Record contains too many lookups (SPF Records)


I am curious how others are handling SPF records with multiple active vendors. We have several vendors that send emails on our behalf, so I add them to our SPF record. However, we always have more than 10 lookups. Heck, Salesforce takes up 7, and that is only one. Is there something I am missing here? Is this an error that can be ignored?

11 Replies

@Jeff Harlow Jeff, we had similar issues as you and found that we had to 'flatten' our SPF records. What we ended up doing was creating multiple TXT records in DNS for this. We started with the original TXT entry with the domain name, and then added spf1 and spf2 TXT records. Inside the main record you then reference these other two records. The biggest issue becomes the domain names, which count toward your total of 10. In our case we used the SPF survey site listed below, which helps to flatten your records by using IP address ranges.

 

Our Main SPF Record:
v=spf1 include:spf.protection.outlook.com include:spf.somesite.net include:anotherSite.com include:spf1.ourDomainName.com include:spf2.ourDomainName.com ~all

 

SPF1 and SPF2 would look like this with all IPs. We got these ranges with the help of the Dmarcian site.

SPF1

v=spf1 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28

 

SPF2

v=spf1 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28 ip4:1.2.3.4/20 ip4:9.8.7.6/28

 

https://dmarcian.com/spf-survey/

The best workaround is to use a separate domain/subdomain for such emails. 

@DougBartley Wouldn't flattening the IPs cause issues in the future when IP addresses change? DNS would seem like it would be better to manage. Servers can often change IP addresses, and that information does not always get reported back from a vendor to a client.

@Vasil Michev Can you elaborate on this one, please? 

@Jeff Harlow Simply create a separate record for another domain and use it to send those messages.

 

@DougBartley multiple SPF records for the same domain are NOT supported.

@Vasil Michev I know we had to create a subdomain for a certain task; I wonder if those will work for sending email out from? Otherwise, I am at a loss. They make it sound as if you should have active vendors sending emails, but companies do. We are a small business and yet we have 4 different vendors that send emails on our behalf. I cannot imagine what larger corporations do. Several vendors may even send on behalf of users, so different domains may not be a valid solution. I will have to check on how those are to verify. Not sure why SPF records have such a low limit.

 

@Vasil Michev We have a single SPF record set up in DNS and then 2 TXT records that are referenced in the SPF record. All records are read as one by recipient servers and we have a valid SPF record with 10/10 lookups. It has worked for what we are doing and we have not had issues with any vendors switching or adding IPs. Most have a large block of IPs and adding the entire block has worked fine. Also, most of these emails being sent are for our marketing department, so they are not critical emails.

 

sampledomain.com TXT
v=spf1 include:spf1.sampledomain.com include:spf2.sampledomain.com include:spf3.sampledomain.com -all

 

spf1.sampledomain.com TXT
v=spf1 a mx a:mail.domain.com a:mail.domain.ie a:server5.somedomain.com

 

spf2.sampledomain.com TXT
v=spf1 a:server7.somedomain.com mx:server95.somedomain.com include:thatdomain.com

 


@DougBartley Got ya, it's my fault for not reading your full reply. However, in this scenario the 10 DNS lookups limit still applies, and it's actually magnified by the additional includes you've added. The only benefit you get is for adding a large number of IP blocks. For example, none of those 3 separate records exhausts the 10 lookups, but when you combine them together, you invalidate the record:

 

v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:amazon.com -all
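To make the counting concrete, here is an added example (not code from this thread, and not dmarcian's or any other tool's code) that walks an SPF record tree the way a verifier does: every include, a, mx, ptr, exists and redirect costs one lookup, and lookups inside includes are added to the parent's total, which is why Doug's split spf1/spf2 records still share one budget of 10. The same script then flattens the tree into ip4 terms, merges overlapping networks, and splits the result into spfN TXT records that each fit in one 255-byte string. The zone, host and MX data are constructed (example.com, vendor-a.test and friends are hypothetical); against real DNS you would query TXT, A and MX records instead of reading these dicts.

```python
"""SPF lookup counter and flattener (added example; runs offline on constructed data)."""
import ipaddress
import re

LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms -> permerror
# Terms that each cost one DNS lookup (ip4, ip6 and all cost nothing).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]*))?(?:/(\d+))?$")

# Constructed zone data: hypothetical domains, not any real vendor's records.
ZONE = {
    "example.com": "v=spf1 include:spf1.example.com include:spf2.example.com -all",
    "spf1.example.com": "v=spf1 a mx include:vendor-a.test -all",
    "spf2.example.com": "v=spf1 include:vendor-b.test include:vendor-c.test -all",
    "vendor-a.test": "v=spf1 ip4:192.0.2.0/24 include:relay.vendor-a.test -all",
    "relay.vendor-a.test": "v=spf1 ip4:198.51.100.0/25 -all",
    "vendor-b.test": "v=spf1 ip4:203.0.113.0/24 a:mail.vendor-b.test -all",
    "vendor-c.test": "v=spf1 redirect=vendor-b.test",
}
# Constructed A and MX answers for the a/mx mechanisms above.
HOSTS = {"spf1.example.com": ["192.0.2.10"], "mx1.example.com": ["192.0.2.11"],
         "mail.vendor-b.test": ["203.0.113.25"]}
MX = {"spf1.example.com": ["mx1.example.com"]}


def parse(record):
    """Return (mechanism, argument, cidr) per term; an unknown term is a permerror."""
    if not record.startswith("v=spf1"):
        return []
    out = []
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"bad term {term!r}: evaluates to permerror")
        out.append((m.group(1), m.group(2), m.group(3)))
    return out


def count_lookups(domain, zone=ZONE, depth=0):
    """Total lookups a verifier performs for `domain`, following include/redirect."""
    if depth > LIMIT:  # include loop; a verifier would already have failed
        return LIMIT + 1
    total = 0
    for mech, arg, _ in parse(zone.get(domain, "")):
        if mech in LOOKUP_TERMS:
            total += 1
        if mech in ("include", "redirect"):  # nested lookups count against the same budget
            total += count_lookups(arg, zone, depth + 1)
    return total


def flatten(domain, zone=ZONE, depth=0):
    """Collect ip4/ip6 terms from the whole tree, resolving a/mx through HOSTS and MX."""
    if depth > LIMIT:
        raise ValueError(f"include loop at {domain}")
    ips = []
    for mech, arg, cidr in parse(zone.get(domain, "")):
        if mech in ("ip4", "ip6"):
            ips.append(f"{mech}:{arg}" + (f"/{cidr}" if cidr else ""))
        elif mech == "a":  # bare "a" means the record's own domain
            ips += [f"ip4:{ip}" for ip in HOSTS.get(arg or domain, [])]
        elif mech == "mx":
            for host in MX.get(arg or domain, []):
                ips += [f"ip4:{ip}" for ip in HOSTS.get(host, [])]
        elif mech in ("include", "redirect"):
            ips += flatten(arg, zone, depth + 1)
    return list(dict.fromkeys(ips))  # de-duplicate, keep first-seen order


def collapse(ip_terms):
    """Merge ip4 networks that overlap (a single host already inside a listed /24)."""
    v4 = [ipaddress.ip_network(t[4:], strict=False) for t in ip_terms if t.startswith("ip4:")]
    v6 = [t for t in ip_terms if t.startswith("ip6:")]
    return [f"ip4:{n}" for n in ipaddress.collapse_addresses(v4)] + v6


def build_flat_zone(domain, max_len=255):
    """Rewrite `domain` as ip-only spfN.<domain> records; each fits one TXT string."""
    chunks, current = [], "v=spf1"
    for term in collapse(flatten(domain)):
        if len(current) + 1 + len(term) + len(" -all") > max_len:
            chunks.append(current + " -all")
            current = "v=spf1"
        current += " " + term
    chunks.append(current + " -all")
    names = [f"spf{i}.{domain}" for i in range(1, len(chunks) + 1)]
    zone = dict(zip(names, chunks))
    zone[domain] = "v=spf1 " + " ".join(f"include:{n}" for n in names) + " -all"
    return zone


if __name__ == "__main__":
    for d in ("spf1.example.com", "spf2.example.com", "example.com"):
        print(f"{d}: {count_lookups(d)} lookups (limit {LIMIT})")
    flat = build_flat_zone("example.com")
    for name, rec in flat.items():
        print(f"{name} TXT {rec}")
    print(f"flattened example.com: {count_lookups('example.com', flat)} lookups")
```

On the constructed data spf1.example.com costs 4 lookups and spf2.example.com costs 5, yet example.com, which only includes the two, totals 11 and fails. After flattening, the top record needs one lookup per spfN chunk. The trade-off Jeff raises still applies: the flattened ip4 list is a snapshot, so re-run the flattening on a schedule and diff the output against what is published, otherwise a vendor's address change silently turns into SPF failures.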

 

@Jeff Harlow Why wouldn't they? All you need to do is tell the vendor that you want those messages being sent from, say, user@marketing.domain.com instead of user@domain.com.

@Vasil Michev Jeff, I'd have to agree that if you can use Vasil's approach it would be much easier to manage. Hopefully you don't have a marketing department that fails to consult with IT before they decide to do things. Then you are stuck with trying to make it work like we did.

@DougBartley Thanks! Used https://dmarcian.com/spf-survey/ to flatten SPF into three TXT records and it worked perfectly. Have tested all third-party email sending platforms we use with our domain using http://tools.bevhost.com/spf/ and SPF is reporting pass on all, including for Office 365 (previously using include:spf.protection.outlook.com). Now on to using dmarcian to configure and transition to full DMARC!

If you're willing to pay, this might be another option for automatic flattening of the SPF record.

 

https://autospf.com/