Frequently Asked Questions
This article contains information on SPF Delegation, addressing FAQs about setup, lookup limitations, record management, redirect mechanisms, and troubleshooting to optimize email authentication and simplify SPF record updates.
| Q: | Do I need support from my DNS Manager / Hosting company? |
| A: | Enabling SPF Delegation is only a one-time setup. The current SPF record configuration must be updated to set up SPF Delegation, which must be published by the DNS Manager or hosting company. |
| Q: | Can domains have multiple SPF records? |
| A: | A domain name cannot have multiple SPF records. If you want to add more sources (for more applications), you’ll need to update the existing record or (if the record does not exist yet) create a new record with multiple entries. |
| Q: | What is an SPF lookup? |
| A: | An SPF lookup is any configured mechanism that causes a DNS record lookup. Mechanisms such as MX and include are recognized as lookups, and any ‘nested’ lookups inside an include also count. By default, an SPF record is limited to 10 ‘lookups’ to reduce the load on the email receivers’ side. When the lookup threshold is exceeded, all items after the 10th lookup may (and probably will) not count as valid SPF sources. |
| Q: | How to avoid the SPF lookup limitation? |
| A: | Thorough management and in-depth knowledge of SPF are required to avoid problems with the DNS lookup limitation. Not exceeding the lookup limitation can be challenging when having multiple sending sources (payment providers, CRM systems, email marketing programs, project management tools, security solutions, etc.) sending emails on behalf of an organization. SPF delegation allows users to overcome the lookup limitation by compressing the SPF record and required SPF lookups, adding virtually unlimited lookups to an SPF record. |
| Q: | How to host and manage SPF records? |
| A: | SPF records are set up on a domain and are managed by the IT department. SPF record management can be costly and is not without risk. Adding a new sending vendor is usually the responsibility of the email team, who will hand it over to the IT department and finally to the DNS manager. Since multiple departments must be consulted, making DNS changes can lead to error-prone and unnecessarily expensive procedures that occur each time your organization adds or removes email vendors. SPF delegation allows users to Host and Manage their SPF records. |
| Q: | How long does it take for you to recognize it when a source makes a change in its IP range? How quickly will the SPF delegation record get updated? |
| A: | As part of the monitoring process, the SPF Delegation services will perform background checks on configured sources included in the SPF. When a source changes the monitored SPF record, this change will be processed, and the delegated SPF record will be updated accordingly. This happens just as fast as a regular SPF record is updated when a regular include changes its IP range. |
| Q: | Why does the Delegated SPF record not end with the ‘all’ mechanism? |
| A: | When SPF Delegation is configured for the first time, an updated SPF record is provided. This SPF record uses a redirect mechanism that tells the organization performing the SPF check to evaluate the delegated record instead. The updated record does not include an ‘all’ mechanism because the full record is redirected. Any changes to the updated record may cause issues with the SPF Delegation configuration. |
| Q: | Can we add includes, IPs, etc., before/after the ‘redirect’? |
| A: | No, to ensure SPF Delegation is configured correctly, we advise using the DNS. It is possible to add entries before the redirect. Placing them after the redirect will produce errors and is not advised. We do not recommend making any updates to the record itself; instead, all updates should be added to the SPF Delegation manager. This ensures the record gets compressed correctly and is as efficient as possible. |
| Q: | Can publishing the redirect record cause any errors? |
| A: | As a redirect is a valid SPF entry, publishing this record will not cause errors. There are, however, a very few sending sources that will only authenticate emails with SPF/DKIM when they see that their specific SPF include is listed in the SPF record. As the redirect will change all includes to single IP entries, this can cause problems for them. This is, however, very rare and can be resolved by adding the specific include before the redirect entry. |
| Q: | Can labels be added to servers? |
| A: | Yes, you can add labels with a description of the service for which the server is specified. |
| Q: | How long does it take before the SPF record is active? |
| A: | That depends on the TTL (Time To Live) set within the domain’s DNS. |
| Q: | How to add new servers? |
| A: | The image below shows how servers can be added to the SPF record. |
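
The lookup limit discussed in the answers above can be checked before a record is published. The following is an added example, not part of the original article or of any vendor tooling: it counts worst-case DNS-querying terms using the RFC 7208 rule (the include, a, mx, ptr and exists mechanisms plus redirect), following nested includes. All domain names and records are constructed sample data, and `count_lookups` and `exceeds_limit` are hypothetical helper names.

```python
# Constructed zone data: TXT records keyed by domain name (all names are examples).
ZONE = {
    "example.org": "v=spf1 mx include:_spf.crm.example include:_spf.mail.example "
                   "include:_spf.pay.example include:_spf.desk.example -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.0/28 ~all",
    "b.crm.example": "v=spf1 ip4:192.0.2.64/28 ~all",
    "_spf.mail.example": "v=spf1 a mx include:c.mail.example ~all",
    "c.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.pay.example": "v=spf1 exists:%{i}.pay.example include:d.pay.example ~all",
    "d.pay.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_spf.desk.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    # Delegated form: the domain's record only redirects to a flattened record.
    "delegated.example.org": "v=spf1 redirect=_spf.delegation.example",
    "_spf.delegation.example": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.0/24 -all",
}

LIMIT = 10  # maximum DNS-querying terms per SPF evaluation
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms, including nested includes."""
    if domain in path:
        raise ValueError("include/redirect loop at " + domain)
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" still query DNS
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include":  # nested lookups also count
                total += count_lookups(arg, zone, path + (domain,))
    return total

def exceeds_limit(domain, zone):
    return count_lookups(domain, zone) > LIMIT

if __name__ == "__main__":
    for d in ("example.org", "delegated.example.org"):
        print(d, count_lookups(d, ZONE), "OVER LIMIT" if exceeds_limit(d, ZONE) else "ok")
```

In the constructed data, the record with four vendor includes needs 12 lookups, while the redirect-only record needs 1.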