I’ve had a couple folks come to me recently for help troubleshooting SPF failures. The error messages said the SPF record was invalid, but by all checks it was valid.
Eventually, we tracked the issue down to how many include files were in the SPF record.
The SPF specification specifically limits the number of lookups that can happen during a SPF check.
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the “include” mechanism or the “redirect” modifier. If this number is exceeded during a check, a PermError MUST be returned. The “include”, “a”, “mx”, “ptr”, and “exists” mechanisms as well as the “redirect” modifier do count against this limit. The “all”, “ip4”, and “ip6” mechanisms do not require DNS lookups and therefore do not count against this limit. (RFC 4408, section 10.1, “Processing Limits”)
Some senders are using include: records that in turn have include: records, which in turn have yet other include: records. Looking up all these included records pushes the check past the SPF lookup limit, so the SPF check fails (not all of the records can be pulled). Note that a lot of SPF checkers don’t actually comply with the SPF spec in this area. Because of the spotty compliance, some over-long SPF records won’t fail everywhere.
How can you fix this?
- Prune unnecessary include: records from the SPF record.
- Use different domains for mail from different places so you don’t need one SPF record to rule them all.
- Don’t publish SPF records, rely on DKIM for authentication. Even Hotmail is checking DKIM these days.
If you need to find out how many lookups your SPF record entails, you can use the SPF checker at emailstuff.org. Enter a domain in the box and hit go. Then click on the “DNS” tab to see the actual DNS lookups that are happening. Each red domain is a separate DNS lookup.
Secureserver.net has a lot of include: files and a lot of lookups. Because this is a checking tool, it doesn’t limit the number of queries (because that wouldn’t be useful). But in places that are implementing the spec correctly, and are refusing mail based on SPF failures, secureserver.net would experience mail failures.
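As an added worked example (not part of the original post and not the code of any checker it mentions), here is a small Python counter that applies the limit exactly as the quoted spec text describes it: every include, a, mx, ptr and exists mechanism and every redirect modifier costs one, include and redirect targets are walked recursively, and ip4, ip6 and all cost nothing. The domains and records in FAKE_TXT are constructed for the demo; a real checker would replace lookup_txt with an actual DNS TXT query. Macros in a target name are not expanded here.

```python
# Constructed zone data standing in for live DNS TXT answers, so the example runs
# offline. Assumption: every domain and record below is invented for this demo.
FAKE_TXT = {
    "example.com": "v=spf1 mx a include:_spf.example.net include:mail.example.org ip4:192.0.2.0/24 -all",
    "_spf.example.net": "v=spf1 include:a.example.net include:b.example.net ~all",
    "a.example.net": "v=spf1 ip4:198.51.100.0/24 a mx -all",
    "b.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "mail.example.org": "v=spf1 a:mail.example.org mx exists:%{i}.rbl.example.org redirect=_spf.example.org",
    "_spf.example.org": "v=spf1 ptr ip6:2001:db8::/32 -all",
}

# Terms that cost a DNS lookup under the spec text quoted in the post
# (RFC 4408 section 10.1); ip4, ip6 and all do not count.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def lookup_txt(domain):
    """Stand-in for a DNS TXT query: return the SPF record for `domain` or None."""
    return FAKE_TXT.get(domain.lower())


def parse_term(term):
    """Split one SPF term into (kind, name, argument).

    kind is 'mechanism' or 'modifier'. The leading qualifier (+ - ~ ?) and any
    CIDR suffix are dropped because neither affects how many lookups a term costs.
    """
    term = term.lstrip("+-~?")
    head, sep, tail = term.partition("=")
    if sep and ":" not in head and "/" not in head:  # e.g. redirect=_spf.example.org
        return "modifier", head.lower(), tail
    name, _, arg = term.partition(":")                # e.g. include:_spf.example.net
    name = name.split("/")[0].lower()                 # strip "a/24" style CIDR
    arg = arg.split("/")[0] or None                   # strip "ip4:x.x.x.x/24" CIDR
    return "mechanism", name, arg


def _walk(domain, resolver, path, trail):
    """Count lookup terms in `domain`'s record, recursing into include/redirect targets."""
    if domain.lower() in path:
        raise ValueError(f"include/redirect loop back to {domain}")
    record = resolver(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    indent = "  " * len(path)
    child_path = path + (domain.lower(),)
    for term in record.split()[1:]:
        kind, name, arg = parse_term(term)
        if kind == "modifier" and name == "redirect":
            total += 1
            trail.append(f"{indent}{term}")
            total += _walk(arg, resolver, child_path, trail)
        elif kind == "mechanism" and name in LOOKUP_MECHANISMS:
            total += 1
            trail.append(f"{indent}{term}")
            if name == "include":
                if arg is None:
                    raise ValueError("include mechanism without a domain")
                total += _walk(arg, resolver, child_path, trail)
    return total


def count_spf_lookups(domain, resolver=lookup_txt):
    """Return (lookup_count, trail); trail lists each counted term, indented by depth."""
    trail = []
    total = _walk(domain, resolver, (), trail)
    return total, trail


def check_spf_limit(domain, resolver=lookup_txt):
    """Return ('PermError', n) when the record needs more than 10 lookups, else ('ok', n)."""
    total, _ = count_spf_lookups(domain, resolver)
    return ("PermError" if total > MAX_LOOKUPS else "ok", total)


if __name__ == "__main__":
    for name in ("example.com", "_spf.example.net"):
        verdict, total = check_spf_limit(name)
        _, trail = count_spf_lookups(name)
        print(f"{name}: {total} lookup terms -> {verdict}")
        for line in trail:
            print("   ", line)
```

In the constructed data, example.com needs 13 lookup terms (the mx and a on the top-level record, plus 5 reached through _spf.example.net and 6 through mail.example.org, whose redirect adds the ptr in _spf.example.org), so a spec-compliant receiver returns PermError, while _spf.example.net on its own needs only 4. The trail printed by the main block is the equivalent of the red domains on the emailstuff.org DNS tab, and the path check stops a record that includes itself from looping forever.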
The RFC mandated limit is actually the number of entries in an SPF record that trigger a DNS lookup rather than the number of DNS lookups caused. They’re pretty similar, as each include, a, mx entry in the original SPF record or any included records will cause a DNS lookup. But the A and AAAA lookups required to expand an MX entry don’t (as I read the RFC) count against the limit.
You’re relying on the implementation the receiver is using reading that limit the same way I do, though, which isn’t a given. Generally it’s better to just use ip4, ip6 and (where needed) include records and avoid a and mx entries, anyway.
Laura,
You can send an email to mailtest@unlocktheinbox.com, it will check your spf and it verifies the lookup limit as well.
I demand one dollar in royalty for being the inspiration for this blog post!
Hm. I just checked two domains I work on and both have exactly 10 red lines.
Somehow I think that doesn’t mean things are hunky dory.
Not exactly sure what it does mean.
I’d like to read some more about SPF. I read a lot but I really don’t exactly understand it very well.
Sounds like they’re fine, Steevo. http://emailstuff.org/rfc/4408 explains the details of SPF. I’m not sure if there’s a decent less deep coverage of it – probably not, as SPF is all about the fiddly details.
As a test I did them both differently, but they both seem to work.
They are both on dsl lines, and are both smarthosted through my ISP.
On one SPF record I put in the ISP server, on one I did not.
The test I did last night shows this correctly.
As I said they both work. I can’t see why that is.
I wish I knew how to put DKIM on that. I am sure no programmer.
BTW, I still use Sam Spade Personal. Shows you how darned old I am.
I am curious on the recommendation of only relying on DKIM.
How will that hold up if I want to use DMARC? Wouldn’t I be in a position where I have a single point of failure for my legitimate mail?
Thx.
Hi,
I am receiving the below error. I can see only 7 red lines; please advise how I can fix this.
Results – PermError SPF Permanent Error: Void lookup limit of 2 exceeded
my spf record
v=spf1 mx ptr mx:mail.domain1.com.sa ip4:192.0.0.1 mx:mail2.domain2.com.sa ip4:192.0.0.2 -all
I need to see the real SPF record to be able to provide any help with your issue.
Hi Laura,
Thanks for your help in this post.
domain name – sasref.com.sa
SPF checkup done – http://www.kitterman.com/getspf2.py
Error received- Results – PermError SPF Permanent Error: Void lookup limit of 2 exceeded
So far my SPF record was working without any issue, and suddenly today I have this error, which is something new that I have never seen in any article. I would appreciate your quick reply on this subject. Thanks.
Where is the error message from? Is it possible this is simply a transient DNS error?
[…] on some occasion you may find that an SPF record returns this permanent error. There is a limit of 10 DNS resolutions for an SPF record. This means that in our example we would have the following […]
Hi,
I receive this message:
PermError SPF Permanent Error: Too many DNS lookups
I ran that spf check you mention, and there were about 30 red domains listed on the DNS tab.
What do I do?
Any help appreciated.
Russ: You’ll want to reduce the number of queries required, using the techniques suggested in this post. Without seeing the records I can’t be more specific.
[…] of 705 IP addresses. Nope: can’t have that many domains in my SPF record, as it would be too many DNS lookups as well as just too many […]
anyone needing help with spf record sanity just subscribe to spf-help
http://www.listbox.com/subscribe/?list_id=1020
and ask us to diagnose/fix yours
archives
https://www.listbox.com/member/archive/1020/=now
and some simple rules
ptr (never ever sane to use)
mx (never ever sane to use)
a (unless followed by :somename, is always a sign of sloppy admin)
if your spf commits any of the above it can and should be improved/fixed/tuned up
[…] have all IPs and/or record types defined with your SPF setup. It’s important to remember that the SPF standard can only handle 10 lookups, so if you have more than 10 different places sending emails with your domain, you may want to […]
We use spfproxy.org to fix this issue. You move your existing TXT record to _spfproxy.yourdomain.com and then replace your existing TXT for yourdomain.com with: “v=spf1 include:%{l}._l.%{i}._i.%{h}._h.%{d}._d.spfproxy.org ~all”
It’s using a little known feature described in the SPF RFC to make this work.
[…] too many DNS lookups in your SPF Record. Use the Email Stuff Checker here to find out how many lookups yours […]
[…] too many DNS lookups in your SPF record. Use the Email Stuff Checker tool here to find out how many lookups yours has. It must not […]
[…] And for more information on the subject, see this article. […]
[…] For more information on the topic, read this article. […]
If you are having the issue of exceeding the 10-DNS-lookup limit, you can try our Safe SPF feature, which is purpose-built to solve this very issue.
Find out more at: https://dmarcly.com/blog/does-your-spf-record-exceed-the-10-dns-lookup-limit.