
SPF Fail: too many DNS lookups

I’ve had a couple folks come to me recently for help troubleshooting SPF failures. The error messages said the SPF record was invalid, but by all checks it was valid.

Eventually, we tracked the issue down to how many include files were in the SPF record.

The SPF specification explicitly limits the number of DNS lookups that can happen during an SPF check:

SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the “include” mechanism or the “redirect” modifier. If this number is exceeded during a check, a PermError MUST be returned. The “include”, “a”, “mx”, “ptr”, and “exists” mechanisms as well as the “redirect” modifier do count against this limit. The “all”, “ip4”, and “ip6” mechanisms do not require DNS lookups and therefore do not count against this limit.

(RFC 4408, section 10.1, Processing Limits)

Some senders are using include: records that themselves contain include: records, which in turn contain yet more include: records. Resolving all of these nested includes pushes the SPF check past the 10-lookup limit, so the check fails with a PermError before all the records can be pulled. Note that a lot of SPF checkers don’t actually comply with the spec in this area. Because of that spotty compliance, an overly long SPF record won’t fail everywhere, only at receivers that enforce the limit.

How can you fix this?

  • Prune unnecessary include: entries from the SPF record.
  • Use different domains for mail sent from different places, so you don’t need one SPF record to rule them all.
  • Don’t publish SPF records; rely on DKIM for authentication. Even Hotmail is checking DKIM these days.

Every red line is a separate DNS lookup.

If you need to find out how many lookups your SPF record entails, you can use the SPF checker at emailstuff.org. Enter a domain in the box and hit go, then click on the “DNS” tab to see the actual DNS lookups that are happening. Each red domain is a separate DNS lookup.

Secureserver.net has a lot of include: files and a lot of lookups. Because this is a checking tool, it doesn’t limit the number of queries (because that wouldn’t be useful). But in places that are implementing the spec correctly, and are refusing mail based on SPF failures, secureserver.net would experience mail failures.
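As an added illustration (not code from the original post or from emailstuff.org), here is a small Python counter that walks a constructed set of SPF records the way a checker does, following include: and redirect=, tallying the terms that count against the 10-lookup limit and also the “void” lookups (queries that return no record) that RFC 7208 caps at 2. The domains and records in ZONE are made up for the example.

```python
import re

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10       # RFC 4408 section 10.1 (kept in RFC 7208 section 4.6.4)
MAX_VOID_LOOKUPS = 2   # RFC 7208 section 4.6.4: lookups that return no record

# Constructed sample zone, domain -> SPF TXT record. Not real DNS data.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp-a.example include:mailer.example -all",
    "_spf.esp-a.example": "v=spf1 include:pool1.esp-a.example include:pool2.esp-a.example ~all",
    "pool1.esp-a.example": "v=spf1 ip4:198.51.100.0/24 a mx -all",
    "pool2.esp-a.example": "v=spf1 ip4:203.0.113.0/24 mx:out.esp-a.example -all",
    "mailer.example": "v=spf1 a mx ptr exists:%{i}.rbl.example redirect=_spf.esp-b.example",
    "_spf.esp-b.example": "v=spf1 include:_netblocks.esp-b.example ~all",
    "_netblocks.esp-b.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "trimmed.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp-a.example -all",
    "broken.example": "v=spf1 include:gone1.example include:gone2.example include:gone3.example -all",
}

# optional qualifier, term name, optional ':' / '=' / '/' argument
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def count_lookups(domain, zone):
    """Tally every lookup-triggering term reachable from `domain`'s SPF
    record, following include: and redirect=. Returns (lookups, void_lookups,
    result) with result 'ok' or 'PermError'. Counts terms, not the extra
    A/AAAA queries an MX expansion needs, which the RFC does not charge."""
    lookups = void = 0
    stack, visited = [domain], set()
    while stack:
        name = stack.pop()
        if name in visited:          # include loops: walk each record once
            continue
        visited.add(name)
        record = zone.get(name)
        if record is None:           # no SPF record came back: a void lookup
            void += 1
            continue
        for term in record.split()[1:]:        # skip the v=spf1 version tag
            m = TERM.match(term)
            if not m:
                continue
            mech, arg = m.group(1).lower(), m.group(2)
            if mech in LOOKUP_TERMS:
                lookups += 1
            if mech in ("include", "redirect") and arg:
                stack.append(arg)
    over = lookups > MAX_LOOKUPS or void > MAX_VOID_LOOKUPS
    return lookups, void, "PermError" if over else "ok"
```

Dropping one nested include (trimmed.example) brings the same sender set from 13 counted lookups down to 6; broken.example stays under 10 lookups but still fails because three includes point at domains with no SPF record.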

20 comments

  1. steve says

    The RFC mandated limit is actually the number of entries in an SPF record that trigger a DNS lookup rather than the number of DNS lookups caused. They’re pretty similar, as each include, a, mx entry in the original SPF record or any included records will cause a DNS lookup. But the A and AAAA lookups required to expand an MX entry don’t (as I read the RFC) count against the limit.

    You’re relying on the implementation the receiver is using reading that limit the same way I do, though, which isn’t a given. Generally it’s better to just use ip4, ip6 and (where needed) include records and avoid a and mx entries, anyway.

  2. henry says

    Laura,

    You can send an email to mailtest@unlocktheinbox.com, it will check your spf and it verifies the lookup limit as well.

  3. Al Iverson says

    I demand one dollar in royalty for being the inspiration for this blog post!

  4. Steevo says

    Hm. I just checked two domains I work on and both have exactly 10 red lines.
    Somehow I think that doesn’t mean things are hunky dory.

    Not exactly sure what it does mean.

    I’d like to read some more about SPF. I read a lot but I really don’t exactly understand it very well.

  5. steve says

    Sounds like they’re fine, Steevo. http://emailstuff.org/rfc/4408 explains the details of SPF. I’m not sure if there’s a decent less deep coverage of it – probably not, as SPF is all about the fiddly details.

  6. Steevo says

    As a test I did them both differently, but they both seem to work.

    They are both on dsl lines, and are both smarthosted through my ISP.
    On one SPF record I put in the ISP server, on one I did not.
    The test I did last night shows this correctly.

    As I said they both work. I can’t see why that is.

    I wish I knew how to put DKIM on that. I am sure no programmer.

    BTW, I still use Sam Spade Personal. Shows you how darned old I am.

  7. Rhet says

    I am curious on the recommendation of only relying on DKIM.

    How will that hold up if I want to use DMARC? Wouldn’t I be in a position where I have a single point of failure for my legitimate mail?

    Thx.

  8. sharif says

    Hi,

    I am receiving the below error. I can see only 7 red lines, please advise how I can fix this.

    Results – PermError SPF Permanent Error: Void lookup limit of 2 exceeded

    my spf record

    v=spf1 mx ptr mx:mail.domain1.com.sa ip4:192.0.0.1 mx:mail2.domain2.com.sa ip4:192.0.0.2 -all

    1. laura says

      I need to see the real SPF record to be able to provide any help with your issue.

  9. sharif says

    Hi Laura,

    Thanks for your help in this post.

    domain name – sasref.com.sa

    SPF checkup done – http://www.kitterman.com/getspf2.py

    Error received- Results – PermError SPF Permanent Error: Void lookup limit of 2 exceeded

    So far my SPF record was working without any issue, and suddenly today I have this error. It is something new which I have never seen in any article. I will appreciate your quick reply on this subject. Thanks.

  10. laura says

    Where is the error message from? Is it possible this is simply a transient DNS error?

  11. How to configure an SPF record | Hello, IT. says

    […] on occasion you may find that an SPF check returns this permanent error. There is a limit of 10 DNS lookups for an SPF record. This means that in our example, we would have the following […]

  12. Russ says

    Hi,

    I receive this message:
    PermError SPF Permanent Error: Too many DNS lookups

    I ran that spf check you mention, and there were about 30 red domains listed on the DNS tab.
    What do I do?
    Any help appreciated.

  13. steve says

    Russ: You’ll want to reduce the number of queries required, using the techniques suggested in this post. Without seeing the records I can’t be more specific.

  14. Setting up an SPF record for a shared hosting service with lots of email gateways - TecHub says

    […] of 705 IP addresses. Nope: can’t have that many domains in my SPF record, as it would be too many DNS lookups as well as just too many […]

  15. Alan Doherty says

    anyone needing help with spf record sanity just subscribe to spf-help
    http://www.listbox.com/subscribe/?list_id=1020
    and ask us to diagnose/fix yours
    archives
    https://www.listbox.com/member/archive/1020/=now

    and some simple rules
    ptr (never ever sane to use)
    mx (never ever sane to use)
    a (unless followed by :somename, is always a sign of sloppy admin)
    if your spf commits any of the above it can and should be improved/fixed/tuned up

  16. What Marketers Need to Know About Healthy DMARC Setup » DemandLab: Total Revenue Marketing says

    […] have all IPs and/or record types defined with your SPF setup. It’s important to remember that the SPF standard can only handle 10 lookups, so if you have more than 10 different places sending emails with your domain, you may want to […]

  17. Bobby says

    We use spfproxy.org to fix this issue. You move your existing TXT record to _spfproxy.yourdomain.com and then replace your existing TXT for yourdomain.com with: “v=spf1 include:%{l}._l.%{i}._i.%{h}._h.%{d}._d.spfproxy.org ~all”

    It’s using a little known feature described in the SPF RFC to make this work.

  18. The E-Mail Marketing Pocket Bible – With Coach Paul says

    […] too many DNS lookups in your SPF Record. Use the Email Stuff Checker here to find out how many lookups yours […]

  19. 85 Tips to improve the deliverability of your emails – Agencia Peixe Digital says

    […] too many DNS lookups in your SPF Record. Use the Email Stuff Checker tool here to find out how many lookups yours has. It should not […]
