Too many DNS lookups in an SPF record

I recently noticed I was having new email deliverability issues. It surprised me since things had been going well since switching to AuthSMTP for our outgoing mail. The first thing I checked was my SPF record. It looked like this:

v=spf1 a mx include:aspmx.googlemail.com include:authsmtp.com include:salesforce.com -all

At first glance everything seems okay. Basically it says to authorize the domain's A record and MX hosts, and to include the SPF records published by Google Apps, AuthSMTP and Salesforce. Since that covers every legitimate sender, I finish it off with -all, which tells receivers to hard-fail anything else. Ok, so the syntax is good. You can’t tell that anything is wrong without digging a little deeper. When you actually try to evaluate it you’ll get this error message:

Results – PermError SPF Permanent Error: Too many DNS lookups

After a little research I found out that you are only allowed 10 DNS lookups, and fetching the TXT and SPF records counts toward that total. That means after you add in the A and MX lookups, we’re at 7 before we even look inside the includes. Let’s pull up the SPF record for Google Apps:

v=spf1 redirect=_spf.google.com

That redirect counts as another DNS lookup. That puts me up to 8 DNS lookups. Thankfully the Salesforce SPF record is nice and clean:

v=spf1 ip4:204.14.232.0/25 ip4:204.14.234.0/25 ip4:63.150.46.16 ip4:207.126.144.0/20 ip4:64.18.0.0/20 mx ~all

That leaves AuthSMTP:

v=spf1 include:spf-a.authsmtp.com include:spf-b.authsmtp.com include:spf-c.authsmtp.com include:spf-d.authsmtp.com ~all

Ouch! That’s 4 more lookups, and the worst part is that spf-d.authsmtp.com doesn’t even do anything!

The first thing I did was take out the MX lookup since it’s redundant. I also replaced aspmx.googlemail.com with _spf.google.com which is what it redirects to anyway. Technically, this isn’t a good idea since Google could change it on me — but remember I don’t have a lot of options here. I’m just happy to see my revised record pass the test:

v=spf1 a include:_spf.google.com include:authsmtp.com include:salesforce.com -all
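The lookup count the post walks through by hand, done programmatically against the records quoted above. This is an added example, not code from the original post: it counts the terms RFC 7208 section 4.6.4 limits to 10 (a, mx, ptr, exists, include and the redirect modifier), not the initial TXT fetch, and follows includes and redirects recursively. The domain example.com, the contents of _spf.google.com and the four spf-a..d.authsmtp.com records are assumptions.

```python
import re

LOOKUP_LIMIT = 10                                  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

# Constructed offline "DNS" (domain -> SPF TXT record). The example.com, Google,
# Salesforce and AuthSMTP records are those quoted in the post; the contents of
# _spf.google.com and spf-a..d.authsmtp.com are assumed (RFC 5737 test addresses).
ZONE = {
    "example.com": "v=spf1 a mx include:aspmx.googlemail.com "
                   "include:authsmtp.com include:salesforce.com -all",
    "aspmx.googlemail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "salesforce.com": "v=spf1 ip4:204.14.232.0/25 ip4:204.14.234.0/25 "
                      "ip4:63.150.46.16 ip4:207.126.144.0/20 ip4:64.18.0.0/20 mx ~all",
    "authsmtp.com": "v=spf1 include:spf-a.authsmtp.com include:spf-b.authsmtp.com "
                    "include:spf-c.authsmtp.com include:spf-d.authsmtp.com ~all",
    "spf-a.authsmtp.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf-b.authsmtp.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf-c.authsmtp.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf-d.authsmtp.com": "v=spf1 ~all",  # authorises nothing, still costs a lookup
}
# The post's revised record, evaluated against the same zone.
REVISED = dict(ZONE, **{"example.com": "v=spf1 a include:_spf.google.com "
                                        "include:authsmtp.com include:salesforce.com -all"})

# qualifier? name [:arg | =arg] [/cidr]  e.g. -all, a/24, include:x.com, redirect=y.com
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S+?))?(?:/\d+)?$", re.I)

def count_lookups(domain, zone=ZONE, path=()):
    """DNS-querying terms reached from domain's record: a, mx, ptr, exists, include
    and redirect cost one each (plus the included record's); ip4/ip6/all are free."""
    if domain in path:                     # include/redirect loop: stop recursing
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg.lower(), zone, path + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (lookup count, verdict) the way an SPF validator would report it."""
    n = count_lookups(domain, zone)
    return n, ("PermError: too many DNS lookups" if n > LOOKUP_LIMIT else "ok")
```

Against this zone the original record costs 11 lookups (the Salesforce record's own mx adds one more than the post tallies) and the revised record 9, which matches the PermError and then the pass the post saw.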

I also sent an email to the AuthSMTP team. They responded within 30 minutes saying that they would remove the extra DNS record and look at how they can clean things up.

I learned something tonight. Remember to count the DNS lookups in your SPF record. It turns out they can add up faster than points on a teenager's driver's license. And if you’re using a lot of includes like I am, remember to do periodic checks to make sure nothing has changed.

Resources:

  • I wrote about Sending email through Gmail over a year ago. While I absolutely don’t recommend you try this anymore, it has some useful information on SPF records and email deliverability in general.
  • Kitterman has a great tool to help validate your SPF records.

Nowadays I recommend everyone use SendGrid for sending email.
  • Thank you for the help. I had exactly the same problem; I just replaced a few a: references with ip4: references.

  • Roseanne

    This was a very informative post. Thanks for taking the time to write it.

  • Mark

    thanks man….nice post

  • Scott

    Thanks! Your post was helpful, and helped me to resolve some of my SPF record issues.

  • Thanks for this clarification. I’m just getting started with SPF, and I discovered that by merely adding two ESPs (MailChimp and SurveyGizmo), I’ve blown past the limit! This makes SPF ‘not ready for prime time’, a toy unfit for real-world purpose.

    (BTW the caret is invisible in Firefox – makes it hard to type).

  • ableal

    > I also replaced aspmx.googlemail.com with _spf.google.com which is what it redirects to anyway. Technically, this isn’t a good idea since Google could change it on me

    As of July 2010, "include:_spf.google.com" is their official recommendation, cf. http://www.google.com/support/a/bin/answer.py?ans

    (This is for anyone coming later; thank you for the post)

  • Sally

    Thanks Josh! I didn't know about this before and you helped a lot. 🙂

  • Good article. I didn't realize there is a cap of 10 lookups. This means people setting up SPF records who use Google Apps, BlackBerrys, and web servers that send out emails really need to pay attention to this kind of stuff! I agree that the SPF standard needs some work in order to meet real-world needs.

  • ravisorg

    Awesome, I didn't realize this either but it explains a few issues.

    May I suggest you use ? on your third party services (eg: ?include:_spf.google.com). Without the ? you're saying "anyone using google is authorized from my domain", which is probably not what you want. Adding the ? changes it to mean "anyone using google MIGHT be authorized from my domain, don't ban them with the -all, but you should use other methods to ensure that they're not spammers".

  • Where do you get the first "7" from? I count:
    SPF request
    TXT request
    A request
    MX request.
    That comes to 4, not 7, no?

    • The other 3 come from looking up the hostnames: aspmx.googlemail.com, authsmtp.com & salesforce.com

  • Thanks for recommending SendGrid. I signed up with them because of this article. You should include a link as they give you $20 for each referral

  • HMA

    Thanks Josh,

    It's so amazing and really helpful. I was facing the same issue and was probably going the right way, but got stuck at a few steps before completing it. Your post helped me a lot and now I have finally done it.

  • Hemant Chavan

    Where is the limit of 10 mentioned? I am getting the error "Results – PermError SPF Permanent Error: Void lookup limit of 2 exceeded". My SPF record looks like this:
    v=spf1 a mx ip4:203.199.60.24 mx:drmail.ltindia.com mx:mail.ltindia.com mx:mail1.ltindia.com mx:Mail2.Ltindia.com ip4:125.18.18.171 ip4:203.199.60.171 ip4:125.18.18.115 ip4:203.199.60.115 ip4:125.22.40.109 ip4:203.199.60.132 ip4:125.18.18.132 -all

    Can you help me find how many DNS lookups this SPF record will require and how can I increase the DNS lookup limit to 10.

  • Hemant Chavan

    Josh, just went through your blog. You are doing great things. Keep it up.
    I have just added my query and would like to hear from you.

    Adding my query again.
    Where is the limit of 10 mentioned? I am getting the error "Results – PermError SPF Permanent Error: Void lookup limit of 2 exceeded". My SPF record looks like this:
    v=spf1 a mx ip4:203.199.60.24 mx:drmail.ltindia.com mx:mail.ltindia.com
    mx:mail1.ltindia.com mx:Mail2.Ltindia.com
    ip4:125.18.18.171 ip4:203.199.60.171 ip4:125.18.18.115 ip4:203.199.60.115
    ip4:125.22.40.109 ip4:203.199.60.132 ip4:125.18.18.132 -all

    Can you help me find how many DNS lookups this SPF record will require and how can I increase the DNS lookup limit to 10.

  • I'm trying the following SPF, which still tells me too many DNS lookups:
    v=spf1 a include:sendgrid.com include:_spf.google.com -all

    How come those are too many?

  • LeeWalton70

    There IS, hidden within the SPF specification, a Macro Language that allows substitutions to be used in the generation of the SPF record that would point to other records dynamically, alleviating the issue altogether.