SPF Records causing too many DNS lookups

3

I'm just setting up SPF records on our DNS server and have run into the problem that there are too many DNS lookups occurring.

My SPF records include the mail server (Outlook), Mailchimp (for email campaigns), Zendesk (our helpdesk system), SendGrid (for mailing from our web services), and Xero (our accounting software).

Given that this is far too many - am I better off just not listing any SPF records at all, rather than providing one which is too long?

Is there any way to get around this 10-lookups-only limit, or something that I can use that supersedes SPF?

henrypootel

Posted 2013-08-06T22:15:07.167

Reputation: 31

Answers

2

In order to get around the 10 query limit, you can either try to reduce the number of includes or use subdomains for each type of your email communication and only use the respective includes on each subdomain.

Alternatively, you can try to flatten your includes into a static list of IP addresses. Try, for example, https://github.com/0x9090/SPFlatten. The problem with that approach is that whenever one of your providers adds, removes or changes its IP addresses, your flattened record will be outdated and you run into emails not being delivered.

Your last resort is to go to a commercial service like SPF Guru. They gather a list of authorized IPs from all of your includes, create an 'exists' mechanism and keep the whitelist constantly updated. SPF monitoring helps you to track your senders. Full disclosure: I work for SPF Guru.

SPF Guru

Posted 2013-08-06T22:15:07.167

Reputation: 21
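An added example, not part of the original answers: Python that counts the terms of an SPF record tree that cost a DNS query (RFC 7208 section 4.6.4), flattens the includes, and reports drift between a published flattened record and the providers' current records. The zone, domain names and IP ranges are constructed for illustration, and the function names are this example's own.

```python
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4

# Constructed zone: hypothetical names, documentation IP ranges, not real provider data.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:_spf.news.example "
                   "include:_spf.desk.example -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example -all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "_b.mail.example": "v=spf1 ip4:192.0.2.128/25 ip6:2001:db8:1::/48 -all",
    "_spf.news.example": "v=spf1 include:_a.news.example a:relay.news.example mx:news.example -all",
    "_a.news.example": "v=spf1 ip4:198.51.100.0/26 -all",
    "_spf.desk.example": "v=spf1 a:out.desk.example include:_a.mail.example -all",
}

def terms(record):
    """Yield (name, value) per term after 'v=spf1', qualifier stripped."""
    for term in record.split()[1:]:
        m = re.match(r"([A-Za-z0-9]+)[:=]?(.*)", term.lstrip("+-~?"))
        yield m.group(1).lower(), m.group(2)

def count_lookups(domain, zone, _path=()):
    """Worst-case number of DNS-querying terms, following include/redirect."""
    if domain in _path:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for name, value in terms(zone[domain]):
        total += name in LOOKUP_TERMS
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, _path + (domain,))
    return total

def flatten(domain, zone):
    """Replace include/redirect with the terms they contain (assumes '+' qualifiers)."""
    out = []
    for name, value in terms(zone[domain]):
        if name in ("include", "redirect"):
            out += flatten(value, zone)
        elif name in ("a", "mx", "ptr") and (not value or value[0] == "/"):
            out.append(f"{name}:{domain}{value}")  # pin the implicit domain
        elif name in ("ip4", "ip6", "a", "mx", "ptr", "exists"):
            out.append(f"{name}:{value}")
    return list(dict.fromkeys(out))  # de-duplicate, keep order

def drift(published, domain, zone):
    """(missing, stale) between a published flattened record and the current sources."""
    have = {t for t in published.split()[1:] if t.lstrip("+-~?") != "all"}
    want = set(flatten(domain, zone))
    return want - have, have - want
```

For the constructed zone the tree costs 11 lookups, while the flattened record costs 4 because its remaining `a` and `mx` terms still need DNS. Run `count_lookups` before `flatten`, since only the former detects include loops.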

1

The 10 lookup limit is a limit for DNS lookups. Flattening the SPF record to include fewer DNS lookups and replacing them with IPs (flattening) is a way to get around the limit.

You could do this manually, but then you have to update your SPF records every time one of the providers changes their IPs (which happens frequently).

The ideal solution is to use an SPF flattening service. This one is free for low volumes, or cheap for more than 500 emails/month. It regularly polls the SPF records you want to include for updated IPs.

Fraudmarc.com

Disclosure: I am not associated with this company and this is not a referral link.

Gaia

Posted 2013-08-06T22:15:07.167

Reputation: 4 549

0

Manually "flattening" SPF records might work at first, but if the hard-coded IP addresses change (which is reasonable enough), some automated SPF record flattening services go a long way.

For example, Dmarcly (https://dmarcly.com) has a feature called Safe SPF, which automates SPF flattening for you. It keeps checking the underlying IP addresses, and if there is any IP change, Dmarcly picks it up and updates the flattened record. This way, there is no more outdated IP address, and of course, one will never run into the too-many-DNS-lookups issue. In addition, you don't have to do anything manually!

shoorlyne

Posted 2013-08-06T22:15:07.167

Reputation: 1