It is easy to exceed the allowed number of DNS lookups

The most common SPF error made by organizations is having too many DNS-querying terms in their SPF record. The following SPF terms cause a DNS lookup:

  • include
  • a
  • mx
  • ptr
  • exists
  • redirect

Every occurrence of one of these terms counts toward the 10-lookup limit, whether it appears in your own SPF record or in the record of any include or redirect it pulls in, however deeply nested. If evaluating the record would require more than ten lookups, SPF evaluation stops and returns a permanent error (permerror), so the message fails authentication.

You're often at the mercy of third-party senders' SPF records

There are cases where including a third-party sender in your record causes the lookup limit to be exceeded. For example, at the time of this writing, adding include:bluehost.com to your record adds nine out of the maximum ten lookups. The diagram below shows the various DNS lookups introduced by including this term in one's SPF record.

bluehost.com
├─── a:bluehost.com
├─── mx:bluehost.com
├─── ptr:bluehost.com
└─── include:spf2.bluehost.com
     └─── include:_spf.google.com
          ├─── include:_netblocks.google.com
          ├─── include:_netblocks2.google.com
          └─── include:_netblocks3.google.com

Nine DNS lookups introduced by the include:bluehost.com term.

The same number of lookups results from include:secureserver.net. If you include either of these and then authorize additional senders whose records also require several lookup terms, your record will exceed the DNS lookup limit.
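The counting rule described above, and the bluehost.com tree in the diagram, can be checked with a small lookup counter. The script below is an added example, not Fraudmarc's tooling; it walks an SPF record, descends into every include: and redirect= target, and records one entry per DNS-querying term. The TXT records in ZONE are a constructed offline snapshot modelled on the diagram (the example.com, overlimit.example and alias.example records are hypothetical), so it runs without touching DNS.

```python
"""Count the DNS lookups an SPF record requires, following nested include:
and redirect= terms the way an SPF evaluator does.

Added example, not Fraudmarc's own code. The TXT records in ZONE are a
constructed offline snapshot modelled on the article's diagram, not live DNS.
"""
import re

LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}  # one DNS lookup each
MAX_LOOKUPS = 10   # limit from RFC 7208 section 4.6.4
LOOP_GUARD = 100   # stop walking if a record (indirectly) includes itself

# Constructed zone data: domain -> SPF TXT record (hypothetical values).
ZONE = {
    "bluehost.com": "v=spf1 a mx ptr include:spf2.bluehost.com ~all",
    "spf2.bluehost.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    # Hypothetical customer records built on top of the above.
    "example.com": "v=spf1 include:bluehost.com -all",
    "overlimit.example": "v=spf1 include:bluehost.com include:_spf.google.com -all",
    "alias.example": "v=spf1 redirect=_spf.google.com",
}


class SpfPermError(Exception):
    """Raised where a real evaluator would return permerror."""


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; reads the constructed ZONE instead."""
    try:
        return ZONE[domain]
    except KeyError:
        raise SpfPermError(f"no SPF record published for {domain}") from None


def collect_lookups(domain, lookups=None):
    """Append one entry per DNS-querying term in domain's record, descending
    into include: and redirect= targets. Returns the flat list in the order
    an evaluator would issue the queries; its length is the lookup count.
    (mx additionally has its own per-MX-host sub-limit, not modelled here.)"""
    if lookups is None:
        lookups = []
    for term in lookup_txt(domain).split():
        if term.lower() == "v=spf1":
            continue
        term = term.lstrip("+-~?")  # the qualifier does not affect the count
        if term.startswith("include:") or term.startswith("redirect="):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            lookups.append(term)
            collect_lookups(target, lookups)  # nested record's lookups count too
        else:
            mech = re.split(r"[:/]", term, maxsplit=1)[0]
            if mech in LOOKUP_MECHANISMS:
                # a / mx / ptr with no argument query the current domain.
                target = term[len(mech) + 1:].split("/")[0] if ":" in term else domain
                lookups.append(f"{mech}:{target}")
        if len(lookups) > LOOP_GUARD:
            raise SpfPermError(f"{domain}: lookup chain never ends (include loop?)")
    return lookups


def check_record(domain):
    """Return (status, lookups): 'ok' when within the limit, 'permerror' when
    evaluating the record would take more than MAX_LOOKUPS DNS queries."""
    lookups = collect_lookups(domain)
    status = "permerror" if len(lookups) > MAX_LOOKUPS else "ok"
    return status, lookups


if __name__ == "__main__":
    for name in ("example.com", "overlimit.example", "alias.example"):
        status, lookups = check_record(name)
        print(f"{name}: {len(lookups)} lookups -> {status}")
        for entry in lookups:
            print("    ", entry)
```

Running it reproduces the diagram: example.com, which does nothing but include bluehost.com, already spends nine of its ten lookups, and adding one more multi-lookup sender (overlimit.example) pushes the total to thirteen and a permerror. Pointing the same walk at your own published record, with lookup_txt swapped for a real TXT query, is a quick way to audit a change before it goes live.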

Fraudmarc can help

Fraudmarc uses SPF Compression℠ to minimize the number of DNS lookups required to authenticate all of your authorized senders. We continuously scan for changes to your ESP's records and update your records automatically. Our intuitive SPF tool gives you convenient control over your SPF policies without ever having to touch DNS records.