Jeff Harlow
Iron Contributor
Apr 09, 2019

Record contains too many lookups (SPF Records)

I am curious how others are handling SPF records with multiple active vendors. We have several vendors that send emails on our behalf, so I add them to our SPF record. However, we always have more than 10 lookups. Heck, Salesforce takes up 7, and that is only one. Is there something I am missing here? Is this an error that can be ignored?

  • DougBartley
    Copper Contributor

    Jeff Harlow Jeff, we had similar issues as you and found that we had to 'flatten' our SPF records. What we ended up doing was creating multiple TXT records in DNS for this. We started with the original TXT entry with the domain name, and then added spf1 and spf2 TXT records. Inside the main record you then reference these other two records. The biggest issue becomes the domain names, which count toward your total of 10. In our case we used the SPF survey site listed below, which helps to flatten your records by using IP address ranges.

     

    Our Main SPF Record:
    v=spf1 include:spf.protection.outlook.com include:spf.somesite.net include:anotherSite.com include:spf1.ourDomainName.com include:spf2.ourDomainName.com ~all

     

    SPF1 and SPF2 would look like this with all IPs. We got these ranges with the help of the Dmarcian site.

    SPF1

    v=spf1 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28

     

    SPF2

    v=spf1 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28

     

    https://dmarcian.com/spf-survey/

    • Jeff Harlow
      Iron Contributor

      DougBartley Wouldn't flattening the IPs cause issues in the future when IP addresses change? DNS would seem like it would be better to manage. Servers can often change IP addresses and that information does not always get reported back from a vendor to a client.

    • invidia
      Copper Contributor

      DougBartley Thanks! Used https://dmarcian.com/spf-survey/ to flatten SPF into three TXT records and it worked perfectly. Have tested all third-party email sending platforms we use with our domain using http://tools.bevhost.com/spf/ and SPF is reporting pass on all, including for Office 365 (previously using include:spf.protection.outlook.com). Now on to using dmarcian to configure and transition to full DMARC!
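
The lookup budget and the IP-change concern raised in the posts above, as an added example that is not part of the original thread: a Python sketch that counts the DNS-querying SPF terms (include, a, mx, ptr, exists, redirect) for a nested layout and for a flattened one, then lists vendor ranges the flattened record no longer covers. The zone data, the domain names and the `walk`/`drift` helpers are constructed for illustration.

```python
import re

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup (limit 10);
# ip4, ip6 and all cost none, which is why flattening reduces the count.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

def walk(domain, zone, seen=()):
    """Return (lookups, ip_ranges) for a domain's SPF record, following include/redirect."""
    domain = domain.lower()
    if domain in seen:
        raise ValueError(f"SPF include loop at {domain}")
    terms = zone[domain].split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain} has no SPF record")
    lookups, ranges = 0, set()
    for term in terms[1:]:  # worst case: assume no earlier term matched
        name, _, arg = re.match(r"[+\-~?]?([a-z0-9]+)([:=/]?)(.*)", term.lower()).groups()
        if name in QUERYING:
            lookups += 1
        if name in ("include", "redirect"):
            sub_lookups, sub_ranges = walk(arg, zone, seen + (domain,))
            lookups, ranges = lookups + sub_lookups, ranges | sub_ranges
        elif name in ("ip4", "ip6"):
            ranges.add(arg)
    return lookups, ranges

def drift(flattened, live_domains, zone):
    """Ranges the vendors publish now that the flattened record does not list.
    Compared as strings, so a range covered by a wider CIDR is still reported."""
    live = set().union(*(walk(d, zone)[1] for d in live_domains))
    return live - walk(flattened, zone)[1]

# Constructed zone (TXT records by name); every name and range below is made up.
CRM = [f"n{i}.crm.vendor.example" for i in range(6)]
ZONE = {
    "before.example": "v=spf1 include:mail.vendor.example include:crm.vendor.example "
                      "include:news.vendor.example mx ~all",
    "mail.vendor.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "crm.vendor.example": "v=spf1 " + " ".join("include:" + n for n in CRM) + " -all",
    "news.vendor.example": "v=spf1 include:mail.vendor.example ip4:203.0.113.0/24 -all",
    # Flattened layout as in the thread: vendor includes replaced by ip4-only records.
    "after.example": "v=spf1 include:mail.vendor.example include:spf1.after.example "
                     "include:spf2.after.example ~all",
    "spf1.after.example": "v=spf1 ip4:198.51.100.0/32 ip4:198.51.100.1/32 ip4:198.51.100.2/32",
    "spf2.after.example": "v=spf1 ip4:198.51.100.3/32 ip4:198.51.100.4/32 ip4:203.0.113.0/24",
}
ZONE.update({n: f"v=spf1 ip4:198.51.100.{i}/32 -all" for i, n in enumerate(CRM)})

if __name__ == "__main__":
    print(walk("before.example", ZONE)[0], walk("after.example", ZONE)[0])
    print(drift("after.example", ["crm.vendor.example", "news.vendor.example"], ZONE))
```

Running a comparison like `drift` on a schedule against the vendors' live records is one way to catch address changes that a flattened record would otherwise miss.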
