
What is the consequence of SPF error 'Too many lookups'? [Resolved]

I am adding a domain (xero.com) to our existing SPF record, to allow marketing emails to be sent from an external system and appear as if they are from us.

The SPF record for xero.com is large and including it would take our own SPF record over the 10 lookup limit, resulting in the error "Permanent Error: Too many DNS lookup".

This is unfortunate, but what effect if any does this error actually have (for both hard and soft fail)? Will it prevent any mail being sent, or allow all, or just ignore this included domain?

In addition to this, we advise some of our clients to include our domain in their SPF records so we can send mail on their behalf.

Could increasing the included domains on our SPF record have a negative impact on theirs?

Conversely, if I get round this problem by setting our SPF record to v=spf1 +all to allow everything, could this also have an undesired effect for our clients that might use our domain in their SPF record?


Question Credit: userSteve
Asked August 18, 2019
Posted Under: Network
3 Answers

Stop that right now! :)

1) never give customers your SPF record for your marketing; always use a subdomain.

_spf.example.com, for example, are IP ranges you control and provide to customers.

2) limit your exposure or remove SPF entirely. +all (in practice is likely ignored) says you authenticated all IP ranges, whereas ?all is much safer.

3) marketing systems don't need your business email domain. If you're going to have multiple marketing backends you should have multiple subdomains. Typically they (ESPs) push for this, sg.example.com for sendgrid, mg.example.com for mailgun, etc...

4) remove redundant lookups; a and mx are likely addresses you know.


credit: Jacob Evans
Answered August 18, 2019

The SPF specification requires that the number of mechanisms and modifiers that do DNS lookups must not exceed 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. Otherwise, an SPF PermError, more specifically "SPF PermError: too many DNS lookups", is returned.

The "SPF PermError: too many DNS lookups" issue is interpreted by DMARC as fail. Therefore, when your SPF record falls foul of this limit, and DKIM also fails, your emails will fail DMARC authentication, which means your emails are not properly authenticated and might not reach the inbox.

I've created a blog post on this topic: SPF PermError: too many DNS lookups


credit: Gangcai Lin
Answered August 18, 2019
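
The lookup limit described in the answer above, and the effect of replacing a and mx with known addresses suggested in the first answer, can be checked before a record is published. The following is an added example, not code from either answer: it counts the worst case (no mechanism matches early) over a constructed in-memory zone, and all domain names, IP ranges and function names in it are assumptions.

```python
import re

LOOKUP_LIMIT = 10
# Terms that cost a DNS query (RFC 7208 section 4.6.4); ip4, ip6 and all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?(?:/.*)?$", re.I)

# Constructed TXT records standing in for live DNS; every name is a placeholder.
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.example.com include:esp.example.net ~all",
    "_spf.example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "esp.example.net": "v=spf1 "
    + " ".join(f"include:p{i}.example.net" for i in range(1, 9)) + " ~all",
    **{f"p{i}.example.net": f"v=spf1 ip4:203.0.113.{i} -all" for i in range(1, 9)},
    # A record with a/mx replaced by a known address and only one include.
    "mail.example.com": "v=spf1 ip4:192.0.2.10 include:_spf.example.com ~all",
}


class PermError(Exception):
    """Raised for conditions an SPF evaluator reports as permerror."""


def count_lookups(domain, zone=ZONE, seen=()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    if domain in seen:
        raise PermError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise PermError(f"no SPF record at {domain}")  # simplification for includes
    total = 0
    for term in record.split()[1:]:
        match = TERM.match(term)
        name = match.group(1).lower() if match else ""
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in {"include", "redirect"}:
            total += count_lookups(match.group(2), zone, seen + (domain,))
    return total


def spf_lookup_status(domain, zone=ZONE):
    """Return ('permerror' or 'ok', lookup count) for the record at domain."""
    count = count_lookups(domain, zone)
    return ("permerror" if count > LOOKUP_LIMIT else "ok", count)


if __name__ == "__main__":
    for name in ("example.com", "mail.example.com"):
        print(name, spf_lookup_status(name))
```

Nested includes count against the including domain's budget, so a client that includes a record like the first one inherits all of its lookups.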