The SPF specification limits the number of DNS lookups to 10. This limit helps reduce the amount of resources used by mailbox providers when checking SPF records. If you exceed this limit, you will fail an SPF check. A DNS lookup requires the mailbox provider to request information for a domain from the DNS, which leads to slower processing times and the use of more computer resources. These issues are why the limitation exists.
Here are the mechanisms and modifiers that do DNS lookups:
- ptr (do not use)
There are different ways you can avoid reaching the 10 DNS lookup limit. Here are some common practices:
Avoid unnecessary include statements
An include statement is a mechanism in your SPF record that redirects the DNS lookup to another domain’s SPF record to verify any of their authorized IPs. Each include statement, in the original SPF record and in any of the SPF records redirected to, is counted toward the limit of 10.
For example, ABC Corp’s SPF record has an include statement referencing example.com’s SPF record, which has an include statement for Google.com’s SPF record. This would result in two lookups counted in ABC Corp’s 10 lookup limit.
In order to not exceed the limit of 10, ensure each include statement in your SPF record is necessary and could not be replaced with another mechanism, such as the ip4 and ip6 mechanisms.
Use ip4 and ip6 mechanisms
One way to reduce the amount of DNS lookups is to replace your include statement with the ip4 or ip6 mechanism, when you have the option. The ip4 and ip6 mechanisms are used to list a static IP range in your SPF record. This eliminates the a need for an include statement that references another domain’s SPF record.
For example, here is an SPF record with an include statement:
v=spf1 ip4:192.168.0.1/16 include:mail.example.com ~all
v=spf1 ip4:22.214.171.124/24 ~all
In this example, mail.example.com’s SPF record contains a static IP range (126.96.36.199/24). This range is not going to be constantly changing so the SPF record for example.com does not need the include statement at all. And it can be replaced with the ip4 mechanism.
See the difference below:
v=spf1 ip4:192.168.0.1/16 ip4:188.8.131.52/24 ~all
The new SPF record does zero lookups because it no longer has the include statement. This can help you limit the number of DNS lookups if you are using other include statements.
Remove mechanisms that resolve to the same domain
Another way to avoid unnecessary DNS lookups is to remove any mechanisms from your SPF record that resolve to the same domain.
For example, ABC Corp’s SPF record references both gmail.com and example.com’s SPF record. However, example.com’s SPF record already has an include statement for gmail.com. This means that ABC Corp only needs an include statement for example.com.
Avoid ptr mechanisms
SPF specification recommends you do not to use the ptr mechanism in your SPF record. The ptr mechanism is a type of DNS record that resolves an IP address to a domain or hostname.
You should avoid using the ptr mechanism because it can result in a large number of DNS lookups, which will cause you to quickly reach the limit of 10.
Remove legacy partner and vendor domains
You should remove any include statements that redirect the SPF check to a vendors or partners’ SPF record who no longer send email on your behalf. Removing these eliminates unnecessary DNS lookups.
Senders use include statements to redirect the SPF check to a vendor or partner’s SPF record whose IPs often change. Using the include statement of a partner or vendor means the sender does not have to consistently update those changing IP ranges in their own SPF record.
Reference only actively sending domains
You should also make sure that any domains you reference resolve to an active SPF record otherwise they should be removed.
Check out your SPF record
If you are curious whether or not your SPF record is over the 10 lookup limit or want to see how many it currently has, use Proofpoint’s SPF Check Tool.