SPF Permerror - SPF Too Many DNS Lookups | EasyDMARC

Troubleshooting SPF Permerror – SPF Too Many DNS Lookups


“SPF PermError,” caused by too many DNS lookups during an SPF check, is one of the most common errors seen in Sender Policy Framework (SPF) deployments. When evaluating an SPF record requires more than 10 DNS lookups, the receiver returns a “PermError” (permanent error), which can reduce email deliverability because receiving mail servers may reject your message.

What Does the “SPF Too Many DNS Lookups” SPF Permerror Mean?

An SPF PermError increases the likelihood of emails being marked as spam. Since Domain-based Message Authentication, Reporting, and Conformance (DMARC) interprets an SPF PermError as a FAIL, email receivers may view such emails as less trustworthy. To reduce this risk, it is strongly recommended to keep the DNS-querying mechanisms and modifiers in your SPF record within the limit of 10.

EasyDMARC’s SPF record lookup tool can be used to check records for your domain.

Why Is There an SPF Lookup Limit?

The SPF lookup limit of 10 exists to protect receivers against abuse such as Distributed Denial-of-Service (DDoS) attacks and spoofing attempts. It caps the work a receiver must do per message, since every DNS lookup consumes bandwidth, CPU, and memory. Limiting lookups prevents these resources from being overloaded, which would otherwise leave receivers more exposed to bad actors.

How Do I Fix “SPF Too Many DNS Lookups”?

When creating an SPF record, here are some common practices that allow you to stay within the 10 DNS lookup limit:

1. Remove Unnecessary “Include” Statements

An “include” statement redirects the SPF check to another domain’s SPF record so that all of that domain’s approved IPs are checked as well. Each “include” costs one DNS lookup, and the limit of 10 applies to the original record together with every record it pulls in, including “include” statements nested inside those records.

One way to fix the “too many DNS lookups” issue is to make sure that each “include” statement in your SPF record is actually required and cannot be replaced by a mechanism that does not count against the limit. Removing unnecessary “include” statements is the simplest way past the “too many included lookups” SPF PermError.

The “all,” “ip4,” and “ip6” mechanisms, as well as the “exp” modifier, do not perform DNS queries during SPF evaluation (the “exp” modifier performs its lookup only after evaluation has produced a result), so they are exempt from the 10 DNS lookup limit. Using these instead of DNS-querying mechanisms therefore helps you stay below the maximum number of SPF record lookups.

Example

The record in the image below is broken: its total number of DNS-querying mechanisms and modifiers exceeds the limit and must be reduced to fix the “SPF too many lookups” problem.

[Image: SPF record with 16 DNS lookups]

To bring the record back within the limit, delete the unnecessary “include” statements:

[Image: SPF record with the “too many DNS lookups” error fixed]

Don’t forget to use our SPF record checker tool to search for the existence of multiple SPF records in DNS, which can result in a permanent error.

2. Use ip4 and ip6 Methods

Another method of fixing the “SPF permerror” is to use the ip4 or ip6 mechanism instead of an “include” statement. In your SPF record, the ip4 and ip6 mechanisms list a static set of IP addresses or ranges directly, so they need no DNS lookup.

Example

Here’s an SPF record with “include” statements:

[Image: SPF record with 13 DNS lookups]

In contrast, the SPF record in the image below lists several static IP ranges instead. Replacing the “include” statements with ip4 mechanisms reduces the total by 3, from 13 lookups to 10.

[Image: SPF record with the 13 DNS lookups issue fixed]

If you have several “include” statements in your SPF record, this substitution will help you minimize the number of DNS lookups.

3. Remove Mechanisms Belonging to the Same Domain

Suppose an SPF record refers to both the baddomain.com and yourdomain.com domains.

The record for baddomain.com, however, already contains an “include” statement for yourdomain.net. The include:spf.yourdomain.net mechanism is therefore redundant and should be removed, together with the lookups it costs.

4. Delete All “ptr” Mechanisms

The “ptr” mechanism relies on PTR (reverse DNS) records, which map an IP address back to a domain or hostname. The SPF specification advises against using the “ptr” mechanism in an SPF record because validating it can trigger a large number of DNS lookups, pushing the record past the limit of 10.

5. Remove Any Invalid or Unused Domain References

Delete any “include” statements that guide the SPF check to a domain that is no longer sending emails on your behalf, such as partner or vendor domains.

Also verify that every domain referenced in your SPF record still publishes an active SPF record. Any that no longer do should be removed, which reduces DNS lookups.

6. Use an SPF Record That Has Been Flattened

Regardless of how many improvements you make to the SPF record, you may still be unable to meet the 10 DNS lookup limit. In that case, a flattened record is the usual workaround: flattening brings the number of DNS-querying mechanisms/modifiers down to 1, the query for the record itself.

The “SPF record flattening” procedure is as follows:

  • Get the IP addresses for each of the DNS-querying mechanisms/modifiers used in the record by querying the DNS.
  • Replace the original mechanism/modifier with the IP addresses.

The total number of DNS lookups decreases by one each time a mechanism or modifier is replaced. Once all of them have been replaced, the total drops to one, since only the primary SPF record itself still needs a DNS query.
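The lookup-counting rule from sections 1 and 2, the multiple-record check mentioned under section 1, and the flattening procedure just described, as one added worked example. This is illustrative code written for this article, not EasyDMARC’s checker or EasySPF. It assumes a constructed in-memory DNS table in place of live queries (the domain names and documentation-range addresses in DNS are hypothetical), counts only the terms RFC 7208 charges against the limit (include, a, mx, ptr, exists, redirect), and reports 0 for the flattened record because it does not count the initial fetch of the record itself, which the text above counts as the one remaining lookup.

```python
# Count the DNS-querying terms in an SPF record and flatten it, against a constructed in-memory
# DNS table so that it runs offline (illustrative code, not EasyDMARC's checker or EasySPF).

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4, ip6, all and exp do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

class SpfPermError(Exception):
    """Conditions an SPF verifier reports as PermError."""

# Constructed zones: hypothetical names and documentation-range addresses, not real DNS data.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 include:_spf.mailvendor.example include:crm.example a mx ip4:203.0.113.0/24 -all"],
        "A": ["203.0.113.10"],
        "MX": ["mx1.example.com", "mx2.example.com"],
    },
    "mx1.example.com": {"A": ["203.0.113.20"]},
    "mx2.example.com": {"A": ["203.0.113.21"]},
    "_spf.mailvendor.example": {"TXT": ["v=spf1 include:a.mailvendor.example include:b.mailvendor.example ~all"]},
    "a.mailvendor.example": {"TXT": ["v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:1::/48 ~all"]},
    "b.mailvendor.example": {"TXT": ["v=spf1 a mx ~all"], "A": ["198.51.100.200"], "MX": ["mail.b.mailvendor.example"]},
    "mail.b.mailvendor.example": {"A": ["198.51.100.201"]},
    "crm.example": {"TXT": ["v=spf1 include:_spf.mailvendor.example ip4:192.0.2.0/24 ~all"]},
    "two.example": {"TXT": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"]},  # two SPF records: PermError
}

def spf_record(domain, dns=DNS):
    """The single v=spf1 TXT record for domain; zero or several records is a PermError."""
    records = [t for t in dns.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    if len(records) != 1:
        raise SpfPermError(f"{domain}: expected exactly one v=spf1 record, found {len(records)}")
    return records[0]

def split_term(term):
    """'include:x' -> ('include', 'x'); 'redirect=x' -> ('redirect', 'x'); '-all' -> ('all', None)."""
    term = term.lstrip("+-~?")
    for sep in (":", "="):
        if sep in term:
            name, _, arg = term.partition(sep)
            return name.lower(), arg
    return term.lower(), None

def walk(domain, dns=DNS, depth=0):
    """Yield (term, name, arg, owner, depth) for every term reachable from domain's record."""
    if depth > LOOKUP_LIMIT:
        raise SpfPermError(f"{domain}: include/redirect nesting too deep (loop?)")
    for term in spf_record(domain, dns).split()[1:]:
        name, arg = split_term(term)
        yield term, name, arg, domain, depth
        if name in ("include", "redirect"):
            yield from walk(arg, dns, depth + 1)

def count_lookups(domain, dns=DNS):
    """Number of DNS-querying terms reached from domain's record; this is what the limit applies to."""
    return sum(1 for _, name, _, _, _ in walk(domain, dns) if name in LOOKUP_TERMS)

def diagnose(domain, dns=DNS):
    """One-line verdict of the kind an SPF lookup checker prints."""
    try:
        n = count_lookups(domain, dns)
    except SpfPermError as err:
        return f"PermError: {err}"
    if n > LOOKUP_LIMIT:
        return f"PermError: {domain} needs {n} DNS lookups, limit is {LOOKUP_LIMIT}"
    return f"{domain}: {n} DNS lookups, within the limit"

def flatten(domain, dns=DNS):
    """domain's record with every DNS-querying term replaced by the addresses it resolves to."""
    ips, top_all = {}, []  # dict used as an ordered set so duplicates from shared includes collapse
    for term, name, arg, owner, depth in walk(domain, dns):
        if name in ("ip4", "ip6"):
            ips[term] = None
        elif name in ("a", "mx"):
            host = (arg or owner).split("/")[0]  # bare 'a'/'mx' means the record's own domain
            hosts = [host] if name == "a" else dns.get(host, {}).get("MX", [])
            ips.update(("ip4:" + ip, None) for h in hosts for ip in dns.get(h, {}).get("A", []))
        elif name == "all" and depth == 0:
            top_all = [term]  # only the record's own 'all' applies; included ones are dropped
        elif name in ("include", "redirect", "all", "exp"):
            continue
        else:
            raise SpfPermError(f"cannot flatten '{term}': remove ptr/exists terms first")
    return " ".join(["v=spf1", *ips, *top_all])

def flatten_and_recount(domain, dns=DNS):
    """Flatten, install the result as domain's only record in a copy of the table, and recount."""
    flat = flatten(domain, dns)
    patched = {**dns, domain: {**dns[domain], "TXT": [flat]}}
    return flat, count_lookups(domain, patched)

if __name__ == "__main__":
    print(diagnose("example.com"))
    print(diagnose("two.example"))
    flat, n = flatten_and_recount("example.com")
    print(flat, f"({n} DNS-querying terms left)", sep="\n")
</test>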

[Image: SPF flattening]

The advantage of the SPF flattening technique is that you can convert a very complex SPF record with over 10 DNS lookups into a plain list of IP addresses while remaining secure.

The disadvantage, however, is that a flattened SPF record falls out of sync with the upstream IP addresses: if a provider changes its addresses, the flattened record no longer matches and SPF authentication produces incorrect results. You therefore have to monitor those IP addresses and update your SPF record manually on a regular basis.

If your SPF record still exceeds the limit after you have optimized it with the tips above, we suggest using a flattened record as a last resort to fix the SPF PermError.

An alternative to SPF Flattening is EasyDMARC’s EasySPF tool, which dynamically manages SPF lookups, ultimately solving the “Too many DNS lookups” issue. EasySPF enables you to automatically authorize your email-sending sources, resolving the SPF “Too Many DNS Lookups” issue causing “SPF Permerror.” With a single include in your record, you can add, delete, and upgrade a large number of email service providers without the limitation of the SPF 10 DNS lookups.

Conclusion

In conclusion, addressing SPF Permerror caused by excessive DNS lookups is crucial for maintaining email deliverability and security. By implementing the strategies outlined above, you can optimize your SPF record and avoid the “Too Many DNS Lookups” issue. For expert assistance in resolving complex SPF configurations, EasyDMARC’s experienced engineers can help streamline your email authentication process and ensure optimal deliverability. Contact us today.
