Why is my SPF record too long and how to manage DNS TXT record length limits?

Key findings

• TXT record length: While an SPF record itself might appear short in characters, the actual length limitation applies to the entire DNS TXT record, which includes the v=spf1 declaration and all included mechanisms.
• Byte count matters: The 255-character limit for a single TXT string is actually a byte limit, which means special characters can consume more than one byte, reducing the effective character count. If your record exceeds this, it needs to be split into multiple quoted strings within the same record.
• DNS lookup limit: The more common and critical issue is the 10-DNS lookup limit. Each mechanism in your SPF record that requires a DNS lookup (e.g., include, a, mx) counts towards this limit. Exceeding it results in a SPF PermError.
• Impact on deliverability: A broken SPF record, whether due to character or lookup limits, can cause emails to fail authentication, increasing the likelihood of them being marked as spam or rejected by recipient mail servers.

Key considerations

• Consolidate records: If you have multiple SPF records (which is technically invalid and can cause issues), consolidate them into a single record. RFC 7208 specifies that a domain must not have multiple SPF TXT records.
• Use subdomains: Consider using subdomains for different sending services, each with its own SPF record. This helps manage the lookup count for your primary domain.
• Utilize SPF flattening: SPF flattening is a technique where included domains are resolved to their IP addresses at the time the SPF record is generated, reducing the need for multiple DNS lookups during validation. This can significantly alleviate lookup limit issues.
• Remove unnecessary records: Review your DNS TXT records for old or unused entries, especially verification records (like Google Site Verification) that might be contributing to overall TXT record size. For Google verification, a CNAME alternative is often available and preferred.

Key opinions

• Complexity grows with services: As marketers onboard more sending platforms, their SPF records tend to expand rapidly, making it difficult to stay within the 10-lookup limit without careful management.
• Character vs. lookup confusion: Many marketers initially confuse the 255-character limit for a single TXT string with the SPF lookup limit, only realizing the difference after troubleshooting authentication failures.
• Hidden TXT records: Non-SPF related TXT records, such as domain verification codes, can contribute to the overall byte length of the DNS TXT record for the root domain, unknowingly pushing it over limits.
• Impact on deliverability: SPF validation failures are a common cause of emails landing in spam folders or being outright rejected, negatively impacting campaign performance and sender reputation.

Key considerations

• Audit regularly: Periodically review your SPF record and other TXT records to remove outdated or unnecessary entries, like old domain verification strings or unused ESP includes.
• Prioritize includes: Only include sending services that genuinely need to send email on behalf of your domain. If a service rarely sends, consider if it's truly essential to include it in your primary SPF record.
• Leverage subdomains: For different types of email (e.g., transactional, marketing, internal), use distinct subdomains. Each subdomain can have its own SPF record, helping to distribute the lookup load and keep the root domain's SPF concise. Find out more about DMARC record placement for subdomains.
• Use DNS tools: Utilize online SPF record validators and DNS lookup tools to regularly check your SPF record's length and lookup count. This proactive approach can prevent deliverability issues before they impact campaigns.

Key opinions

• Lookup limit is critical: The 10-DNS lookup limit is the most common reason for SPF records being flagged as "too long" and resulting in failures, not just the character length of the TXT record itself.
• Beware of indirect lookups: Mechanisms like include and mx can lead to multiple nested lookups, quickly consuming the allowed limit. Each A record or MX record within an included domain also counts.
• Single SPF record rule: Having multiple SPF records on a single domain is a common misconfiguration that leads to SPF failures, as only the first SPF record encountered will be used, and subsequent ones will be ignored.
• TXT record byte size: While less frequent, exceeding the 255-byte limit for a single TXT string (or 512 bytes for the total record, depending on DNS software) requires splitting the string into multiple quoted parts within the same record, even for non-SPF TXT records.

Key considerations

• SPF flattening: This technique involves replacing include mechanisms with the resolved IP addresses of the included domains, effectively reducing DNS lookups at validation time. This is a powerful method for managing lookup limits.
• Dedicated sending subdomains: Experts advise using distinct subdomains (e.g., m.yourdomain.com) for marketing, transactional, or other email streams. Each subdomain can have its own SPF record, preventing the root domain's SPF from becoming overly complex and exceeding limits. This helps to avoid issues like SPF TempError.
• DNS optimization: Prioritize direct ip4 and ip6 mechanisms over include mechanisms where possible to reduce lookups. Remove ptr mechanisms, as they are rarely needed and cause additional lookups.
• Leverage CNAMEs for verification: Whenever an alternative verification method via CNAME is available (e.g., for Google services), use it instead of adding more TXT records to the root domain. This keeps the valuable root TXT space clear for authentication records. This relates to how to resolve "CharacterStringTooLong" errors.

Key findings

• TXT record string length: DNS TXT records are limited to 255 characters (bytes) per string literal. If the content, such as an SPF record, exceeds this, it must be split into multiple concatenated strings enclosed in double quotes within the same record.
• 10-DNS lookup limit: RFC 7208 states that SPF validation must not perform more than 10 DNS lookups that resolve SPF mechanisms (a, mx, ptr, exists, and include).
• PermError consequence: Exceeding the 10-lookup limit results in a SPF PermError, indicating that the SPF record is malformed or too complex to validate, and the authentication will fail.
• Single SPF record requirement: A domain must not have multiple SPF TXT records published; only the first one encountered during validation will be used, rendering others ineffective. This can be a source of broken SPF records.

Key considerations

• Concatenation for long strings: If an SPF record's string exceeds 255 characters, it should be broken into multiple double-quoted strings, which DNS will automatically concatenate. For example, "v=spf1 include:_spf.example.com" "include:_spf2.example.org ~all".
• Minimize lookups: To stay within the 10-lookup limit, use IP addresses directly with ip4 or ip6 mechanisms where possible, rather than relying on multiple include statements that trigger additional lookups. For DNS record placement, consult this guide.
• Avoid ptr mechanism: The ptr mechanism is deprecated and inefficient, requiring reverse DNS lookups that count against the 10-lookup limit and can cause performance issues.
• Use DMARC for reporting: Implement DMARC alongside SPF to receive reports on authentication failures, including SPF PermErrors. These reports provide visibility into whether your SPF record is failing due to length or lookup issues. Learn more about how to fix SPF lookup limit errors.