
It's been suggested to me that I configure SPF records for my domain and I have done so. I use G Suite for email and have MX records properly configured to send mail via G Suite. My web app sends emails via Sendgrid's API and I also use Mailchimp for marketing emails.

I believe the following is the correct TXT record:

"v=spf1 a mx include:_spf.google.com include:sendgrid.com include:servers.mcsv.net ~all"

However, I have done a few tests which tell me that record includes too many DNS lookups. What's the best course of action here?

Jayson Lane
  • 111
  • 4

2 Answers

4

As you're aware, SPF records are limited to 10 DNS lookups. If they result in more than that, the record fails with a permerror.


Here is the problem:

include:sendgrid.com

This is for Sendgrid's own internal corporate mail. It has its own large set of includes and results in quite a few DNS lookups.

This is not what you were supposed to use. Sendgrid customers are supposed to add to their SPF record:

include:sendgrid.net

Note net, not com. This should reduce your DNS lookups below 10 and get you a working (and mostly correct) SPF record.


P.S. I say mostly correct because your record ends with ~all, which should be changed to -all after you're finished testing the record. The ~all makes the entire record useless for actually stopping forged mail.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
4

First of all, if you are using Sendgrid's services, you should include the record at sendgrid.net (intended for this purpose), not sendgrid.com (appears to reflect what mail services Sendgrid the company themselves use, including things like Google Mail).
Fixing that removes a handful of lookups to other things that are irrelevant to you.

Second, what does mx in your SPF record expand to?
As you include _spf.google.com in SPF, I would expect that your MX records are most likely the Google Mail inbound servers, which are entirely pointless for you to add in SPF (and adds additional lookups).

As for a, what is there at that address and does it even send mail? If yes, why not just add the IP address in SPF instead of an indirect reference?

Håkan Lindqvist
  • 33,741
  • 5
  • 65
  • 90
  • Hi Håkan, I am thinking now I do not need the a record, the application doesn't send mail itself (only via the Sendgrid API), is that correct? I'll remove the mx keyword as well. – Jayson Lane Jul 29 '18 at 14:14
  • @JaysonLane If the host with the corresponding address only sends mail via Sendgrid, there's no need to allow that host itself. – Håkan Lindqvist Jul 29 '18 at 15:23
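Both answers come down to counting the lookups a record triggers, so here is a small counter, written as an added example for this thread rather than code from either answerer or from any of the providers mentioned. It walks an SPF record the way an evaluator does: every include, a, mx, ptr or exists mechanism and every redirect modifier costs one lookup, and the records reached through include and redirect are charged against the same budget of 10 (RFC 7208 section 4.6.4). The zone data is a constructed, offline stand-in: example.com holds the record from the question, example.net the same record with the sendgrid.net swap from the first answer, and example.org the version that also drops a and mx as the second answer suggests. The TXT contents for the Google, Sendgrid and Mailchimp names are invented for the demonstration and are not the records those domains actually publish, so the exact counts below are illustrative; only the shape of the result (the corporate include blowing the budget, the customer include not doing so) is the point.

```python
"""Count the DNS lookups an SPF record needs, against the limit of 10.

Example code for this thread; the zone below is constructed and is not
the real TXT data of any of the domains named in it.
"""
import re

# Mechanisms and the one modifier that each cost a DNS query (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Matches an optional qualifier, the term name, and an optional ":arg" or "=arg".
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](\S*))?$", re.I)

# Constructed stand-in for what a resolver would return. NOT real records.
FAKE_TXT = {
    # the record from the question
    "example.com": "v=spf1 a mx include:_spf.google.com include:sendgrid.com "
                   "include:servers.mcsv.net ~all",
    # first answer applied: sendgrid.net instead of sendgrid.com
    "example.net": "v=spf1 a mx include:_spf.google.com include:sendgrid.net "
                   "include:servers.mcsv.net ~all",
    # second answer applied as well: a and mx dropped, -all once testing is done
    "example.org": "v=spf1 include:_spf.google.com include:sendgrid.net "
                   "include:servers.mcsv.net -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    # invented corporate record: a chain of includes for the company's own mail
    "sendgrid.com": "v=spf1 include:_spf.google.com include:_spf.helpdesk.example "
                    "include:servers.mcsv.net include:sendgrid.net ~all",
    "_spf.helpdesk.example": "v=spf1 a mx ip4:192.0.2.0/24 ~all",
    # invented customer record: address ranges only, so no further lookups
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "servers.mcsv.net": "v=spf1 ip4:203.0.113.0/24 ?all",
}


def count_lookups(domain, zone, _path=()):
    """Return the number of DNS lookups evaluating domain's SPF record costs.

    include and redirect recurse into the referenced record and their inner
    lookups are added to the same total. A loop raises ValueError, which a
    real evaluator reports as permerror.
    """
    key = domain.lower()
    if key in _path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = zone.get(key)
    if record is None:
        return 0  # void lookup: the query itself was already charged by the caller
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record: {record!r}")
    total = 0
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"{domain}: unparseable term {term!r}")
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all cost nothing
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, _path + (key,))
    return total


def check_spf(domain, zone=FAKE_TXT):
    """Return (lookups, ok); ok is False when the record would permerror."""
    n = count_lookups(domain, zone)
    return n, n <= MAX_LOOKUPS


if __name__ == "__main__":
    for name, label in (("example.com", "record from the question"),
                        ("example.net", "sendgrid.net instead of sendgrid.com"),
                        ("example.org", "also without a and mx")):
        n, ok = check_spf(name)
        print(f"{label:38s} {n:2d} lookups  {'ok' if ok else 'PERMERROR (over 10)'}")
```

Against the constructed zone the question's record costs 17 lookups, swapping in sendgrid.net brings it to 8, and dropping the a and mx terms as well to 6. To use the counter on a real domain, replace the `zone.get(key)` call with a TXT query (for example via dnspython) and keep the rest; note that a and mx each also trigger address lookups that RFC 7208 limits separately, which this counter deliberately does not model.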