Sender Policy Framework, or SPF, is an established and customary email authentication standard that is widely used by domain owners to validate inbound and outbound messages. SPF exists within the DNS of your domain as a DNS TXT record, and contains a list of all the valid IP addresses that are authorized to send emails from your domain.
Whenever a mailbox provider tries to validate an email using SPF, it performs a DNS query by requesting information for the domain from the DNS. This is what is called a DNS lookup. Every time a DNS lookup is performed, it consumes a substantial amount of computing resources. This is why the SPF specification limits the number of DNS lookups to a maximum of 10. Capping the DNS lookups made during SPF authentication helps safeguard receiving servers from denial-of-service attacks. However, this hard limit causes a significant number of issues.
Note that the include, a, mx, ptr, and exists mechanisms and the redirect modifier all initiate DNS lookups.
How Can the 10 DNS Lookup Limit Affect You?
As soon as you exceed the 10 DNS lookup limit for SPF, your email inevitably fails the SPF check, even if it originates from an authorized IP address. In such cases, if your DMARC policy is at enforcement, your legitimate emails can get quarantined or not delivered at all. That can heavily impact email deliverability.
Previously, when email senders ran their own email infrastructure, staying under the 10 DNS lookup limit was easy. However, with the increase in cloud-based email services and several third-party vendors that send emails on behalf of domain owners, exceeding the limit has become increasingly common. Moreover, include statements that nest further lookup mechanisms also add to the DNS lookups, making it easier to exceed the limit.
Every email service provider adds complexity and can cause you to exceed the DNS lookup limit. If you are using Gmail for email transfer, it generates 4 DNS lookups, Office 365 generates 2, and so on. As soon as the SPF hard limit is exceeded, SPF breaks and an SPF PermError result is returned to your domain.
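To make the counting concrete, the following Python code is an added example (not part of the original article) that tallies the lookup-triggering terms in an SPF record and follows nested include and redirect targets. The records and domains are constructed placeholders, the function names are hypothetical, and the count is the worst case over all terms rather than a full SPF evaluation.

```python
import re

# Terms that cost one DNS lookup each (the list given in the article).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

# Constructed SPF records for illustration; every domain is a placeholder.
SAMPLE_ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mail-a.example "
                   "include:_spf.mail-b.example include:_spf.crm.example "
                   "ip4:192.0.2.10 -all",
    "_spf.mail-a.example": "v=spf1 include:_n1.mail-a.example "
                           "include:_n2.mail-a.example "
                           "include:_n3.mail-a.example ~all",
    "_n1.mail-a.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_n2.mail-a.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_n3.mail-a.example": "v=spf1 ip6:2001:db8:a::/48 ~all",
    "_spf.mail-b.example": "v=spf1 include:_n1.mail-b.example -all",
    "_n1.mail-b.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx ~all",
    "small.example": "v=spf1 mx include:_spf.mail-b.example -all",
}

# Optional qualifier, term name, then an optional ":" or "=" target.
TERM_RE = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, zone, _stack=()):
    """Worst-case count of lookup-triggering terms, following nested records."""
    if domain in _stack:
        raise ValueError(f"SPF include loop through {domain}")
    total = 0
    for term in zone.get(domain, "").split():
        match = TERM_RE.match(term)
        if not match or match.group(1).lower() not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and v=spf1 trigger no DNS query
        total += 1
        name, target = match.group(1).lower(), match.group(2)
        if name in ("include", "redirect") and target:
            # The nested record's own terms count against the same limit.
            total += count_lookups(target, zone, _stack + (domain,))
    return total

def spf_lookup_status(domain, zone=SAMPLE_ZONE):
    """Return (count, 'permerror' or 'ok') against the 10-lookup limit."""
    count = count_lookups(domain, zone)
    return count, "permerror" if count > SPF_LOOKUP_LIMIT else "ok"

if __name__ == "__main__":
    for d in ("example.com", "small.example"):
        print(d, spf_lookup_status(d))
```

In the constructed zone, example.com has only five lookup terms in its own record, but the nested records behind its three include statements bring the total to 11.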
Popular SPF Solutions and Their Subsequent Limitations
The most commonly used solution to mitigate SPF PermError and avoid exceeding the 10 DNS lookup limit is known as “SPF flattening”. This is simply the process of replacing all the domains in your SPF record with their respective IP addresses, thereby eliminating the need to perform DNS lookups. As advantageous as it may sound, manually flattening your SPF has problems of its own. They are:
- Email service providers may change their IP addresses without informing you
- Email service providers may add to their IP addresses without informing you
- You need to constantly update your SPF record and monitor changes made by your email service providers in their IP addresses
- The length of the manually flattened record may exceed 255 characters
All of this can invalidate your SPF record and lead to SPF failure. This is why manual SPF flattening is not recommended as a fool-proof solution to stay under the lookup limit.
Automated and Dynamic SPF Flattening with PowerSPF
PowerDMARC aims at solving industry problems faced over the years with advanced solutions around them. PowerSPF is a Dynamic SPF and automated SPF flattening service that replaces all your mechanisms with a single include statement, so that you always stay under the 10 DNS lookup limit. PowerSPF provides you with:
- Automatic and real-time SPF flattening
- A flattened SPF record with a single include statement by removing redundant or nested IP addresses
- Checks that run continuously to ensure that your authorized IP addresses are always up-to-date, without any intervention from your side
- A user-friendly dashboard to monitor activities and add or change mechanisms with just a few clicks
- Effortless addition of new senders or domains with just a few clicks
Shift to a more effortless and automated approach towards SPF implementation and ensure that you never exceed the SPF 10 lookup limit, by signing up with DMARC Analyzer!