SPF Permerror – SPF Too Many DNS Lookups
An SPF PermError caused by too many DNS lookups is one of the most common problems with Sender Policy Framework records. RFC 7208 allows at most 10 DNS-querying mechanisms and modifiers per SPF check; when evaluating a record needs more than that, the receiver returns a “PermError” (permanent error), and the result is reduced email deliverability.
What does the “SPF Too many DNS lookups” error mean?
DMARC treats an SPF PermError as an SPF failure, so a message whose DKIM signature also fails or is not aligned fails DMARC outright, which raises the chance the receiver marks your email as “junk”. It is therefore strongly advised to keep the number of DNS-querying mechanisms and modifiers in your SPF record, counted across every included and redirected record, at or below 10.
EasyDMARC’s SPF record lookup tool can be used to check SPF records for your domain.
Why is there a limit to SPF DNS record Lookups?
RFC 7208 (section 4.6.4) imposes the 10-lookup limit to keep SPF evaluation from placing an unreasonable load on DNS, and in particular to stop an attacker from turning other people's SPF checks into a denial-of-service amplifier. The example below illustrates the attack.
Suppose a malicious actor publishes an SPF record for a domain they control, “baddomain.com”, that references another domain, “yourdomain.com”, many times over (for example through repeated “include” mechanisms or a deep chain of includes).
They then send a large number of emails from “baddomain.com” addresses to mailboxes at many email service providers (ESPs) that check SPF. To validate the sender's record, each ESP has to query the DNS records of “yourdomain.com”.
Every incoming message thus turns into several DNS queries against yourdomain.com's name servers, issued from many ESPs at once: the traffic is amplified, and yourdomain.com's DNS becomes the target of a distributed denial-of-service attack.
The real source of the attack is hidden behind the ESPs performing the checks, so the attacker is abusing email authentication itself. Capping the number of DNS lookups an ESP performs per check bounds this amplification.
How do I fix “SPF too many DNS lookups”?
When creating an SPF record, the following are common practices that allow you to stay within the 10 DNS lookup limit:
1. Remove unnecessary “include” statements
An “include” statement tells the receiver to fetch another domain's SPF record and evaluate it as part of yours. Each “include” counts as one lookup, and every DNS-querying mechanism or modifier inside the included record (including its own nested includes and redirects) adds to the same running total. The limit of 10 applies to that total for the whole evaluation, not to each record separately.
Make sure each “include” statement in your SPF record is actually required and cannot be replaced with a mechanism that does not count against the limit.
The “all”, “ip4” and “ip6” mechanisms perform no DNS queries and do not count toward the limit. The “exp” modifier is also exempt, because its lookup (to fetch the explanation string) happens only after the SPF result has already been determined. The terms that do count are the “include”, “a”, “mx”, “ptr” and “exists” mechanisms and the “redirect” modifier.
A record whose evaluation needs more than 10 lookups is broken, and the number of DNS-querying mechanisms and modifiers must be reduced to fix it.
After the unnecessary “include” statements are deleted, a lookup of the record comes back within the limit.
At that point your SPF record is in good shape.
Don’t forget to use our SPF record checker tool to check for multiple SPF records on the same domain, which also results in a PermError.
2. Use the ip4 and ip6 mechanisms
Where possible, use the ip4 or ip6 mechanism instead of an “include” statement. The ip4 and ip6 mechanisms list a static set of IP addresses or CIDR ranges directly in your record and cost no lookups.
Consider an SPF record whose “include” statement points at a sender that uses a fixed set of IP ranges.
Because the included record resolves to static IP ranges, the “include” statement can be replaced with ip4 mechanisms listing those ranges. In this example that cuts the total by 3, from 13 lookups to 10.
If you have several “include” statements in your SPF record, this substitution can reduce the number of DNS lookups considerably. Only do it for senders whose addresses really are static: if the provider changes its ranges, a hard-coded list silently falls out of date.
3. Remove mechanisms that another included record already covers
Suppose this SPF record references both baddomain.com and spf.yourdomain.net.
The SPF record for baddomain.com, however, already contains an “include” statement for spf.yourdomain.net. Since the nested include is evaluated anyway, the direct include:spf.yourdomain.net mechanism is redundant and should be removed, saving a lookup.
4. Delete all “ptr” mechanisms
The “ptr” mechanism authorizes a sender by reverse-resolving its IP address (a PTR lookup) and then forward-resolving the returned hostnames to confirm they point back to that address. RFC 7208 says the mechanism SHOULD NOT be used: it is slow, it depends on reverse DNS that the domain owner does not control, and it triggers several DNS queries per check while counting against the limit of 10.
Remove any invalid or unused domain references.
Delete any “include” statements that point the SPF check at a domain that no longer sends email on your behalf, such as a former partner or vendor.
Also confirm that every domain referenced in your record still publishes an SPF record. A reference that resolves to nothing is a “void lookup”, and RFC 7208 permits at most 2 of those per check, on top of the limit of 10, before returning a PermError; stale references should be removed to recover lookups.
5. Use an SPF record that has been flattened
Even after all of the improvements above, you may still be unable to meet the 10 DNS lookup limit. A flattened SPF record is the usual workaround: it reduces the number of DNS-querying mechanisms and modifiers in your record to zero, leaving only the single TXT query for the record itself, which does not count against the limit.
The “SPF record flattening” procedure is as follows:
- Query the DNS to get the IP addresses behind each DNS-querying mechanism or modifier in the record, following includes and redirects all the way down and resolving “a” and “mx” mechanisms to addresses.
- Replace each such mechanism or modifier with ip4 and ip6 entries for those addresses.
The total lookup count decreases by at least one for every mechanism or modifier replaced. Once all of them are gone, the count drops to zero: the only remaining DNS query is the one that fetches the top-level SPF record, and that query is not a counted term.
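The lookup-counting rules under tip 1 and the flattening procedure just described, as an added worked example (not EasyDMARC's code, not from any SPF library, and not the records from the screenshots): a Python script that parses SPF records, counts DNS-querying terms across includes and redirects the way a receiver does, flags both RFC 7208 limits, and flattens a record into ip4/ip6 entries with overlapping ranges merged. Every domain name, IP range and DNS answer in it is constructed and served from in-memory dictionaries, so it runs offline; a real tool would resolve TXT, A/AAAA and MX records through DNS instead.

```python
"""Added example, not EasyDMARC's code: SPF lookup counting and flattening over a constructed zone."""
import ipaddress
# Constructed TXT answers (names and addresses are made up): the SPF record each domain publishes.
ZONE = {
    "example.com": ("v=spf1 include:spf.mailer-a.example include:spf.mailer-b.example"
                    " include:spf.crm.example mx ip4:203.0.113.10 -all"),
    "spf.mailer-a.example": ("v=spf1 ip4:198.51.100.0/24 include:_spf1.mailer-a.example"
                             " include:_spf2.mailer-a.example ~all"),
    "_spf1.mailer-a.example": "v=spf1 ip4:198.51.100.0/25 a:out.mailer-a.example -all",
    "_spf2.mailer-a.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "spf.mailer-b.example": "v=spf1 redirect=_spf.mailer-b.example",
    "_spf.mailer-b.example": "v=spf1 ip6:2001:db8::/32 -all",
    "spf.crm.example": "v=spf1 include:_spf.crm.example include:_spf2.crm.example -all",
    "_spf.crm.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf2.crm.example": "v=spf1 ip4:192.0.2.0/26 a:mail.crm.example -all",
}
# Constructed A/AAAA and MX answers used when resolving "a" and "mx" mechanisms.
HOSTS = {"mx1.example.com": ["203.0.113.20", "2001:db8:1::20"],
         "out.mailer-a.example": ["198.51.100.200"], "mail.crm.example": ["192.0.2.77"]}
MX = {"example.com": ["mx1.example.com"]}
# RFC 7208 section 4.6.4: these terms cost a DNS lookup; ip4, ip6, all and exp do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MAX_VOID_LOOKUPS = 2  # lookups that return no record; a separate limit in the same section

def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) tuples, dropping "v=spf1"."""
    terms = []
    for token in record.split()[1:]:
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        sep = "=" if "=" in token else ":"  # "=" marks a modifier, ":" a mechanism argument
        name, _, arg = token.partition(sep)
        terms.append((qualifier, name.lower(), arg or None))
    return terms

def count_lookups(domain, zone=ZONE):
    """Return (lookups, void_lookups) for evaluating `domain`. The TXT fetch of the
    record itself is not counted; include/redirect add their target's lookups to the total."""
    record = zone.get(domain)
    if record is None:
        return 0, 1  # void lookup: the referenced domain publishes no SPF record
    lookups = void = 0
    for _, name, arg in parse_terms(record):
        if name not in LOOKUP_TERMS:
            continue
        lookups += 1
        if name in ("include", "redirect"):
            sub, sub_void = count_lookups(arg, zone)
            lookups, void = lookups + sub, void + sub_void
    return lookups, void

def check(domain, zone=ZONE):
    """Classify a record on lookup counts alone, as a receiver's SPF check would."""
    lookups, void = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        return f"permerror: {lookups} DNS lookups (limit {MAX_LOOKUPS})"
    if void > MAX_VOID_LOOKUPS:
        return f"permerror: {void} void lookups (limit {MAX_VOID_LOOKUPS})"
    return f"ok: {lookups} DNS lookups"

def _authorized(domain, zone, hosts, mx):
    """Yield every network a record authorizes, following include/redirect and resolving
    a/mx offline. Only "+" terms authorize; ptr/exists depend on the sender and are skipped."""
    for qual, name, arg in parse_terms(zone.get(domain, "v=spf1")):
        if qual != "+":
            continue
        if name in ("ip4", "ip6"):
            yield ipaddress.ip_network(arg, strict=False)
        elif name in ("include", "redirect"):
            yield from _authorized(arg, zone, hosts, mx)
        elif name == "a":
            for addr in hosts.get(arg or domain, []):
                yield ipaddress.ip_network(addr)
        elif name == "mx":
            for host in mx.get(arg or domain, []):
                for addr in hosts.get(host, []):
                    yield ipaddress.ip_network(addr)

def final_all(domain, zone=ZONE):
    """The qualifier+all ending the record, taken from the redirect target if it redirects."""
    for qual, name, arg in parse_terms(zone.get(domain, "v=spf1")):
        if name == "all":
            return f"{qual}all"
        if name == "redirect":
            return final_all(arg, zone)
    return "?all"  # no all and no redirect: SPF's default result is neutral

def flatten(domain, zone=ZONE, hosts=HOSTS, mx=MX):
    """Rewrite a record as a static ip4/ip6 list with zero counted lookups, merging overlaps."""
    nets = list(_authorized(domain, zone, hosts, mx))
    terms = []
    for version in (4, 6):
        for net in ipaddress.collapse_addresses(n for n in nets if n.version == version):
            single = net.prefixlen == net.max_prefixlen
            terms.append(f"ip{version}:{net.network_address if single else net}")
    return " ".join(["v=spf1", *terms, final_all(domain, zone)])

if __name__ == "__main__":
    print(check("example.com"))  # permerror: 11 DNS lookups (limit 10)
    flat = flatten("example.com")
    print(flat, "->", check("example.com", {**ZONE, "example.com": flat}))
```

Run as a script, it reports the constructed example.com record as a PermError with 11 lookups (three include chains, a redirect, two “a” mechanisms and an “mx”), prints the flattened record, and re-checks it at 0 lookups. Note what the flattener cannot do: “ptr” and “exists” depend on the sending IP at check time and are dropped, and the output is a snapshot that has to be regenerated whenever a provider's addresses change.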
The advantage of flattening is that even a very complex record with well over 10 DNS lookups can be converted into a plain list of IP addresses that receivers evaluate without any extra queries, and a static list authorizes exactly the same senders as the includes it replaces.
The disadvantage is that a flattened record is a snapshot: when a provider changes its IP addresses, your record silently falls out of sync and mail from the new addresses fails SPF. You therefore have to monitor the providers' records and update the flattened list on an ongoing basis. Flattened records also tend to be long; RFC 7208 recommends keeping a record small enough that the DNS response fits in 512 octets, and any TXT string longer than 255 characters must be split into multiple strings.
If you still don't have a valid SPF record after applying the tips above, we suggest a flattened record as a last resort.
An alternative to SPF flattening is EasyDMARC’s EasySPF tool, which manages SPF lookups dynamically and so removes the “Too many DNS lookups” PermError. EasySPF lets you authorize your email sending sources automatically, and you can add, delete and update a large number of email service providers behind a single include in your SPF record without running into the 10 DNS lookup limit.