SPF: The rule of ten
Some mechanisms and modifiers (collectively, “terms”) cause DNS queries at the time of evaluation, and some do not. The following terms cause DNS queries: the “include”, “a”, “mx”, “ptr”, and “exists” mechanisms, and the “redirect” modifier. SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS. If this limit is exceeded, the implementation MUST return “permerror”.
This is the SPF rule of ten. It means that any SPF record that causes more than ten DNS queries (other than the original TXT query and any A record lookups triggered by “mx” terms) is not valid, and any attempt to authenticate SPF for email from the domain will lead to an error.
Ten queries seems like a lot. You probably only have an “mx” and a few “include” terms. That’s nowhere near ten.
But … the limit is the number of DNS-performing terms both in your SPF record and all the SPF records you include. That can add up quickly.
We – wordtothewise.com – have an SPF record that’s about as well optimized as it can be, given the services we use. We don’t use an “mx” term or any “a” terms, instead we include “ip4” and “ip6” terms for our mailservers. We use two external mail services – MailChimp and Zoho.
How many DNS-performing terms does that add up to? Six. Look at tools.wordtothewise.com/spf/check/wordtothewise.com and click on the “DNS” tab to see how it adds up that quickly.
We include “zoho.com” (1) which then includes “spf2.zoho.com” (2) and “spf.zoho.com” (3). We include “servers.mcsv.net” (4) which then includes “spf1.mcsv.net” (5) and “spf.mandrillapp.com” (6).
You can check your SPF records using our tool at tools.wordtothewise.com/spf. Want to see what a “too many DNS queries” error looks like? Check the SPF for “ebay.com“.
More later in the week about what you can do to reduce your SPF record size – particularly important if you’re providing records for your customers to include.