SPF Void Lookups Explained

The SPF void lookup limit as specified by RFC is currently 2. You can find this specification under RFC 7208 (section 11.1) which puts a limit on the number of SPF void lookups allowed per SPF check. If you’re here reading this article, chances are you have come across the following error message while handling the protocol or reviewing the DMARC report data for your emails:

PermError SPF Permanent Error: Void lookup limit of 2 exceeded

What is an SPF Void Lookup?

When a DNS lookup returns a void or null response while performing an SPF authentication check, it is termed an SPF void lookup. Not to be confused with the 10 DNS lookup limit, SPF void lookups are a separate category of error response that you may come across while handling SPF, altogether.

Why does this happen you may ask? If your SPF record contains an include mechanism that refers to an erroneous or malicious domain or IP address, that when looked up may return an empty or null response (NOERROR with no answers, or NXDOMAIN). RFC recommends the limitation of SPF void lookups like these to a maximum of 2 to prevent erroneous SPF records from becoming contributing factors in the initiation of Denial-of-Service attacks.

However, exceeding the SPF void lookup limit will lead to SPF PermError, resulting in SPF fail and therefore the possibility of your emails failing delivery.