2

SPF allows up to 10 DNS calls. We use multiple email providers and overall get 13 DNS calls for SPF.

The solutions I've found so far:

  1. Manually collecting and "inlining" the IP addresses to reduce DNS lookups. Unfortunately this makes the entry static and will not be up-to-date when providers update their SPF records.

  2. Creating subdomains for one/few of the SPF providers - won't work for business reasons.

  3. Using an "SPF proxy" - I found only spfproxy.org (now defunct?) and I'm afraid to use them because I can't find who is behind it and they don't answer emails.

What options do I have? Ideally a solution like spfproxy which I can trust would work for me but I could not find any.

Simon East
Niro
  • What spfproxy does doesn't sound very complicated, have you considered implementing the same on your own DNS server? – kasperd Sep 01 '16 at 21:18
  • I use scalr DNS servers. I don't operate them. – Niro Sep 02 '16 at 13:24
  • See also [Workarounds for maximum DNS-Interactive terms limit exceeded in SPF record?](http://serverfault.com/questions/716438/workarounds-for-maximum-dns-interactive-terms-limit-exceeded-in-spf-record) and [PermError SPF Too Many Lookups and Reduction](http://serverfault.com/questions/603797/permerror-spf-too-many-lookups-and-reduction) – Simon East Mar 19 '17 at 23:08

1 Answer

5
  1. Does your SPF use the `mx` mechanism? (e.g., `v=spf1 mx include:spf.example.com ip4:192.0.2.1 -ALL`) as the `mx` mechanism adds lookups that are almost always redundant but you can verify that. You might be able to fix your SPF by removing the `mx` mechanism.

  2. Use an SPF Minimizer to get a more efficient SPF record.

Note: could you post your SPF record here?

Neil Anuskiewicz
  • Thanks for the advice about removing mx. It reduced from 13 to 12 DNS calls. A step forward. Re SPF minimizer - I'm checking this option – Niro Sep 02 '16 at 08:58
  • The original SPF is `v=spf1 a mx include:_spf.salesforce.com include:spf.mail.intercom.io include:_spf.google.com include:spf.mandrillapp.com ~all`. Removing mx brings it down to 12. spf.mail.intercom.io can be minimized to spf1.mailgun.org and spf2.mailgun.org so I'm at 11 DNS queries. Now I'm stuck. Minimizing more causes the SPF entry to be longer than 255 characters which is also forbidden – Niro Sep 02 '16 at 11:17
  • Do you have a dedicated IP address or even range of IP addresses from which you send emails through mailgun? If so, you could move from include to ip4 and get down to 10 or fewer lookups. One more lookup!! – Neil Anuskiewicz Sep 11 '16 at 07:24
  • Niro - You're not going to leave us hanging when you're at 11 DNS queries! That's like torture for a DNS nerd like myself. Any more progress or are you throwing in the towel? – Neil Anuskiewicz Sep 17 '16 at 18:23
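
To see where a lookup budget like the one discussed in this thread goes, the following added example (not code from any poster here) counts the DNS-querying terms of an SPF record recursively, as RFC 7208 section 4.6.4 defines them. The zone is constructed sample data under placeholder `.example` names, not real provider records; it is shaped so the total is 13 and dropping `mx` gives 12, as in the comments above.

```python
import re

SPF_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records (placeholder .example names, not real provider data).
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.crm.example include:spf.chat.example "
                   "include:_spf.mail.example include:spf.bulk.example ~all",
    "_spf.crm.example": "v=spf1 exists:%{i}._spf.mta.crm.example -all",
    "spf.chat.example": "v=spf1 include:spf1.relay.example include:spf2.relay.example ~all",
    "spf1.relay.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "spf2.relay.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example "
                         "include:_nb3.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_nb2.mail.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_nb3.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.bulk.example": "v=spf1 include:ips.bulk.example ?all",
    "ips.bulk.example": "v=spf1 ip4:203.0.113.0/24 ?all",
}

def parse_terms(record):
    """Yield (name, argument) for every term after the v=spf1 tag."""
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=]([^/\s]+))?", term)
        yield m.group(1).lower(), m.group(2)

def count_lookups(domain, zone, stack=()):
    """Worst-case DNS-querying terms to evaluate domain's record, nested includes too."""
    if domain in stack:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for name, arg in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1  # ip4, ip6 and all cost nothing
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, stack + (domain,))
    return total

def breakdown(domain, zone):
    """Cost of each top-level term, showing where the budget goes."""
    return {(f"{n}:{a}" if a else n): 1 + (count_lookups(a, zone, (domain,))
            if n in ("include", "redirect") else 0)
            for n, a in parse_terms(zone[domain]) if n in LOOKUP_TERMS}

if __name__ == "__main__":
    total = count_lookups("example.com", ZONE)
    print(total, "lookups:", "PermError" if total > SPF_LIMIT else "ok", breakdown("example.com", ZONE))
```

The count is the worst case, where no mechanism matches before the end of the record. Replacing an `include` whose cost is 2 or more with `ip4` ranges removes its whole subtree from the total.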