How to format SPF TXT records, add domain includes, and avoid DNS size issues?

Key findings

• SPF record structure: SPF record elements (mechanisms like include, ip4, a, mx) are separated by spaces, not underscores. Underscores may appear within a domain name (e.g., _u.segment.com), but this is part of the domain itself, not the SPF syntax.
• Multiple includes: Each external sending service or vendor requires its own include: mechanism in your SPF record. For example, v=spf1 include:example.com include:another.com ~all.
• DNS lookup limits: SPF records have a limit of 10 DNS lookups. Exceeding this can cause SPF validation to fail, impacting deliverability. Each include, a, mx, ptr, and exists mechanism counts as one lookup.
• DNS TXT record size: While an SPF record can theoretically be up to 255 characters per string and a TXT record can have multiple strings, the practical limit for UDP DNS responses is 512 bytes. Larger records can lead to truncation and force resolvers to retry over TCP, which can introduce delays or failures for older resolvers.

Key considerations

• Vendor guidance: Always consult your email service providers (ESPs) and DMARC monitoring services for the exact SPF include strings they recommend. Do not guess these values.
• Single SPF record: A domain should only have one SPF TXT record (starting with v=spf1) at the root domain. Multiple SPF records will invalidate the setup and lead to authentication failures. Combine all authorized sources into a single record.
• Optimizing record length: To stay within DNS size limits and avoid truncation, consider using subdomains for different sending purposes (e.g., marketing emails from m.yourdomain.com) and ensuring your SPF record is concise. Only include necessary mechanisms and avoid redundant entries. For more details on managing your record length, see why your SPF record is too long.
• DMARC and SPF overlap: If using a DMARC service that provides a magic SPF include (one that encompasses multiple underlying services), be cautious about also adding individual SPF includes for those services directly to your main record. This can lead to redundancy and make future management difficult. Coordinate with your DMARC provider.

Key opinions

• Formatting confusion: There's often confusion among marketers about the correct syntax for SPF records, specifically whether to use underscores or spaces between listed domains.
• One include per domain: Marketers frequently ask if each sending domain requires its own include mechanism, highlighting a common need for clarity on multi-vendor SPF configuration.
• Complex setups: Integrating a DMARC monitoring service that provides a consolidated SPF include can simplify things, but also introduces questions about whether to add individual vendors separately.
• DNS warnings: Encountering warnings about malformed message packet or truncated responses from DNS lookups can be confusing for marketers, signaling underlying issues with TXT record size.

Key considerations

• Verification: Always verify your SPF record after making changes to ensure proper syntax and functionality. Use tools like the Suped Email Deliverability Tester or other online checkers.
• Vendor instructions: Stick to the exact SPF include statements provided by your email vendors to avoid authentication issues and improve inbox placement.
• DNS size optimization: While DNS pedants might highlight minor issues with records exceeding UDP limits, it's generally good practice to optimize for size. Consolidating entries or using subdomains can mitigate potential (though often minor) operational risks. Consider referring to the RFC 7208 for detailed guidance on SPF mechanisms and DNS considerations.
• Cleanup and maintenance: If you use a DMARC service that dynamically manages SPF, ensure you don't keep redundant include statements for providers that the DMARC service already covers. Regular audits prevent outdated entries and maintain optimal deliverability.

Key opinions

• Syntax for includes: An SPF record consists of elements separated by spaces, and each include mechanism should be added as include:vendor.domain.com, exactly as provided by the vendor.
• Underscores in domains: Underscores within domain names in an SPF record (e.g., _u.segment.com) are not special SPF syntax, but rather part of the subdomain name used by some providers for customer records.
• DNS packet size issues: SPF TXT records exceeding the 512-byte UDP limit can cause issues, leading to message truncation warnings and requiring DNS resolvers to retry over TCP. While some consider this a minor operational risk, it's a technical imperfection that can affect older or less robust resolvers.
• Google authentication: Experts strongly advocate using CNAME records for Google domain verification instead of TXT records. Polluted TXT records, especially large ones, can cause issues for SPF and email authentication. Transitioning from TXT to CNAME for Google verification can be challenging due to decay periods.
• Redundant includes: While temporarily adding a vendor's SPF include directly might be acceptable when also using a DMARC service that aggregates includes, it creates a potential for future misconfiguration if the DMARC service removes the vendor but the direct include remains.

Key considerations

• One SPF record per domain: Ensure your domain only publishes a single SPF TXT record. If you have multiple records, they must be merged into one. This is a fundamental rule for SPF, as violating it leads to an SPF PermError.
• DNS query limits: Be mindful of the 10 DNS lookup limit for SPF records. Each include, a, and mx mechanism consumes a lookup. Exceeding this limit results in a PermError. Learn more about how SPF 'a' records affect DNS lookups.
• DNS response size: Although modern DNS resolvers handle TCP fallbacks well, keeping your TXT records concise and under the 512-byte UDP limit for the initial response is best practice. This helps prevent truncation warnings and ensures compatibility with all resolvers. Consider if your SPF record adheres to recommended practices.
• Subdomain strategy: To mitigate DNS lookup and size issues, dedicate subdomains for different sending services. This allows for simpler, more isolated SPF records for each subdomain, rather than a single complex record for the root domain.

Key findings

• SPF syntax: An SPF record is a single TXT record beginning with v=spf1, followed by mechanisms (e.g., include, ip4) separated by spaces. No underscores should be used as separators.
• DNS resource considerations: RFC 7208 outlines the importance of minimizing DNS resources for SPF lookups by choosing efficient directives and avoiding unnecessary mechanisms.
• Deprecated mechanisms: The use of the SPF DNS record type has been deprecated in favor of TXT records. Additionally, the ptr mechanism is also deprecated and should not be used in SPF records.
• Single TXT record constraint: It is explicitly stated that a domain must not have multiple SPF records. The presence of more than one v=spf1 TXT record for a given domain will lead to a PermError, causing authentication failures.

Key considerations

• Strict adherence to RFCs: Always follow the specifications outlined in RFC 7208 for SPF. This includes proper formatting, mechanism usage, and understanding their impact on DNS lookups.
• Consolidate includes: If you have multiple authorized sending sources, all their respective includes must be part of a single SPF record string. This may involve combining entries from different vendors into one comprehensive TXT record.
• Optimize for length and lookups: To stay within the 10 DNS lookup limit and the 512-byte UDP packet size, strategically manage your SPF record. Options include using subdomains for different services or ensuring vendors provide includes that don't excessively increase lookup count. Refer to guidance on managing TXT record length limits.
• Regular validation: After any modifications, validate your SPF record to catch errors early. Tools for verifying SPF setup are widely available and crucial for maintaining proper authentication.