I am adding a domain (xero.com) to our existing SPF record, to allow marketing emails to be sent from an external system and appear as if they are from us.
The SPF record for xero.com is large and including it would take our own SPF record over the 10 lookup limit, resulting in error Permanent Error: Too many DNS lookup
This is unfortunate, but what effect if any does this error actually have (for both hard and soft fail)? Will it prevent any mail being sent, or allow all, or just ignore this included domain?
In addition to this, we advise some of our clients to include our domain in their SPF records so we can send mail on their behalf.
Could increasing the included domains on our SPF record have a negative impact on theirs?
Conversely, if I get round this problem by setting our SPF record to `v=spf1 +all` to allow everything, could this also have an undesired effect for our clients that might use our domain in their SPF record?
The effect is that your SPF record is ignored. Please do the following. Your SPF record requires 6 lookups excluding any MX and A records included in the record. (An MX record lookup may result in 2 or more lookups.)

`include:_spf.google.com` entry. You don't need the MX specification. Consider setting up DMARC with a reporting address so you can determine if you could set a `-all` policy. You will get reports on how well you are following your policy and failure rates. Use a `report` disposition until the only failure reports you get are for email that does not originate from your domain. Don't set your SPF policy to `-all` until you are sure you have listed all the valid senders in your SPF record.

Stop that right now! :)

1) never give customers your SPF record for your marketing, always use a subdomain. `_spf.example.com` for example, are IP ranges you control and provide to customers.
2) limit your exposure or remove SPF entirely. `+all` (in practice is likely ignored) says you authenticated all IP ranges, whereas `?all` is much safer.
3) marketing systems don't need your business email domain. If you're going to have multiple marketing backends you should have multiple subdomains. Typically they (ESPs) push for this, `sg.example.com` for sendgrid, `mg.example.com` for mailgun, etc...
4) remove redundant lookups, `a` and `mx` are likely addresses you know.

The SPF specification requires that the number of mechanisms and modifiers that do DNS lookups must not exceed 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. Otherwise, an SPF PermError, more specifically "SPF PermError: too many DNS lookups", is returned.
The SPF PermError: too many DNS lookups issue is interpreted by DMARC as fail. Therefore, when your SPF record falls foul of this limit, and DKIM also fails, your emails will fail DMARC authentication, which means your emails are not properly authenticated and might not reach the inbox.
I've created a blog post on this topic: SPF PermError: too many DNS lookups
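The 10-lookup rule discussed in this thread, as an added example that is not part of any answer above: a small Python counter that walks a constructed, offline set of TXT records the way a receiving server would (the `_spf.google.com` contents and the `bigvendor.example` names are made up), and shows the same record moving from PermError to pass once the redundant `a` and `mx` terms are dropped.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 lookup-causing terms per check

# Constructed sample zone standing in for real DNS so this runs offline.
FAKE_TXT = {
    "example.com": "v=spf1 mx a include:_spf.google.com include:bigvendor.example -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "bigvendor.example": "v=spf1 include:a.bigvendor.example include:b.bigvendor.example include:c.bigvendor.example ~all",
    "a.bigvendor.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "b.bigvendor.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "c.bigvendor.example": "v=spf1 redirect=d.bigvendor.example",
    "d.bigvendor.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
# Same zone after removing the "mx" and "a" terms (tip 4 above).
TRIMMED_TXT = {**FAKE_TXT, "example.com": "v=spf1 include:_spf.google.com include:bigvendor.example -all"}

# Mechanisms that cost a DNS query; ip4, ip6 and all do not.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)", re.I)

def count_lookups(domain, resolve, depth=0):
    """Lookup-causing terms evaluated for domain's record, recursing through
    include: and redirect=. Missing record -> KeyError; cycles are cut off."""
    if depth > LOOKUP_LIMIT:
        return LOOKUP_LIMIT + 1
    record = resolve(domain)
    if record is None:
        raise KeyError(domain)
    total, redirect = 0, None
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
        elif m := LOOKUP_TERM.match(term):
            total += 1  # "mx" counts once here; its MX targets have a separate cap
            if m.group(1).lower() == "include":
                total += count_lookups(term.split(":", 1)[1], resolve, depth + 1)
    if redirect is not None:  # redirect= is applied after all mechanisms
        total += 1 + count_lookups(redirect, resolve, depth + 1)
    return total

def check(domain, resolve=FAKE_TXT.get):
    # Returns ("pass", n) or ("permerror", reason), mirroring a receiver's verdict.
    try:
        n = count_lookups(domain, resolve)
    except KeyError as exc:
        return "permerror", f"no SPF record for {exc.args[0]}"
    return ("permerror" if n > LOOKUP_LIMIT else "pass"), n
```

Against the constructed zone, `check("example.com")` reports a PermError at 11 lookups, and `check("example.com", TRIMMED_TXT.get)` passes at 9 once `mx` and `a` are gone.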