SPF records with too many DNS lookups? Here are two possible solutions.
One of the common questions to our support nowadays concerns SPF (Sender Policy Framework) records that are too “long”. The problem is that the record requires too many DNS lookups, that is, more than 10. For security reasons the RFC imposes a lookup limit of 10 (among other things to prevent DoS attacks), but in reality many companies need more DNS lookups than that to cover everything that has to be included in their SPF record.
The first natural step is to check carefully that everything in your current SPF record is actually needed. In our experience, entries are seldom removed when an e-mail service is no longer in use.
If you conclude that nothing can be removed, there are basically two ways to go about it. Neither solution is always the obvious choice, and you will have to make a weighted decision on what best fits the organization and the situation.
1. Switch to sending some of the e-mails from a subdomain.
The first option is to send some of the e-mails from a subdomain instead of the main domain. In this way, the include can be lifted out of the existing record and entered into a new SPF record set up on the subdomain.
For example, let’s say that we at Dotkeeper use the (fictional) customer service tool ClientStarPlus. Then we could switch to sending e-mails from email@example.com instead of the regular firstname.lastname@example.org.
This way, include:mail.clientstarplus.com can be removed from the existing record on dotkeeper.com and instead added to a new SPF record set up on the subdomain support.dotkeeper.com.
Please note that this alternative requires the supplier’s (in this case ClientStarPlus) settings to be adjusted, since the address that the e-mails are sent from has changed.
2. Take IP numbers from an “include”
Plain IP addresses do not count towards your lookup limit, so you can take the IP addresses from an include and put them directly into your SPF record. The downside is that a supplier can change the content of their include. As they seldom inform you about this, it could lead to problems in the long run: mail from any addresses the supplier adds later will fail your SPF check.
Taking the ClientStarPlus example again, you then need ongoing monitoring of any changes to mail.clientstarplus.com, since you will have to apply the same changes to your own record.
In addition, it is good to know that the a and mx mechanisms also count as lookups if they appear in your SPF record. Sometimes they are added “just because”. If you have them, double-check that they are required. These can also be converted into plain IP addresses (though, of course, that is not as smooth).
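The following is an added example, not Dotkeeper's own tooling: it counts lookups the way a receiver does (RFC 7208 section 4.6.4, recursing into include and redirect) and then performs option 2, replacing one include with the ip4/ip6 terms behind it. The DNS data is a constructed in-memory table so the script runs offline; the ClientStarPlus name comes from the post, while the sub-includes, the other supplier names and all IP ranges (RFC 5737 test addresses) are made up.

```python
import re

# Constructed, offline stand-in for DNS TXT lookups (not real records). Swap
# spf_terms() for a real resolver call to check a live domain.
FAKE_TXT = {
    "dotkeeper.com": "v=spf1 a mx include:mail.clientstarplus.com include:spf.newsletter.example include:spf.crm.example -all",
    "mail.clientstarplus.com": "v=spf1 include:eu.clientstarplus.com include:us.clientstarplus.com -all",
    "eu.clientstarplus.com": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 -all",
    "us.clientstarplus.com": "v=spf1 include:us1.clientstarplus.com ip4:198.51.100.0/24 -all",
    "us1.clientstarplus.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "spf.newsletter.example": "v=spf1 include:a.newsletter.example include:b.newsletter.example -all",
    "a.newsletter.example": "v=spf1 ip4:203.0.113.0/26 -all",
    "b.newsletter.example": "v=spf1 ip4:203.0.113.64/26 -all",
    "spf.crm.example": "v=spf1 mx include:out.crm.example -all",
    "out.crm.example": "v=spf1 ip4:198.51.100.0/25 -all",
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one lookup

def spf_terms(domain, txt):
    record = txt.get(domain, "")
    return record.split()[1:] if record.startswith("v=spf1 ") else []

def mechanism(term):
    """Name without qualifier or argument: '-include:x' -> 'include', 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]

def walk(domain, txt=FAKE_TXT):
    """Yield (domain, term, mechanism) for every term a receiver evaluates,
    following include: and redirect= the way RFC 7208 evaluation does."""
    for term in spf_terms(domain, txt):
        mech = mechanism(term)
        yield domain, term, mech
        if mech in ("include", "redirect"):
            yield from walk(re.split(r"[:=]", term, maxsplit=1)[1], txt)

def count_lookups(domain, txt=FAKE_TXT):
    """Number of DNS-querying terms; receivers return permerror above 10."""
    return sum(m in LOOKUP_MECHS for _, _, m in walk(domain, txt))

def flatten_include(domain, txt=FAKE_TXT):
    """Option 2: the ip4/ip6 terms behind an include tree, plus any terms that
    still need a DNS answer and must be resolved by hand before inlining."""
    ips = [t for _, t, m in walk(domain, txt) if m in ("ip4", "ip6")]
    unresolved = [f"{d}: {t}" for d, t, m in walk(domain, txt) if m in LOOKUP_MECHS - {"include"}]
    return ips, unresolved

def flattened_record(domain, include_domain, txt=FAKE_TXT):
    """Rewrite domain's record with include:<include_domain> replaced by its IPs."""
    ips, unresolved = flatten_include(include_domain, txt)
    if unresolved:
        raise ValueError("resolve by hand first: " + ", ".join(unresolved))
    return "v=spf1 " + " ".join(" ".join(ips) if t == "include:" + include_domain else t
                                for t in spf_terms(domain, txt))
```

With the constructed data, dotkeeper.com costs 12 lookups; inlining mail.clientstarplus.com brings it to 8, while flattening spf.crm.example is refused because its mx term still needs resolving. Re-run the count whenever a supplier changes their include, which is the monitoring the post asks for.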