How can I optimize my SPF record to stay within the lookup limit when using multiple email sending services?
Summary
What email marketers say (10 marketer opinions)
Email marketer from DMARC Analyzer recommends prioritizing essential sending services in your SPF record and evaluating whether less critical services can be authenticated using alternative methods like DKIM.
Email marketer from StackOverflow suggests using SPF macros where feasible, which can reduce the total number of DNS lookups compared with using includes.
Email marketer from Reddit suggests regularly auditing your SPF record to identify and remove any outdated or unnecessary include statements. This can significantly reduce the number of lookups.
Email marketer from AuthSMTP explains that you cannot add multiple SPF records to a domain as it invalidates SPF. Instead, consolidate everything into one record.
Email marketer from Mailjet suggests delegating different sending services to subdomains, each with its own SPF record. This isolates the lookups for each service and prevents exceeding the limit on the primary domain.
Email marketer from EmailonAcid recommends using a tool to check how many lookups your SPF record has. This allows you to determine where you need to make changes.
Email marketer from MXToolbox advises reducing the number of external services that require SPF inclusions, consolidating onto services that offer the same benefits and features.
Email marketer from Email Geeks shares that Shopify uses a return path on a subdomain through SendGrid if properly set up.
Email marketer from EasyDMARC shares that SPF flattening services reduce the number of DNS lookups by resolving include statements to individual IP addresses. This helps stay within the 10-lookup limit but requires regular updates to reflect IP address changes.
Email marketer from Email Geeks explains that he uses Shopify and Google Workspace, which require two lookups, and also relies on three SaaS products for email sending, each requesting one include. He adds that Shopify now uses a subdomain that resolves to an SPF record with SendGrid.
What the experts say (5 expert opinions)
Expert from Email Geeks responds to a previous answer about SPF record lookups, clarifying that an SPF record with 11 lookups is invalid, and it's not accurate to say only the 11th lookup will fail. She suggests the problem is likely due to publishing too many unnecessary SPF lookups.
Expert from Email Geeks advises checking the 5321.From / return-path / bounce domain on all senders before making any decisions about SPF records.
Expert from Word to the Wise explains that large SPF records can cause issues. Reducing the size will help ensure maximum compatibility.
Expert from Email Geeks suggests some vendors might provide incorrect advice, leading to unnecessary entries in SPF records. He advises checking if the domain is in the return path; if not, SPF may not be needed for that vendor.
Expert from Word to the Wise explains that a common mistake is adding unnecessary includes to your SPF record, exceeding the lookup limit. She advises carefully reviewing and removing any includes that are not essential for sending mail.
What the documentation says (5 technical articles)
Documentation from SparkPost details the importance of DKIM. When possible, use DKIM instead of, or in addition to, SPF. This ensures you can still authenticate your emails when you are unable to meet the SPF requirements.
Documentation from Microsoft explains that properly structuring your SPF records, including using the 'ip4' and 'ip6' mechanisms instead of 'include' where possible, can help minimize DNS lookups and stay within the limit.
Documentation from Google Workspace Admin Help explains that SPF records have a limit of 10 DNS lookups. Exceeding this limit can cause authentication failures. It recommends reviewing the SPF record and removing unnecessary mechanisms to stay within the limit.
Documentation from Cloudflare details the limitations of SPF, including the fact that it authenticates the envelope From and not the header From. This means you need to be extra diligent to ensure SPF is correct, and look at alternative methods where possible.
Documentation from RFC 7208 details that the 'include' mechanism in SPF records triggers additional DNS lookups. It emphasizes the importance of carefully managing includes to avoid exceeding the limit and causing SPF failures.
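The lookup audit recommended above, as an added example (not code from this page or from any of the cited sources): it counts the terms RFC 7208 charges against the 10-lookup limit (include, a, mx, ptr, exists and redirect), following includes and redirects recursively. The zone data and every domain name are constructed; macros are not expanded, and the count is the worst case in which no earlier mechanism matches.

```python
# Added example. ZONE is constructed sample data standing in for live TXT queries.
LIMIT = 10
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, section 4.6.4

ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:send.crm.example "
                    "include:help.desk.example include:shop.store.example "
                    "include:news.tool.example mx ~all"],
    "_spf.mail.example": ["v=spf1 include:_nb1.mail.example include:_nb2.mail.example "
                          "include:_nb3.mail.example ~all"],
    "_nb1.mail.example": ["v=spf1 ip4:198.51.100.0/26 ~all"],
    "_nb2.mail.example": ["v=spf1 ip4:198.51.100.64/26 ~all"],
    "_nb3.mail.example": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "send.crm.example": ["v=spf1 include:pool.crm.example ~all"],
    "pool.crm.example": ["v=spf1 ip4:203.0.113.0/25 ~all"],
    "help.desk.example": ["v=spf1 ip4:203.0.113.128/26 ~all"],
    "shop.store.example": ["v=spf1 redirect=_spf.esp.example"],
    "_spf.esp.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "news.tool.example": ["v=spf1 ip4:203.0.113.200 ~all"],
    # Subdomain delegation: the newsletter tool gets its own record.
    "news.example.com": ["v=spf1 include:news.tool.example ~all"],
    # Invalid: two SPF records published on one name.
    "dup.example.com": ["v=spf1 ip4:192.0.2.1 ~all", "v=spf1 mx ~all"],
}

def spf_record(domain, zone):
    """Return the single SPF record for a name; more than one (or none) is an error."""
    records = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: expected one SPF record, found {len(records)}")
    return records[0]

def count_lookups(domain, zone=ZONE, seen=()):
    """Count DNS-querying terms for a domain, recursing into include/redirect."""
    seen = seen + (domain,)
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        term = term.lstrip("+-~?").lower()           # drop the qualifier
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0]                    # "a/24" and "mx/24" forms
        if name in COUNTED:
            total += 1
        if name in ("include", "redirect") and target and target not in seen:
            total += count_lookups(target, zone, seen)
    return total

def within_limit(domain, zone=ZONE):
    return count_lookups(domain, zone) <= LIMIT
```

Here `example.com` reaches 11 counted terms although its own record lists only six, because the nested includes and the redirect inside vendor records are charged to it as well.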