem.
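To make the 255-character rule concrete, here is an added Python example (not from the original article) showing what a DNS host does when it splits a long record into character-strings and what a receiver does when it joins them back. The long record is constructed from hypothetical `_spfN.example` includes; the point is that the strings are concatenated with no separator, so a split anywhere is fine but no extra spaces may be introduced, and each string in the wire format carries a one-byte length prefix, which is where the 255 limit comes from.

```python
from typing import List

MAX_STRING = 255  # one-byte length prefix per <character-string> (RFC 1035)

# Constructed record that is deliberately longer than 255 characters.
LONG_RECORD = ("v=spf1 "
               + " ".join("include:_spf%d.example" % i for i in range(12))
               + " -all")


def split_txt(record: str) -> List[str]:
    """Split a record into the <=255-byte strings a TXT RDATA can carry."""
    data = record.encode("ascii")
    return [data[i:i + MAX_STRING].decode("ascii")
            for i in range(0, len(data), MAX_STRING)]


def join_txt(strings: List[str]) -> str:
    """What a receiver does: concatenate the strings with NO separator."""
    return "".join(strings)


def txt_rdata(record: str) -> bytes:
    """Serialise the record as TXT RDATA: length byte + bytes, per string."""
    out = b""
    for s in split_txt(record):
        chunk = s.encode("ascii")
        assert len(chunk) <= MAX_STRING
        out += bytes([len(chunk)]) + chunk
    return out


def zone_file_line(name: str, record: str) -> str:
    """Zone-file form: several quoted strings on one TXT record."""
    quoted = " ".join('"%s"' % s for s in split_txt(record))
    return "%s IN TXT %s" % (name, quoted)


if __name__ == "__main__":
    parts = split_txt(LONG_RECORD)
    print("record length:", len(LONG_RECORD), "strings:", [len(p) for p in parts])
    print(zone_file_line("example.com.", LONG_RECORD))
    print("round trip ok:", join_txt(parts) == LONG_RECORD)
```

Running it prints a record of 277 characters split into strings of 255 and 22, with the serialised RDATA two bytes longer than the text (one length prefix per string). If a provider does not perform this splitting for you, the zone-file form shown is what you enter by hand.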
These limits exist for performance and security reasons. Unrestricted DNS lookups could be exploited to launch denial-of-service (DoS) attacks or simply to overwhelm mail servers. By capping the lookups, the SPF standard ensures that checks can be completed quickly and efficiently.
Exceeding either of these limits will cause your SPF record to fail validation. As DuoCircle states, "Records not complying with this stipulation can cause temporary or permanent errors." This means your emails might not be delivered, or they could be sent straight to the spam folder. It's also important to remember you can only have one SPF record per domain; having multiple SPF records also causes an instant validation failure.
In summary, while an SPF record has a character limit related to DNS TXT records, the most critical number to watch is 10. You must keep your total number of DNS-querying mechanisms at or below this threshold, counting those hidden inside included records, to ensure your SPF record works correctly and your emails are delivered reliably.