How important is the 10 DNS lookups limit on SPF records?

Key findings

• RFC compliance: The SPF specification (RFC 7208) dictates a strict limit of 10 DNS lookups per SPF record to prevent denial-of-service attacks. Exceeding this limit results in a permanent error (PermError).
• Varying enforcement: While the standard is clear, recipient mail servers (ISPs) vary in their strictness. Some may still deliver emails that exceed the limit, while others will reject them outright.
• Impact on deliverability: A PermError due to too many lookups means the SPF authentication fails, which can significantly hinder email deliverability, potentially leading to messages landing in spam or being rejected.
• Common culprits: Many web hosting services and large email service providers offer SPF includes that, by themselves, consume or exceed the 10-lookup limit, making it challenging for users to add other necessary sending sources.
• Nested includes: The problem is often exacerbated by nested includes, where one included domain (e.g., an ESP) itself has multiple DNS lookups, quickly pushing the total count over the threshold.
• DNS TXT record length: Attempting to flatten SPF records manually can sometimes lead to issues with DNS TXT record length limits, especially if the flattened record becomes too long for some DNS hosts.

Key considerations

• Prioritize compliance: Despite varied enforcement, always aim to stay within the 10 DNS lookup limit to ensure the broadest compatibility and best possible deliverability.
• Strategic SPF management: Regularly review and optimize your SPF record. Remove unnecessary mechanisms (like ptr which is deprecated) and consolidate entries where possible.
• Subdomain usage: Consider using separate subdomains for different sending services. This allows each subdomain to have its own SPF record, effectively segmenting your lookups and keeping them under the limit. More information can be found in this article on SPF limits.
• Dynamic SPF management: Tools that dynamically manage SPF records or SPF flattening services can help, but manual flattening is generally not advised due to frequently changing IP addresses of included domains.

Key opinions

• Inconsistent enforcement: Marketers frequently report that some recipient mail servers are more lenient than others regarding the 10 DNS lookup limit, leading to emails with non-compliant SPF records still being delivered.
• Web host frustrations: A significant pain point is web hosting services providing SPF includes that independently exceed the 10-lookup limit, making it impossible to add other necessary includes without breaking the record.
• DMARC report confusion: It can be perplexing when DMARC reports indicate SPF is passing, even for domains with 12 or more lookups, leading to a false sense of security about compliance.
• SPF flattening challenges: While manual SPF flattening can resolve lookup limit issues, it introduces new problems like records becoming too long for certain DNS hosts and the need for constant updates as IP addresses change.
• Poor support from hosting providers: Many marketers find that the technical support at web hosting companies, especially larger ones, lacks understanding of email authentication best practices, making it difficult to resolve SPF issues.

Key considerations

• Proactive auditing: Regularly audit your SPF records to identify unnecessary includes or mechanisms that contribute to exceeding the lookup limit. This can help prevent intermittent email delivery failures.
• Leverage subdomains: Utilize subdomains for different sending purposes to create separate SPF records, effectively segmenting your DNS lookups and staying within limits.
• Avoid manual flattening: Given the dynamic nature of IP addresses, manual SPF flattening is risky. Prioritize optimizing includes or using specialized SPF management services if necessary, as highlighted by SendLayer's blog on SPF flattening.
• Advocate for better practices: Marketers should continue to report and push hosting providers to adopt better SPF practices that respect the 10-lookup limit and avoid including unnecessary or deprecated mechanisms.

Key opinions

• Strict RFC interpretation: Exceeding the 10 terms that involve DNS lookups means, by specification, that the mail is not SPF authenticated, irrespective of what some DMARC reports might suggest.
• SPF scope: SPF specifically validates the HELO and Return-Path addresses, not the From: header, offering flexibility for different services to use different domains.
• Avoiding manual flattening: Experts advise against manually flattening SPF records because the underlying IP addresses of included domains (such as those of Mailjet, Google, or Salesforce) can change frequently without notice, rendering the flattened record outdated and ineffective.
• Hosting provider issues: A common issue is that many hosting providers, including major ones like Bluehost, Hostgator, and GoDaddy, provide default SPF recommendations that include unnecessary mechanisms like ptr (which is deprecated) and excessive includes that cause the record to exceed the 10-lookup limit.
• Support challenges: Resolving complex SPF issues with the technical support teams of many large hosting providers is often a time-consuming and unproductive effort, as they may lack the necessary expertise in email authentication.

Key considerations

• Review include mechanisms: Thoroughly inspect the includes provided by your hosting providers and email services to identify and remove any additional or unnecessary lookups that can be avoided. This practice aligns with best practices for SPF DNS lookup limits.
• Avoid deprecated elements: Steer clear of deprecated mechanisms like ptr and avoid unnecessary mx lookups if mail is not sent via your MX records, as they contribute to the lookup count without providing significant value.
• Strategic domain use: Instead of having one SPF record for all sending, consider using different domains or subdomains for distinct sending purposes to distribute SPF lookups effectively.
• Impact of PermError: Understand that a PermError from exceeding the lookup limit can lead to legitimate emails being marked as spam or rejected, affecting overall deliverability performance.

Key findings

• Mandatory limit: RFC 7208 specifies a maximum of 10 DNS lookups for SPF record evaluation, a critical limit for preventing denial-of-service attacks.
• PermError consequence: Exceeding the 10-lookup limit always results in an SPF PermError, indicating a permanent failure of SPF authentication for that domain.
• Lookup-triggering mechanisms: Mechanisms such as a, mx, ptr, include, and exists all count towards this 10-lookup limit.
• Exclusions from count: The initial DNS query to retrieve the SPF TXT record itself does not count towards the 10-lookup limit.
• Discouraged mechanisms: While defined, the ptr mechanism is generally discouraged due to performance and reliability concerns, yet it still consumes a lookup.

Key considerations

• Adhere strictly: For reliable email authentication and deliverability, it is crucial to strictly adhere to the 10 DNS lookup limit defined in RFC 7208.
• Optimize record structure: Minimize the number of include, a, and mx mechanisms that require DNS lookups to stay within the limit. For more details on this, refer to how SPF 'a' records affect DNS lookups.
• Avoid deprecated mechanisms: Do not use ptr mechanisms, as they are not recommended and consume a lookup slot without providing robust benefits.
• Understand PermError impact: Be aware that a PermError due to excessive lookups can severely impact deliverability, leading to legitimate emails being rejected or classified as spam.
• Consult RFCs: For the most accurate and authoritative information on SPF, including its limits and mechanisms, always refer to the official SPF RFC 7208 documentation.