What is the typical DNS record length limit and what should I do if my provider has a smaller limit?
Matthew Whittaker
Co-founder & CTO, Suped
Published 24 Jun 2025
Updated 16 Aug 2025
Managing DNS records can sometimes feel like navigating a maze, especially when you encounter unexpected limitations. While the Domain Name System (DNS) has established standards for record lengths, not all DNS providers adhere to them uniformly, or they might have specific configurations that introduce their own quirks. This can lead to frustrating scenarios, particularly with critical email authentication records like SPF, DKIM, and BIMI.
Understanding these limits is crucial for maintaining proper email deliverability and ensuring your messages reach the inbox rather than the spam folder. It's not just about the character count, but also about the number of DNS lookups required for certain records.
Understanding DNS record character limits
The most commonly encountered length limit for a DNS TXT record is 255 characters (or octets) per string. This limitation is defined by RFC 1035, a foundational document for DNS. However, it's a common misconception that a TXT record itself cannot exceed 255 characters total. Instead, the RFC specifies that each string within a TXT record cannot be longer than 255 characters.
For records longer than 255 characters, such as extensive SPF or DKIM records, the solution is to split the record into multiple strings. Most modern DNS providers automatically concatenate these strings when they publish the record, presenting it as a single, longer TXT record to querying servers. For example, a 500-character record would typically be split into two strings. You can learn more about how to format SPF TXT records to avoid these issues.
This splitting mechanism is essential for proper functionality. If your DNS provider does not support splitting long TXT records, or has an unusually low hard character limit that prevents even standard 2048-bit DKIM keys or robust SPF policies, it can severely impact your email authentication. This is why knowing what causes DKIM key issues when DNS provider limits TXT record length is so important.
Example of a split TXT record
yourdomain.com. IN TXT "v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:spf.example.com " "include:spf.anotherexample.com include:spf.thirdexample.com include:spf.finalexample.com ~all"
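The splitting rule described above, as an added Python example (not code from the original article): it splits a value into strings of at most 255 octets, or a smaller per-string limit if your provider imposes one, and reassembles them the way a verifier does, with no separator added between strings. The function names and the sample value are constructed for illustration.

```python
import re

MAX_STRING_OCTETS = 255  # per-string limit from RFC 1035


def split_txt(value, limit=MAX_STRING_OCTETS):
    """Split a TXT value into strings of at most `limit` octets each."""
    if not 1 <= limit <= MAX_STRING_OCTETS:
        raise ValueError("limit must be between 1 and 255 octets")
    raw = value.encode("ascii")  # SPF and DKIM values are ASCII; fail loudly otherwise
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]


def to_rdata(strings):
    """Render strings as quoted zone-file RDATA, escaping quotes and backslashes."""
    return " ".join('"' + re.sub(r'(["\\])', r"\\\1", s) + '"' for s in strings)


def join_txt(rdata):
    """Reassemble quoted strings as a verifier does: concatenated, no separator."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)


# Constructed placeholder shaped like a 2048-bit DKIM record (not a real key).
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    chunks = split_txt(SAMPLE_DKIM)
    print([len(c) for c in chunks])
    print(to_rdata(chunks))
    # A hand-split SPF record that drops the space at the boundary fuses two terms.
    print(join_txt('"v=spf1 include:a.example" "include:b.example ~all"'))
```

Because the strings are joined with nothing in between, any space that separates two SPF terms has to sit inside one of the quoted strings.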
The SPF 10-DNS-lookup limit
Beyond the character length of individual TXT strings, another critical DNS-related limit, particularly for email deliverability, is the 10-DNS-lookup limit for SPF records. This is not a character limit, but a rule that mandates an SPF record should not require more than 10 DNS queries to fully resolve. Each mechanism in your SPF record that requires a DNS lookup (e.g., include, a, mx, ptr, exists) counts towards this limit. Mailhardener's explanation of the SPF lookup limit covers this in more detail.
Exceeding this 10-lookup limit causes a PermError. This means that the receiving mail server cannot fully validate your SPF record, leading to authentication failures. As a result, your emails are more likely to be marked as spam or rejected, impacting your sender reputation and deliverability. This is a common issue, and you should understand how important this limit is.
Consequences of exceeding the SPF 10-lookup limit
Email rejection or spam folder placement: Receiving mail servers cannot properly validate your sender, treating your emails as suspicious.
Damaged sender reputation: Consistent SPF failures negatively impact your domain's trustworthiness with ISPs.
Spoofing vulnerability: An invalid SPF record means unauthorized senders could more easily spoof your domain.
To address this, techniques like SPF flattening are used, where multiple include mechanisms are resolved to IP addresses and then listed directly in the SPF record, reducing the number of lookups required. DuoCircle's write-up of the SPF "too many DNS lookups" error covers this in more detail.
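The lookup count and the flattening step described above, as an added Python example (not code from the original article or from any flattening service). It walks a constructed set of SPF records held in a dictionary instead of querying DNS; all domain names, addresses and function names are assumptions made for illustration, and it assumes the include terms carry no explicit qualifier.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LIMIT = 10  # an evaluation needing more DNS-querying terms ends in PermError

# Constructed sample records (not real data) standing in for live TXT queries.
ZONE = {
    "example.test": "v=spf1 mx include:_spf.esp.test include:_spf.crm.test ~all",
    "_spf.esp.test": "v=spf1 " + " ".join(f"include:_n{i}.esp.test" for i in range(5)) + " ~all",
    "_spf.crm.test": "v=spf1 " + " ".join(f"include:_n{i}.crm.test" for i in range(3)) + " ~all",
}
ZONE.update({f"_n{i}.esp.test": f"v=spf1 ip4:192.0.2.{i * 16}/28 ~all" for i in range(5)})
ZONE.update({f"_n{i}.crm.test": f"v=spf1 ip4:198.51.100.{i * 16}/28 ~all" for i in range(3)})


def parse(term):
    """Return (mechanism, argument) for one SPF term, qualifier stripped."""
    term = term.lstrip("+-~?")
    if term.startswith("redirect="):
        return "redirect", term[len("redirect="):]
    name, _, arg = term.partition(":")
    return name.split("/")[0].lower(), arg


def count_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying terms reachable from the domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in zone[domain].split()[1:]:
        name, arg = parse(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total


def flatten(domain, zone=ZONE, top=True):
    """Replace include: terms with the ip4/ip6 terms they resolve to."""
    out = []
    for term in zone[domain].split()[1:]:
        name, arg = parse(term)
        if name == "include":
            out += flatten(arg, zone, top=False)
        elif top or name in ("ip4", "ip6"):
            out.append(term)
        elif name != "all":  # nested a/mx/exists would need live resolution
            raise ValueError(f"{domain}: cannot flatten {term!r} offline")
    return "v=spf1 " + " ".join(out) if top else out
```

Compare `count_lookups("example.test")` with `LIMIT` before and after substituting the output of `flatten("example.test")`; the flattened value can itself pass 255 characters, at which point the per-string splitting rule applies.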
Strategies for managing record length
When you encounter DNS record length issues, especially with TXT records, there are several strategies to employ. The primary one is to ensure your record is correctly split into multiple strings if it exceeds the 255-character per string limit. Most DNS management interfaces handle this automatically when you enter a long string, but some older or less sophisticated systems might require you to manually segment it using quotation marks for each part.
For SPF records hitting the 10-lookup limit, SPF flattening is the most effective solution. This involves replacing include mechanisms with the actual IP addresses they resolve to, thus eliminating the need for additional DNS queries. While this can be done manually, it's often more practical to use a service that automatically flattens your SPF record and keeps it updated as the underlying IP addresses change.
Manual SPF flattening
Process: Manually resolve all 'include' mechanisms to IP addresses and add them to your SPF record.
Maintenance: Requires regular monitoring for IP address changes from your email service providers.
Risk: High risk of broken SPF records if not updated promptly, leading to deliverability issues.
Automated SPF flattening
Process: A third-party service manages and updates your flattened SPF record dynamically.
Maintenance: Minimal, as the service handles all updates and DNS propagation.
Reliability: Ensures your SPF record is always accurate and within the 10-lookup limit.
DKIM keys, especially longer 2048-bit ones, can also sometimes exceed DNS TXT record character limits. Similar to SPF, these lengthy keys are often provided by email service providers in a format that should be split into multiple strings by your DNS provider. If your provider struggles with this, consider whether 4096-bit DKIM keys are even feasible for you.
Addressing provider limitations
If your DNS provider imposes limits significantly smaller than the standard 255 characters per TXT string, or struggles with the necessary string concatenation, your options are limited but important. First, always reach out to your provider's support team. They might have a specific workaround, an advanced interface, or a way to manually configure the record for you. Sometimes, these limitations are due to outdated control panels or specific software versions, like cPanel, which has been known to barf on underscores in CNAMEs.
However, if the provider cannot accommodate standard DNS record requirements, it might be time to consider migrating your DNS hosting. Moving to a dedicated DNS provider, such as Cloudflare, Amazon Route 53, or Google Cloud DNS, can offer greater flexibility and adherence to DNS standards, which is vital for robust email authentication and overall deliverability. Ensure you understand why your emails fail to reach the inbox.
Views from the trenches
Best practices
Always test DNS record changes before deploying to production environments.
Understand your DNS provider's specific limitations and unique features.
Regularly review all email authentication records (SPF, DKIM, DMARC, BIMI).
Common pitfalls
Assuming all DNS providers handle long records and lookups uniformly.
Exceeding the SPF 10-lookup limit, leading to email authentication failures.
Not accounting for specific provider quirks, such as issues with underscore characters in CNAME records.
Expert tips
Consider using an SPF flattening service for complex SPF records to maintain compliance.
If your current provider is restrictive, explore migrating to a more robust, dedicated DNS hosting service.
Segment long TXT records into multiple 255-character strings to comply with limits.
Marketer view
A marketer from Email Geeks says that a webhost provider sometimes states that an 87-character BIMI DNS record is too long, which can be a new and unexpected issue.
2022-07-20 - Email Geeks
Marketer view
A marketer from Email Geeks mentioned that many thought long DNS entries were no longer an issue, noting that 87 characters is well within the typical 255-character limit.
2022-07-20 - Email Geeks
Maintaining DNS compliance for email
Navigating the complexities of DNS record length limits is a critical aspect of email deliverability. While RFC standards provide a baseline, the practical implementation by various DNS providers can introduce unexpected challenges. Whether it's the 255-character per string limit for TXT records or the 10-DNS-lookup rule for SPF, understanding these constraints is essential.
By correctly splitting long records and implementing SPF flattening where necessary, you can mitigate most issues. However, if your current DNS provider consistently poses limitations that hinder your email authentication, exploring more robust DNS hosting solutions is a worthwhile investment to safeguard your sender reputation and ensure consistent inbox placement.