How can I optimize my SPF record to stay within the lookup limit when using multiple email sending services?

Summary

Optimizing SPF records to stay within the 10 DNS lookup limit when using multiple sending services involves a multi-faceted approach. Key strategies include regularly auditing and removing unnecessary 'include' statements, validating vendor advice, and checking the 5321.From/return-path on all senders. Additionally, consider SPF flattening, delegating services to subdomains, prioritizing essential services, utilizing SPF macros, consolidating services, and leveraging DKIM as an alternative or supplementary authentication method. Remember that multiple SPF records are invalid and all mechanisms should be consolidated into a single record. SPF authenticates the envelope from and not the header from. Some services such as Shopify now use subdomains with SPF records.

Key findings

  • Lookup Limit: SPF records are limited to 10 DNS lookups; exceeding this limit causes authentication failures.
  • Unnecessary Includes: Unnecessary includes are a common cause of exceeding the lookup limit.
  • Vendor Advice: Vendors may provide incorrect advice leading to unnecessary SPF entries; always validate.
  • Return Path: Check the 5321.From/return-path of all senders before making SPF decisions.
  • SPF Flattening: SPF flattening reduces DNS lookups but requires regular updates.
  • Subdomains: Delegating services to subdomains isolates lookups.
  • DKIM: DKIM can supplement or replace SPF for authentication.
  • Single Record: Only one SPF record per domain is valid; consolidate includes.
  • Record Size: Large SPF records can cause issues and should be kept small.

Key considerations

  • Regular Audits: Regularly audit and remove any includes that are not essential.
  • Validation: Ensure the accuracy of vendor recommendations before implementing changes.
  • Maintenance: SPF flattening requires frequent updates to reflect IP address changes.
  • Testing: Thoroughly test any changes to the SPF record to ensure email deliverability is not negatively impacted.
  • Shopify Config: Shopify and similar services using subdomains for sending can simplify SPF configuration.

What email marketers say
10 marketer opinions

Optimizing SPF records involves staying within the 10 DNS lookup limit when using multiple email sending services. Strategies include using SPF flattening services, delegating services to subdomains, auditing and removing unnecessary includes, prioritizing essential services, using SPF macros, consolidating services, and using tools to check lookup counts. It's also important to remember that multiple SPF records are invalid and all mechanisms should be consolidated into one record. Some services such as Shopify now use subdomains with SPF records.

Key opinions

  • SPF Flattening: SPF flattening reduces DNS lookups but requires regular updates.
  • Subdomains: Delegating services to subdomains isolates lookups.
  • Record Auditing: Regularly audit and remove unnecessary includes.
  • Prioritization: Prioritize essential services in SPF.
  • SPF Macros: Consider using SPF macros to reduce lookup count.
  • One Record: Multiple SPF records are invalid; consolidate them.
  • Consolidation: Reduce the number of external services by consolidation.
  • Shopify Configuration: Shopify now uses a subdomain that resolves to Sendgrid, simplifying the SPF configuration for the main domain.

Key considerations

  • Update Frequency: SPF flattening requires frequent updates to reflect IP address changes.
  • DKIM Alternative: Evaluate if less critical services can use DKIM instead of SPF.
  • Lookup Tools: Use tools to check SPF lookup counts to identify optimization opportunities.
  • Testing: Thoroughly test any changes to the SPF record to ensure email deliverability is not negatively impacted.

Marketer view

Email marketer from DMARC Analyzer recommends prioritizing essential sending services in your SPF record and evaluating whether less critical services can be authenticated using alternative methods like DKIM.

February 2024 - DMARC Analyzer
Marketer view

Email marketer from StackOverflow suggests using SPF macros where feasible, which can reduce the total number of DNS lookups compared with using includes.

June 2024 - StackOverflow
Marketer view

Email marketer from Reddit suggests regularly auditing your SPF record to identify and remove any outdated or unnecessary include statements. This can significantly reduce the number of lookups.

April 2021 - Reddit
Marketer view

Email marketer from AuthSMTP explains that you cannot add multiple SPF records to a domain as it invalidates SPF. Instead, consolidate everything into one record.

November 2022 - AuthSMTP
Marketer view

Email marketer from Mailjet suggests delegating different sending services to subdomains, each with its own SPF record. This isolates the lookups for each service and prevents exceeding the limit on the primary domain.

November 2023 - Mailjet
Marketer view

Email marketer from EmailonAcid recommends using a tool to check how many lookups your SPF record has. This allows you to determine where you need to make changes.

August 2022 - EmailonAcid
Marketer view

Email marketer from MXToolbox advises reducing the number of external services that require SPF inclusions, and consolidating onto services that offer the same benefits and features.

December 2022 - MXToolbox
Marketer view

Email marketer from Email Geeks shares that Shopify uses a return path on a subdomain through Sendgrid if properly set up.

June 2021 - Email Geeks
Marketer view

Email marketer from EasyDMARC shares that SPF flattening services reduce the number of DNS lookups by resolving include statements to individual IP addresses. This helps stay within the 10-lookup limit but requires regular updates to reflect IP address changes.

January 2022 - EasyDMARC
Marketer view

Email marketer from Email Geeks explains that he uses Shopify and Google Workspace, which require two lookups, and also relies on three SaaS products for email sending, each requesting one include. He adds that Shopify now uses a subdomain that resolves to an SPF record with Sendgrid.

August 2021 - Email Geeks

What the experts say
5 expert opinions

Optimizing SPF records to stay within the lookup limit involves removing unnecessary includes, validating vendor advice, and checking the 5321.From/return-path on all senders. Exceeding 10 lookups makes the SPF invalid. A key strategy is ensuring that only essential services and domains are included in the SPF record to minimize its size and complexity.

Key opinions

  • Invalid Lookup Count: SPF records with more than 10 DNS lookups are invalid.
  • Vendor Advice: Vendors may provide incorrect advice leading to unnecessary SPF entries.
  • Return-Path Check: Check the 5321.From/return-path of all senders before making SPF decisions.
  • Unnecessary Includes: Unnecessary includes are a common cause of exceeding the lookup limit.
  • Record Size: Large SPF records can cause issues and should be kept small.

Key considerations

  • Regular Review: Regularly review and remove any includes that are not essential.
  • Authentication Needs: Ensure SPF is only used for senders where the domain is in the return path.
  • Impact of Changes: Carefully consider the impact of removing an include on deliverability from that service.

Expert view

Expert from Email Geeks responds to a previous answer about SPF record lookups, clarifying that an SPF record with 11 lookups is invalid, and it's not accurate to say only the 11th lookup will fail. She suggests the problem is likely due to publishing too many unnecessary SPF lookups.

September 2021 - Email Geeks
Expert view

Expert from Email Geeks advises checking the 5321.From / return-path / bounce domain on all senders before making any decisions about SPF records.

October 2024 - Email Geeks
Expert view

Expert from Word to the Wise explains that large SPF records can cause issues. Reducing the size will help ensure maximum compatibility.

July 2022 - Word to the Wise
Expert view

Expert from Email Geeks suggests some vendors might provide incorrect advice, leading to unnecessary entries in SPF records. He advises checking if the domain is in the return path; if not, SPF may not be needed for that vendor.

December 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that a common mistake is adding unnecessary includes to your SPF record, exceeding the lookup limit. She advises carefully reviewing and removing any includes that are not essential for sending mail.

September 2022 - Word to the Wise

What the documentation says
5 technical articles

To optimize SPF records and stay within the 10 DNS lookup limit, documentation emphasizes the importance of managing 'include' mechanisms carefully, as they trigger additional lookups. Properly structuring SPF records, using 'ip4' and 'ip6' mechanisms when possible, and regularly reviewing and removing unnecessary mechanisms are crucial. DKIM can also be used as an alternative or supplement when SPF limits are difficult to meet. SPF authenticates the envelope from, not the header from, so care is required.

Key findings

  • Lookup Limit: SPF records are limited to 10 DNS lookups.
  • Include Mechanism: 'Include' mechanisms trigger additional lookups and should be managed carefully.
  • IP4/IP6 Mechanisms: Using 'ip4' and 'ip6' mechanisms instead of 'include' can minimize lookups.
  • DKIM Alternative: DKIM can be used as an alternative or supplement to SPF when SPF limits are hard to meet.
  • Authenticates Envelope: SPF authenticates the envelope from, not the header from.

Key considerations

  • Regular Review: Regularly review SPF records and remove unnecessary mechanisms.
  • Record Structuring: Properly structure SPF records to minimize DNS lookups.
  • Trade Offs: Consider the trade-offs between SPF and DKIM when implementing authentication methods.
  • Alternative Methods: Look at alternative methods where possible due to SPF limitations.

Technical article

Documentation from SparkPost details the importance of DKIM. Where possible, use DKIM instead of, or in addition to, SPF. This ensures you can still authenticate your emails when you are unable to meet the SPF requirements.

June 2024 - SparkPost
Technical article

Documentation from Microsoft explains that properly structuring your SPF records, including using the 'ip4' and 'ip6' mechanisms instead of 'include' where possible, can help minimize DNS lookups and stay within the limit.

March 2021 - Microsoft
Technical article

Documentation from Google Workspace Admin Help explains that SPF records have a limit of 10 DNS lookups. Exceeding this limit can cause authentication failures. It recommends reviewing the SPF record and removing unnecessary mechanisms to stay within the limit.

May 2023 - Google Workspace Admin Help
Technical article

Documentation from Cloudflare details the limitations around SPF and the fact that it authenticates the envelope from and not the header from. This means you need to be extra diligent to ensure SPF is correct, and look at alternative methods where possible.

April 2024 - Cloudflare
Technical article

Documentation from RFC 7208 details that the 'include' mechanism in SPF records triggers additional DNS lookups. It emphasizes the importance of carefully managing includes to avoid exceeding the limit and causing SPF failures.

July 2024 - RFC Editor
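
The lookup accounting described above, as an added example that is not part of the original page: a static counter that follows include and redirect and tallies the terms RFC 7208 counts toward the limit of 10, and rejects a domain that publishes more than one SPF record. The TXT data is constructed, every domain and address is a placeholder, and the function names are illustrative.

```python
import re

LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Constructed TXT data standing in for live DNS; every name and address is made up.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:vendor-a.example "
                    "include:vendor-b.example a mx ip4:192.0.2.10 ~all"],
    "lean.example.com": ["v=spf1 include:_spf.mail.example include:vendor-a.example "
                         "ip4:192.0.2.10 ip4:192.0.2.25 ~all"],
    "news.example.com": ["v=spf1 include:vendor-b.example -all"],
    "dup.example.com": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:vendor-a.example -all"],
    "_spf.mail.example": ["v=spf1 include:_nb1.mail.example include:_nb2.mail.example "
                          "include:_nb3.mail.example ~all"],
    "_nb1.mail.example": ["v=spf1 ip4:198.51.100.0/26 ~all"],
    "_nb2.mail.example": ["v=spf1 ip4:198.51.100.64/26 ~all"],
    "_nb3.mail.example": ["v=spf1 ip6:2001:db8::/48 ~all"],
    "vendor-a.example": ["v=spf1 include:u1.vendor-a.example ip4:203.0.113.0/25 -all"],
    "u1.vendor-a.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
    "vendor-b.example": ["v=spf1 a mx include:relay.vendor-b.example -all"],
    "relay.vendor-b.example": ["v=spf1 ip4:203.0.113.200 -all"],
}

class SPFPermError(Exception):
    """Raised where an SPF evaluator would return permerror."""

def spf_record(domain, zone):
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:  # zero or several records: unusable as an include target
        raise SPFPermError(f"{domain}: {len(found)} SPF records, need exactly 1")
    return found[0]

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    if domain in path:
        raise SPFPermError(f"include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        parts = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)
        name, target = parts[0], parts[1] if len(parts) > 1 else ""
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and exp cost no counted lookup
        total += 1
        # Macro targets depend on the message, so they are counted but not followed.
        if name in {"include", "redirect"} and "%{" not in target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def within_limit(domain, zone=ZONE):
    return count_lookups(domain, zone) <= LIMIT
```

The count is an upper bound, since a real evaluation stops at the first mechanism that matches. Here `example.com` exceeds the limit, while replacing `a` and `mx` with `ip4` entries and moving one vendor to `news.example.com` brings both records under it.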