Suped

Why does MXToolbox report SPF as too think while other tools show a higher score?

8 Marketer opinions3 Expert opinions5 Technical articles3 Resources

Summary

MXToolbox may report SPF errors due to several factors: its inability to handle specific SPF lookup codes, its general sensitivity, adherence to the 10 DNS lookup limit, and variations in configuration and testing methodologies. The 10 DNS lookup limit can easily be exceeded when the 'include' mechanism is used excessively, or when complex SPF records are in use. DNS propagation delays and caching mechanisms also contribute to the inconsistencies. If this limit is exceeded, a 'permerror' results, causing SPF authentication to fail, which affects deliverability, and some ESP's automatically ignore it. Flattening SPF records is generally advised and monitoring the number of DNS lookups with various tools is also good practice.

Key findings

  • Code Handling: MXToolbox might not handle certain SPF lookup codes correctly.
  • Tool Sensitivity: MXToolbox is known to be more sensitive than other tools and might identify potential issues other tools do not.
  • 10 Lookup Limit: SPF records are limited to 10 DNS lookups; exceeding this results in a 'permerror'.
  • Include Impact: The 'include' mechanism increases the DNS lookup count and can lead to exceeding the limit.
  • Configuration Variation: Tools can evaluate differently due to setup.
  • Caching/Propagation: DNS propagation and caching may lead to inconsistent results between tools.
  • ESP Behaviour: Some ESP's will ignore any SPF check result that goes over the limit.

Key considerations

  • Check Lookups: Use DNS tools to see the count of DNS lookups.
  • Simplify SPF: Reduce 'include' mechanisms.
  • Tool Awareness: Be aware of tool variations.
  • Minimize DNS lookups: Aim to use IP addresses rather than domain names.
  • Flatten SPF: Consider flattening your SPF records

What email marketers say
8Marketer opinions

MXToolbox may report an SPF record as "too think" due to its sensitivity to the 10 DNS lookup limit, differences in tool configuration, testing methodologies, DNS propagation delays, or caching mechanisms. Complex SPF records with multiple includes can easily exceed the limit, while other tools may not be as thorough or updated, leading to inconsistencies in SPF validation. Some ESP's will automatically ignore SPF records that go over the limit, so flattening SPF records to be less than 10 lookups is a very important task.

Key opinions

  • 10 Lookup Limit: SPF records are limited to 10 DNS lookups, and exceeding this limit can cause errors.
  • Tool Sensitivity: MXToolbox is often more sensitive to SPF complexities and may report issues that other tools miss.
  • Include Impact: The 'include' mechanism adds to the DNS lookup count, potentially exceeding the limit.
  • Configuration Variation: Different tools have variations in their configuration, testing methodologies, and caching mechanisms which may lead to different evaluations.
  • Propagation Delays: DNS propagation delays may cause discrepancies between tools, with some having updated information and others not.
  • ESP Behaviour: Some ESP's will ignore any SPF check result that goes over the limit.

Key considerations

  • Flatten SPF Records: Simplify complex SPF records to reduce the number of DNS lookups.
  • Monitor SPF Lookups: Regularly check your SPF record with multiple tools to ensure it stays within the 10 lookup limit.
  • IP Addresses vs. Domains: Use IP addresses instead of domain names where possible to minimize DNS lookups.
  • Tool Selection: Be aware that different tools provide different results, so evaluate your SPF record with multiple tools.
  • DNS Propagation: Account for DNS propagation delays when making changes to your SPF record.
Marketer view

Email marketer from StackOverflow explains that when an SPF record uses `include:` to reference another domain's SPF record, all the lookups required by that included record also count towards the original domain's 10-lookup limit. This can lead to exceeding the limit more easily.

October 2021 - StackOverflow
Marketer view

Email marketer from WebHostingTalk Forum discusses that discrepancies in SPF results can be caused by DNS propagation delays, where some tools have updated information and others do not. They also point out the 10-lookup limit.

March 2023 - WebHostingTalk Forum
Marketer view

Email marketer from EmailOnAcid explains that complex SPF records with multiple includes and lookups can easily exceed the 10 DNS lookup limit. They advise simplifying the record by using IP addresses instead of domain names where possible.

October 2021 - EmailOnAcid
Marketer view

Email marketer from EasyDMARC explains that different tools might evaluate SPF records differently due to variations in their configuration and testing methodologies. They highlight that MXToolbox is known to be very sensitive and thus may provide different outputs compared to other tools. Some tools may also cache results.

April 2022 - EasyDMARC
Marketer view

Email marketer from DKIMValidator.com shares that SPF records are limited to 10 DNS lookups. If this limit is exceeded, the SPF check will return a 'permerror'. They recommend flattening SPF records to avoid this issue.

February 2023 - DKIMValidator.com
Marketer view

Email marketer from Reddit user /u/mail-guy shares that some tools may follow redirects/includes further than others, leading to different lookup counts. MXToolbox might be more thorough.

August 2022 - Reddit
Marketer view

Email marketer from GlockApps details how to check your SPF to make sure it doesn't go over the limit. It has to be done as some ESP's will automatically ignore any SPF check result that goes over the limit.

March 2022 - GlockApps
Marketer view

Email marketer from Mailhardener shares that differences in tool configuration, DNS resolution, and caching mechanisms can cause inconsistent results in SPF validation.

April 2024 - Mailhardener

What the experts say
3Expert opinions

MXToolbox may report SPF errors due to its inability to handle certain SPF lookup codes like `exists:%{i}._spf.mta.salesforce.com`. While new code is in development to address this, the existing tool may produce false positives. A PermError can occur if your SPF record exceeds the 10 DNS lookup limit, often due to excessive 'include:' statements. Therefore, MXToolbox can be more strict and highlights potential issues that are worth investigating but may not always be accurate.

Key opinions

  • Code Handling: MXToolbox's current code doesn't handle `exists:%{i}._spf.mta.salesforce.com` lookups correctly, leading to false positives.
  • Development Update: New code is being developed to improve SPF validation accuracy.
  • 10 Lookup Limit: Exceeding the 10 DNS lookup limit in SPF records results in a PermError.
  • Include Statements: Excessive 'include:' statements contribute to exceeding the lookup limit.

Key considerations

  • Check DNS Lookups: Use the DNS tab in MXToolbox (or other tools) to examine the number of DNS lookups your SPF record is performing.
  • Simplify SPF Records: Reduce the number of 'include:' statements and other mechanisms that require DNS lookups to stay within the 10 lookup limit.
  • Monitor for Updates: Be aware that MXToolbox's SPF validation tool is being updated, so results may change in the future.
  • False Positives: Consider the possibility of false positives due to the tool's limitations, especially if using certain SPF lookup codes.
Expert view

Expert from Word to the Wise explains that exceeding the 10 DNS lookup limit will result in an SPF PermError, meaning a permanent error. This can occur if your SPF record has too many 'include:' statements or other mechanisms that require DNS lookups.

November 2023 - Word to the Wise
Expert view

Expert from Email Geeks shares that there is new code in the pipeline to validate SPF correctly, but it’s not yet live on the web tool.

September 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that one of the SPF lookups has exists:%{i}._<http://spf.mta.salesforce.com|spf.mta.salesforce.com> -all and that code doesn’t handle exists: well. She suggests using the DNS tab to see all the lookups and believes MXToolbox is probably right in this case.

September 2023 - Email Geeks

What the documentation says
5Technical articles

SPF implementations adhere to a strict 10 DNS lookup limit per check as defined by RFC specifications. Exceeding this limit, often due to excessive use of the 'include' mechanism, results in a 'permerror' and causes SPF authentication to fail, potentially impacting email deliverability. Microsoft recommends flattening SPF records when this limit is exceeded.

Key findings

  • 10 Lookup Limit: SPF records are limited to 10 DNS lookups, as per RFC specifications.
  • PermError: Exceeding the 10 lookup limit results in a 'permerror', causing SPF authentication to fail.
  • Include Mechanism: The 'include' mechanism contributes to the total DNS lookup count, potentially exceeding the limit.
  • Flatten SPF: Microsoft recommends flattening SPF records when this limit is exceeded.

Key considerations

  • Limit DNS Lookups: Ensure your SPF record stays within the 10 DNS lookup limit.
  • Minimize Includes: Reduce the use of 'include' mechanisms to minimize DNS lookups.
  • Flatten Records: Consider flattening your SPF record to reduce DNS lookups.
  • Monitor SPF: Regularly monitor your SPF record to ensure it is valid and not exceeding the lookup limit.
Technical article

Documentation from OpenSPF.org details that the 'include' mechanism in SPF records counts towards the 10 DNS lookup limit. Excessive use of 'include' can lead to exceeding this limit.

March 2023 - OpenSPF.org
Technical article

Documentation from AuthSMTP describes that exceeding the SPF lookup limit will cause messages to fail SPF authentication. This will cause the SPF check to return a 'permerror'.

January 2023 - AuthSMTP
Technical article

Documentation from RFC Editor explains that SPF implementations have a limit of 10 DNS lookups per SPF check. Exceeding this limit can cause SPF records to fail, even if syntactically correct.

March 2025 - RFC Editor
Technical article

Documentation from Microsoft explains about SPF and its limitation of 10 includes. If it goes over this, then you need to look at using a flattened SPF record.

March 2024 - Microsoft
Technical article

Documentation from Google clarifies that SPF records that require more than 10 DNS lookups will result in a 'permerror' and may cause deliverability issues. They suggest streamlining SPF records to stay within the limit.

May 2021 - Google

Related resources
3Resources

DMARC Policy help to understand - Collaboration - Spiceworks ...
DMARC Policy help to understand - Collaboration - Spiceworks ...

I have SPF and DKIM setup. I have had dmarc p=none for a few months now. We use Office 365 for mail. My inbox is full of reports from noreply@dmarc.yahoo.com dmarc@spamtitan.com noreply-dmarc-support.google.com… I have thousands of these now. Question. What are these emails telling me? I know I somehow have to give some of these the green light and then I can change policy to reject/quarantine. I am not sure on what am I am doing next. cheers @darren

Spiceworks Community
Emails Getting Caught In SPAM - O365 - Email - Spiceworks ...
Emails Getting Caught In SPAM - O365 - Email - Spiceworks ...

Over the past few weeks we have noticed a large spike in emails getting caught in inbound and outbound Office 365 SPAM filter. Has something recently changed with Microsoft starting around Feb 2024 that would trigger such a spike in captures? Previous email address that were not an issue and have been corresponding for years are all of a sudden caught. I have checked our SPF and DMARK record and all look good. I have checked all blacklists for our domain and all are green.

Spiceworks Community
550 Message rejected because SPF check failed - Collaboration ...
550 Message rejected because SPF check failed - Collaboration ...

I have one company who is trying to email us and they keep getting this error when they send us a email. Any help would be appreciated! 550 Message rejected because SPF check failed

Spiceworks Community

Related questions