What are the options for dealing with overstuffed SPF records exceeding DNS lookup limits?
What email marketers say (13 marketer opinions)
Email marketer from StackOverflow mentions using a dedicated sending domain or subdomain for email marketing. This allows for a simpler SPF record that only includes the necessary services for that specific sending domain, reducing the risk of exceeding the lookup limit.
Email marketer from Reddit suggests migrating entirely to DKIM. If SPF is too difficult to manage, DKIM offers a robust alternative for authentication without the DNS lookup limitations of SPF. It involves digitally signing emails, which is verified by the receiving server.
Email marketer from AuthSMTP says to use external authentication services for SPF and DKIM. These services can handle the complexity of SPF records and ensure compliance with DNS lookup limits, providing a managed solution for email authentication.
Marketer from Email Geeks (Proofpoint) states that Proofpoint has something called Hosted SPF that resolves the 10 DNS lookup limit.
Email marketer from DNSQueries highlights the option of using services that automatically flatten your SPF records. These services monitor your includes and automatically update the SPF record with the resolved IP addresses, ensuring you stay within the lookup limit without manual intervention.
Marketer from Email Geeks suggests that many clients rely on DKIM only because of SPF record issues, and offers flattening as another option, mentioning providers and self-hosted options.
Email marketer from EmailonAcid shares that you can review your SPF record regularly and remove any outdated or unnecessary entries, and only include the sending sources that are currently in use. This helps maintain a lean SPF record and avoid exceeding the lookup limit.
Email marketer from Gmass shares that regularly auditing your SPF records and removing old services or providers that are no longer in use helps reduce the number of lookups, and is a practical method to stay within the limit.
Marketer from Email Geeks warns that flattening is a nightmare if anyone whose SPF you have behind an include changes their record, and suggests a method of splitting up SPF records.
Email marketer from MXToolbox answers that they provide tools to check the SPF record; by checking it, you can identify which includes are causing additional lookups and see if any can be removed or consolidated.
Email marketer from SendGrid states that while SPF is useful, DKIM and DMARC are important for authentication. If SPF is complex, focus on DKIM signing and DMARC policy to ensure emails are properly authenticated even if SPF fails due to lookup limits.
Email marketer from EasyDMARC explains that SPF flattening is a technique to reduce the number of DNS lookups in an SPF record by replacing 'include' statements with the actual IP addresses they resolve to. This can help avoid exceeding the 10-lookup limit but requires regular maintenance to update IP addresses when they change.
Email marketer from Mailjet shares that using subdomains for different sending purposes, like transactional emails versus marketing campaigns, allows you to create separate SPF records with fewer includes for each. This prevents SPF records from becoming too complex and exceeding the lookup limit.
What the experts say (4 expert opinions)
Expert from Word to the Wise says that migrating to a new ESP is a good opportunity to address the SPF record. Work with the new ESP to create a lean and optimized SPF record that only includes the necessary sending sources.
Expert from Email Geeks explains that a significant problem is people publishing SPF for the wrong domain and ESPs providing bad guidance, recommending dedicated domains for the 5321.from.
Expert from Spamresource states that regularly reviewing and optimizing SPF records to remove obsolete entries is crucial. Also, consolidate includes where possible and ensure that the most important sending sources are prioritized within the 10-lookup limit.
Expert from Email Geeks discusses the issue of overstuffed SPF records with too many DNS lookups, noting that ISPs seem to be forgiving despite the spec. Options considered are ignoring the issue or pushing clients to use different subdomains for different mail streams.
What the documentation says (4 technical articles)
Documentation from Microsoft answers that for Microsoft 365, it's essential to configure SPF, DKIM, and DMARC correctly. While SPF has its limits, combining it with DKIM can improve email deliverability and authentication. Ensure SPF is set up for all sending domains.
Documentation from Google Workspace Admin Help explains that SPF records have a limit of 10 DNS lookups. Exceeding this limit can cause SPF checks to fail, impacting email deliverability. They suggest simplifying SPF records by removing unnecessary includes or using alternative authentication methods like DKIM.
Documentation from DMARC.org recommends using both SPF and DKIM for email authentication and aligning them properly with DMARC. When SPF records are problematic, DKIM can provide an alternative authentication method, and the correct DKIM configuration with DMARC can allow you to achieve deliverability goals.
Documentation from RFC 7208 (SPF specification) specifies that SPF implementations MUST limit the number of DNS lookups performed during SPF evaluation to avoid denial-of-service attacks. The limit is set to 10 DNS lookups, including any lookups caused by 'include', 'a', 'mx', 'ptr', or 'exists' mechanisms.
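The lookup count and the flattening technique described above can be worked through offline. The following is an added example, not code from any of the quoted sources: `ZONE` is constructed data standing in for DNS TXT answers, every domain in it is hypothetical, and the function names are illustrative. It also follows the `redirect` modifier, which RFC 7208 counts toward the same limit.

```python
import re

# Added example; ZONE is constructed data standing in for DNS TXT answers,
# and every domain in it is hypothetical.
ZONE = {
    "example.com": "v=spf1 mx a include:esp.example include:crm.example include:desk.example ~all",
    "esp.example": "v=spf1 include:n1.esp.example include:n2.esp.example include:n3.esp.example ~all",
    "n1.esp.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "n2.esp.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "n3.esp.example": "v=spf1 ip6:2001:db8:a::/48 ~all",
    "crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:198.51.100.0/28 ~all",
    "b.crm.example": "v=spf1 ip4:198.51.100.16/28 ~all",
    "desk.example": "v=spf1 include:mail.desk.example ~all",
    "mail.desk.example": "v=spf1 ip4:203.0.113.5 ~all",
}
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows 10 per check.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse(raw):
    """Split one SPF term into (name, argument), dropping the qualifier."""
    name, arg = (re.split(r"[:=]", raw.lstrip("+-~?"), maxsplit=1) + [""])[:2]
    return name.split("/")[0].lower(), arg      # "a/24" is still "a"

def walk(domain, zone, seen=()):
    """Return (lookups, ip_terms, other_lookup_terms) for the whole tree."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    count, ips, other = 0, [], []
    for raw in zone[domain].split()[1:]:         # skip the v=spf1 tag
        name, arg = parse(raw)
        count += name in LOOKUP_TERMS
        if name in ("include", "redirect"):
            c, i, o = walk(arg, zone, seen + (domain,))
            count, ips, other = count + c, ips + i, other + o
        elif name in ("ip4", "ip6"):
            ips.append(f"{name}:{arg}")          # assumes the default "+" qualifier
        elif name in LOOKUP_TERMS:
            other.append(raw)
    return count, ips, other

def flatten(domain, zone):
    """Inline every include whose tree resolves to ip4/ip6 terms only."""
    kept, ips, tail = [], [], []
    for raw in zone[domain].split()[1:]:
        name, arg = parse(raw)
        sub = walk(arg, zone) if name == "include" else None
        if sub and not sub[2]:
            ips += sub[1]
        else:
            (tail if name == "all" else kept).append(raw)
    return " ".join(["v=spf1", *kept, *ips, *tail])
```

Re-running `flatten` on a schedule and comparing its output with the published record is how a flattened record is kept from going stale when a provider changes the addresses behind an include.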