
Understanding the 10 DNS Lookup Limit for SPF Records

 

  • The SPF limit of 10 DNS lookups can break authentication. Not every term in a record costs a lookup: ip4, ip6 and all are evaluated without touching DNS, but include, a, mx, ptr, exists and redirect each require a query (RFC 7208, section 4.6.4), and an include is also charged for every lookup-consuming term in the record it pulls in. Because most senders authorize third-party addresses through include rather than by listing them directly, each new sending service usually adds several lookups at once.
     
  • If your organization relies on several third-party vendors to send email from your domain, each one contributes an include, and that vendor’s own record may fan out into further includes. The lookups compound quickly. Starting to see the problem here?

 

  • Once evaluating your SPF record takes more than 10 DNS lookups, the receiver returns ‘PermError: too many DNS lookups’. A PermError means the receiver could not evaluate your record at all; it does not prove your mail legitimate, and under DMARC it counts as an SPF failure, so messages may be quarantined or rejected depending on the receiver’s policy. This is how an SPF PermError harms your business: you could be having email delivery issues without even knowing it.

Why does RFC specify this stringent SPF DNS lookup limit for domains?

While the SPF limit can seem an unwanted restriction, it exists for a good reason. RFC 7208 (section 4.6.4) caps the number of lookup-consuming terms so that evaluating an SPF record stays cheap for receivers and cannot be turned into a denial-of-service attack on the receiver’s DNS resolver.


For example, a threat actor publishes an SPF record on a throwaway domain stuffed with include and mx terms, some of them pointing at legitimate corporate domains, and then sends mail in bulk to many receiving servers. Without a cap, every receiver would chase the whole chain of includes for every message. Because an evaluator stops after 10 lookup-consuming terms per SPF check (with a separate cap on how many names an mx or ptr query may return), the work a receiver does per message is bounded, which mitigates this kind of amplification against the receiver’s resolver.


However, as stated above, the same limit means a record that was fine yesterday can silently tip into PermError when a vendor expands its own include chain, at which point the limit does more harm than good for that domain. That is why SPF flattening, replacing include terms with the address ranges they resolve to, has become a standard remedy.

How do too many DNS lookups impact your emails?

The answer is simple: if evaluating your record requires more than 10 DNS lookups, your messages fail SPF, because the receiver abandons evaluation and returns PermError instead of a pass. The record is effectively invalid from the receiver’s point of view. To avoid this, the recommended solution is to flatten your record (replace includes with the IP ranges they resolve to), merge overlapping ranges, and remove any mechanism that is no longer needed.
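The lookup accounting described in the list above and the flattening recommended here, as an added example that is not the course’s own code. It stands in for real TXT, A and MX queries with an in-memory table of invented domains (example.com, spf.vendor-a.example, spf.vendor-b.example and so on) using documentation-range addresses, so it runs offline; the function names are assumptions of this example. It also shows something the text only states: how one vendor’s fan-out of includes pushes an otherwise modest record past the limit.

```python
"""Count the DNS lookups an SPF record costs, and flatten it to IP literals.

Added example for this page, not the course's own code. Real DNS is replaced
by the constructed tables ZONE, A_RECORDS and MX_RECORDS (invented domain
names, documentation-range addresses) so the script runs offline.
"""
import ipaddress

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup against
# the limit of 10; ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed TXT records for hypothetical domains.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 mx "
                   "include:spf.vendor-a.example include:spf.vendor-b.example -all",
    "spf.vendor-a.example": "v=spf1 include:_net1.vendor-a.example "
                            "include:_net2.vendor-a.example ~all",
    "_net1.vendor-a.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:a::/48 -all",
    "_net2.vendor-a.example": "v=spf1 ip4:198.51.100.128/25 -all",
    # A vendor whose record fans out into six includes of its own.
    "spf.vendor-b.example": "v=spf1 "
        + " ".join(f"include:r{i}.vendor-b.example" for i in range(1, 7)) + " -all",
    **{f"r{i}.vendor-b.example": f"v=spf1 ip4:192.0.2.{i * 16}/28 -all"
       for i in range(1, 7)},
    "small.example": "v=spf1 a mx include:_net1.vendor-a.example -all",
}
A_RECORDS = {"example.com": ["203.0.113.10"], "mx1.example.com": ["203.0.113.25"],
             "small.example": ["192.0.2.200"], "mx.small.example": ["192.0.2.201"]}
MX_RECORDS = {"example.com": ["mx1.example.com"], "small.example": ["mx.small.example"]}


def parse_terms(record):
    """Yield (name, value) for each term after 'v=spf1'.

    Qualifiers (+ - ~ ?) are stripped: they change the verdict, not the
    number of lookups. Modifiers use '=', mechanisms use ':' or no argument.
    """
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    for term in fields[1:]:
        term = term.lstrip("+-~?")
        if "=" in term:
            name, value = term.split("=", 1)
        elif ":" in term:
            name, value = term.split(":", 1)
        else:
            name, value = term, None
        yield name.lower(), value


def count_lookups(domain, zone=ZONE, stack=()):
    """Total lookup-consuming terms reachable from domain's record.

    include and redirect recurse into the referenced record. The same include
    reached along two paths is counted twice, because a real evaluator queries
    it twice. 'stack' guards against include loops; a missing record adds 0
    (the include that referenced it was already counted by the caller).
    """
    if domain in stack or domain not in zone:
        return 0
    total = 0
    for name, value in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and value:
                total += count_lookups(value, zone, stack + (domain,))
    return total


def check_record(domain, zone=ZONE):
    """('ok', n) when n lookups fit the limit, ('permerror', n) otherwise."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > MAX_LOOKUPS else "ok", n)


def flatten(domain, zone=ZONE, a_records=A_RECORDS, mx_records=MX_RECORDS):
    """Rewrite domain's record with ip4/ip6 literals only, i.e. zero lookups.

    Overlapping and adjacent ranges are merged to keep the record short.
    ptr and exists cannot be expressed as addresses and are dropped.
    """
    nets = []

    def walk(d, stack=()):
        if d in stack or d not in zone:
            return
        for name, value in parse_terms(zone[d]):
            if name in ("ip4", "ip6"):
                nets.append(ipaddress.ip_network(value, strict=False))
            elif name in ("include", "redirect"):
                walk(value, stack + (d,))
            elif name == "a":
                host = (value or d).split("/")[0]
                nets.extend(ipaddress.ip_network(ip) for ip in a_records.get(host, []))
            elif name == "mx":
                host = (value or d).split("/")[0]
                for mx in mx_records.get(host, []):
                    nets.extend(ipaddress.ip_network(ip) for ip in a_records.get(mx, []))

    walk(domain)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    literals = [
        f"ip{n.version}:{n.network_address if n.prefixlen == n.max_prefixlen else n}"
        for n in list(v4) + list(v6)
    ]
    return "v=spf1 " + " ".join(literals) + " -all"


if __name__ == "__main__":
    for d in ("example.com", "small.example"):
        print(d, check_record(d))
    print(flatten("example.com"))
```

In the constructed zone, example.com itself only has three lookup-consuming terms, but vendor-a contributes two more and vendor-b six, for 11 in total and a PermError; the flattened version costs none. Two caveats a practitioner should keep in mind: a flattened record freezes the vendors’ addresses, which the vendors publish via include precisely so they can change them, so the flattening has to be re-run on a schedule and diffed against the live record; and a long list of literals can exceed the 255-octet limit of a single TXT string, in which case the record must be published as several concatenated strings.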


If you have DMARC implemented for your domains, a PermError is treated by DMARC as an SPF failure. Unless the message also carries an aligned, valid DKIM signature, it fails DMARC, and the receiving server may quarantine or reject it according to your published policy. The only way to stay clear of this limit is to keep the total number of DNS lookups your record needs at 10 or fewer.


However, this isn’t as easy as it may appear. Most businesses outsource email marketing campaigns and relay transactional mail through third-party vendors every day, and each such vendor adds its own include chain to your record.
