DMARC Analyzer - SPF Record Entries

This article contains information on managing a domain's SPF record, including adding multiple sources, reducing lookups, handling the 255-character limit, and resolving "Maximum Lookups Exceeded" errors to ensure proper email authentication.

A domain name can’t have multiple SPF records. If you want to add more sources (for more applications), you’ll need to update the existing record or, if no record exists yet, create a new one. Where a single record cannot hold all the entries, use subdomains to hold them.

Multiple Source SPF Records

You can add multiple sources to an SPF record. The total length of the record, however, cannot be longer than 255 characters.

Example SPF Record with Multiple Entries

domain.com TXT
v=spf1 a mx a:mail.domain.com a:mail.domain.ie a:server5.somedomain.com -all

If you need to create a record that exceeds the maximum of 255 characters, you must create multiple SPF records by adding them to subdomains that you include in the main domain record. This is shown in the example below:

  1. Subdomain 1:
spf1.testdomain.com TXT
v=spf1 a mx a:mail.domain.com a:mail.domain.ie a:server5.somedomain.com -all
  2. Subdomain 2:
spf2.testdomain.com TXT
v=spf1 a:server7.somedomain.com mx:server95.somedomain.com include:thatdomain.com -all
  3. Subdomain 3:
spf3.testdomain.com TXT
v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 -all
  4. Then amend the initial SPF as follows:
testdomain.com TXT
v=spf1 include:spf1.testdomain.com include:spf2.testdomain.com include:spf3.testdomain.com -all

Error - 'Maximum Lookups Exceeded'

SPF records only allow 10 ‘lookups’ to reduce the load on the email receivers' side. The following mechanisms count as lookups:

  • a
  • mx
  • include
  • ptr
  • exists

‘Nested’ lookups also count. If you exceed this threshold, the items after the 10th lookup may (and probably will) not count as valid SPF sources.
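
The nested count described above can be checked before a record is published. The following Python code is an added example, not part of the original article or of any DMARC Analyzer tool. It assumes a constructed ZONE dictionary in place of live DNS (the esp.example names and the IP ranges are made up), and it also counts the redirect modifier, which RFC 7208 includes in the limit of 10.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that trigger a DNS query; "redirect" is a modifier that counts as well.
QUERYING = {"a", "mx", "include", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS (assumption, not real policies).
ZONE = {
    "testdomain.com": "v=spf1 a mx include:spf1.testdomain.com "
                      "include:spf2.testdomain.com include:esp.example -all",
    "spf1.testdomain.com": "v=spf1 a mx a:mail.domain.com a:mail.domain.ie -all",
    "spf2.testdomain.com": "v=spf1 mx:server95.somedomain.com include:thatdomain.com -all",
    "thatdomain.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "esp.example": "v=spf1 include:a.esp.example include:b.esp.example ~all",
    "a.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "b.esp.example": "v=spf1 exists:%{i}.bl.esp.example ~all",
}

def parse_term(term):
    """Split an SPF term into (name, target); qualifier and CIDR suffix are dropped."""
    m = re.fullmatch(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=]([^/]+))?(?:/.*)?", term)
    return (m.group(1).lower(), m.group(2)) if m else (term.lower(), None)

def term_costs(domain, zone, path=()):
    """Map each querying term of domain's record to its cost, nested lookups included."""
    domain = domain.lower()
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    costs = {}
    for term in zone.get(domain, "v=spf1").split()[1:]:  # skip the version tag
        name, target = parse_term(term)
        if name not in QUERYING:
            continue  # ip4, ip6 and all need no DNS query
        cost = 1
        if name in ("include", "redirect") and target:
            cost += sum(term_costs(target, zone, path + (domain,)).values())
        costs[term] = costs.get(term, 0) + cost  # a duplicated term is charged twice
    return costs

def count_lookups(domain, zone):
    """Worst-case total: every term evaluated, as when no earlier mechanism matches."""
    return sum(term_costs(domain, zone).values())

def exceeds_limit(domain, zone):
    return count_lookups(domain, zone) > LOOKUP_LIMIT

if __name__ == "__main__":
    for term, cost in term_costs("testdomain.com", ZONE).items():
        print(f"{cost:2d}  {term}")
    print("total:", count_lookups("testdomain.com", ZONE), "limit:", LOOKUP_LIMIT)
```

On the constructed zone the total is 14, and the per-term breakdown shows which include is the most expensive one to keep.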

Reducing Lookups

The number of SPF lookups can be reduced by:

  • Cleaning up your record. Sometimes there are duplicate mechanisms in the record (for instance, an MX record to Google Apps and an include from Google SPF).
  • Using subdomains for specific email flows. If you set up a subdomain for specific flows, you get another 10 lookups for the SPF record for that subdomain.
  • Checking that you’re using the correct included domains. Some third-party senders occasionally change their usage of SPF. Perhaps you’re using an old setup which leads to additionally included domains (perhaps an include that is redirected to a new URL).
  • Using SPF macros (advanced).

Using DNS Delegation

Use the SPF record checker to check how many lookups are in a specific SPF record. If there are too many SPF lookups, you can use the SPF delegation tool to resolve the “Too many lookups” issue and replace your existing policy with the one provided by the DNS delegation tool. The DNS delegation tool will keep the SPF record up to date whenever one of the included ESPs changes its records.
