Forum Discussion

Jeff Harlow's avatar
Jeff Harlow
Iron Contributor
Apr 09, 2019

Record contains too many lookups (SPF Records)

I am curious how others are handling SPF records with multiple active vendors. We have several vendors that send emails on our behalf, so I add them to our SPF record. However we always have more tha...
exchange online
VasilMichev's avatar
VasilMichev
MVP
Apr 10, 2019

Jeff Harlow Simply create a separate record for another domain and use it to send those messages.

 

DougBartley multiple SPF records for the same domain are NOT supported.

  • DougBartley's avatar
    DougBartley
    Copper Contributor
    Apr 10, 2019

    VasilMichev We have a single SPF record setup in DNS and then 2 TXT records that are referenced in the SPF record.  All records are read as one by recipient servers and we have a valid SPF record with 10/10 lookups.  It has worked for what we are doing and we have not had issues with any vendors switching or adding IP's.  Most have a large block of IP's and adding the entire block has worked fine.    Also, most of these emails being sent are for our marketing department so they are not critical emails.  

     

    sampledomain.com TXT
    v=spf1 include:spf1.sampledomain.com include:spf2.sampledomain.com include:spf3.sampledomain.com -all

     

    spf1.sampledomain.com TXT
    v=spf1 a mx a:mail.domain.com a:mail.domain.ie a:server5.somedomain.com

     

    spf2.sampledomain.com TXT
    v=spf1 server7.somedomain.com mx:server95.somedomain.com include:thatdomain.com

     

    • VasilMichev's avatar
      VasilMichev
      MVP
      Apr 10, 2019

      DougBartley got ya, it's my fault for not reading your full reply. However, in this scenario the 10 DNS lookups limit still applies, and it's actually magnified by the additional includes you've added. The only benefits you get are for adding large number of IP blocks. For example, none of those 3 separate records exhausts the 10 lookups, but when you combine them together, you invalidate the record:

       

      v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:amazon.com -all

       

      Jeff Harlow why wouldn't they, all you need to do is tell the vendor that you want those messages being sent from say user@marketing.domain.com instead of user@domain.com.

      • DougBartley's avatar
        DougBartley
        Copper Contributor
        Apr 10, 2019

        VasilMichev  Jeff I'd have to agree that if you can use Vasil's approach it would be much easier to manage.   Hopefully you don't have a marketing department that fails to consult with IT before they decide to do things.   Then you are stuck with trying to make it work like we did.  

  • Jeff Harlow's avatar
    Jeff Harlow
    Iron Contributor
    Apr 10, 2019

    VasilMichev  I know we had to create a sub domain for a certain task; I wonder if those will work for sending email out from? Otherwise, I am at a loss. They make it sound as if you should have active vendors sending emails but companies do. We are a small business and yet we have 4 different vendors that send emails on our behalf. I cannot imagine what larger corporations do.  Several vendors may even send on behalf of users, so different domains may not be a valid solution.  I will have to check on how those are to verify.  Not sure why SPF records have such a low limit. 

     

Resources