Why do some ESPs require unnecessary SPF includes for DKIM, and what are the dangers of this practice?
Summary
What email marketers say (10 marketer opinions)
Email marketer from Email Deliverability Experts Group says that the 'include' directive is useful when you have multiple senders, but there is a risk of surpassing the DNS lookup limit. So you need to manage this efficiently by keeping an eye on the DNS lookups.
Email marketer from Stack Overflow shares that too many SPF includes can exceed the 10 DNS lookup limit. This will cause SPF authentication to fail, impacting email deliverability. It’s recommended to flatten SPF records to avoid this.
Email marketer from Email Deliverability Blog responds that unnecessary SPF includes can indirectly affect DMARC compliance because DMARC relies on SPF and DKIM. If SPF fails due to too many lookups, it can cause DMARC to fail as well, negatively impacting email deliverability and brand reputation.
Email marketer from Email Security Forum shares that sometimes the request for unnecessary SPF includes is 'security theatre' – it looks good but doesn't genuinely improve security. It can create unnecessary complexity and potential points of failure.
Marketer from Email Geeks complains about ESPs demanding a DMARC record (p=none) and absorbing all reports without informing the client, especially when enforcing a policy.
Email marketer from Reddit responds that some ESPs might require unnecessary SPF includes due to outdated information or a desire to demonstrate 'security'. However, this can lead to SPF failing if limits are exceeded, and there are better ways to manage authentication.
Email marketer from Email Marketing Tips Blog explains that while DKIM and SPF both authenticate email, they work differently. DKIM uses cryptographic signatures and does not rely on DNS lookups in the same way SPF does, so unnecessary SPF includes don't directly improve DKIM.
Email marketer from EmailGeeks Forum explains that some ESPs require SPF includes as a way of marking their presence/market share. If they include a domain in your records, the ESP gets to include you as their client for reporting purposes.
Marketer from Email Geeks believes that some ESP authentication issues arise from ignorance and poor internal training leading to misunderstandings.
Email marketer from Email Marketing Community shares that failing SPF authentication can damage your domain's reputation. Mailbox providers may start filtering your emails to spam or block them altogether, negatively affecting your email program.
What the experts say (4 expert opinions)
Expert from Word to the Wise, Laura Atkins, explains that some ESPs require the inclusion because they are trying to market the fact that they sent the email. There is an impact as you get more and more includes in your SPF record. This becomes a maintenance nightmare, as it's difficult to update and monitor. It can also lead to errors.
Expert from Email Geeks shares that Microsoft moved from breaking SPF to breaking DKIM by modifying the body content of emails.
Expert from Spam Resource, John Levine, explains that while using includes can be convenient for SPF records, they can quickly lead to exceeding the DNS lookup limit. This can cause SPF authentication to fail, harming email delivery.
Expert from Email Geeks describes an ESP that won’t turn on custom DKIM signing for a client until the client publishes an SPF include in their root domain, indicating this is bad practice. She highlights that many still follow old documentation with this recommendation, even though Microsoft stopped requiring SPF lookups on the 5321.
What the documentation says (5 technical articles)
Documentation from dmarcian.com explains SPF flattening as a method to reduce the number of DNS lookups by replacing 'include' statements with the actual IP addresses. This avoids exceeding the lookup limit and ensures proper SPF authentication.
Documentation from Mailjet shares that best practice is to only include the domains that are actually sending mail on your behalf. Avoid adding unnecessary 'include' statements and flatten your SPF record where possible to remain under the DNS lookup limit and optimize deliverability.
Documentation from RFC Editor explains that the SPF 'include' mechanism is used to authorize other domains to send mail on behalf of your domain. While useful in some scenarios, overusing 'include' can lead to exceeding the SPF DNS lookup limit, causing SPF to fail and potentially harm deliverability.
Documentation from Valimail explains that the RFC specifies a limit of 10 DNS lookups within an SPF record. Going over this limit means that SPF will return a 'PermError' result, which will negatively impact deliverability and can cause mail to bounce or be marked as spam.
Documentation from EasyDMARC explains that incorrect SPF syntax, including too many includes, can cause authentication to fail. They recommend using tools to validate your SPF record and minimize includes to ensure proper authentication.
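As an added illustration of the lookup limit and the flattening described in the dmarcian and Valimail summaries above (example code, not from any of the cited sources), this Python walks an SPF record through its includes, counts the DNS-querying terms the way RFC 7208 limits them, and rebuilds the record with the includes replaced. The zone data is constructed; a real flattening tool would also need live DNS to turn a/mx terms into addresses.

```python
import re
# Constructed zone of SPF TXT records (not real DNS). _spf.esp-b.example is deliberately lookup-heavy.
ZONE = {
    "example.com": "v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example mx -all",
    "_spf.esp-a.example": "v=spf1 ip4:192.0.2.0/24 include:_spf2.esp-a.example ~all",
    "_spf2.esp-a.example": "v=spf1 a include:_spf3.esp-a.example -all",
    "_spf3.esp-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.esp-b.example": "v=spf1 a mx ptr exists:%{i}.b.example include:_x.esp-b.example -all",
    "_x.esp-b.example": "v=spf1 ip6:2001:db8::/32 -all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: past this the evaluator returns PermError

def split_term(term):
    # Return (qualifier, body, mechanism/modifier name) for one SPF term
    qual = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?")
    return qual, body, re.split(r"[:=/]", body, maxsplit=1)[0].lower()

def walk(domain, zone, path=()):
    """Return (dns_lookups, hoistable_terms) for domain's record, following include/redirect.
    a/mx/ptr/exists count one query each (mx and ptr can cost more in practice). Only '+' terms
    inside an include can match for the parent, so only those are hoisted, with bare a/mx/ptr
    rewritten to name the domain they were evaluated against."""
    if domain in path or domain not in zone:
        raise ValueError(f"PermError: include loop or missing record at {domain}")
    lookups, terms = 0, []
    for term in zone[domain].split()[1:]:
        qual, body, name = split_term(term)
        if name in ("include", "redirect"):
            sub = walk(body.split(":" if name == "include" else "=", 1)[1], zone, path + (domain,))
            lookups, terms = lookups + 1 + sub[0], terms + sub[1]
        elif name in ("a", "mx", "ptr", "exists"):
            lookups += 1
            if qual == "+":
                terms.append(f"{name}:{domain}" if body == name else body)
        elif qual == "+" and name in ("ip4", "ip6"):
            terms.append(body)
    return lookups, terms

def lookup_status(domain, zone):
    """'PermError' when the record needs more than MAX_LOOKUPS queries, loops or dangles, else 'ok'."""
    try:
        return "PermError" if walk(domain, zone)[0] > MAX_LOOKUPS else "ok"
    except ValueError:
        return "PermError"

def flatten(domain, zone):
    """Replace each top-level include with the terms it authorises; every other term stays verbatim."""
    out = []
    for term in zone[domain].split()[1:]:
        _, body, name = split_term(term)
        out.extend(walk(body.split(":", 1)[1], zone)[1] if name == "include" else [term])
    return "v=spf1 " + " ".join(out)
```

After flattening, the constructed example.com record drops from 11 lookups to 6: the include queries are gone, but the a/mx/ptr/exists terms hoisted from the ESP records still cost a query each, and the copied addresses go stale whenever an ESP changes its ranges, which is why flattened records need periodic regeneration.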