What Is Automatic/Dynamic SPF Record Flattening and How It Fixes the SPF PermError: Too Many DNS Lookups Issue

SPF Automatic/Dynamic SPF Record Flattening SPF PermError Too Many DNS Lookups

When the SPF PermError: Too Many DNS Lookups issue strikes, your email deliverability can take a bad hit due to SPF fail. We will explain how automatic/dynamic SPF record flattening can solve this problem below.

Nowadays, more and more services are necessary to run online operations on a day-to-day basis: marketing, sales, customer support, human resources, etc. As a result, you need to include such services as SendGrid, Mailchimp, Zendesk, and more into your SPF record.

Sooner or later though, you might find that you run into the SPF PermError: Too Many DNS Lookups issue, because you've included too many services and your SPF record now consumes more than 10 DNS lookups combined.

SPF records are hierarchical

To authorize a 3rd-party service to send emails on your organization's behalf in the SPF terms, simply "include" that service in your SPF record. For example, if you use Google to deliver your emails, add Google to your SPF record:

v=spf1 include:_spf.google.com -all

From now on, your emails sent from Google's hosts will pass SPF validation, even if Google makes changes to _spf.google.com, e.g., adding more IP addresses. Such changes are transparent to you as a customer.

In other words, SPF abstracts away the underlying changes with the include mechanism.

This hierarchical nature of SPF records allows you to use a 3rd-party service by simply including that service's SPF record, without having to update your SPF record for any underlying changes in that 3rd-party SPF record.

It comes with caveats though. For those who are not too familiar with SPF, adding a seemingly simple service like below seems innocent enough:

v=spf1 include:bluehost.com -all

It looks like a perfectly valid SPF record, and your emails should gleefully pass SPF validation, right?

However, a quick check on bluehost.com reveals that this service actually contains 11 DNS lookups.

Bluehost SPF record contains 11 DNS lookups

In other words, simply including this service in your SPF record violates the SPF rule that an SPF record can contain no more than 10 DNS lookups!

This happens because the bluehost service includes other services like qualtrics.com, google.com, salesforce.com, sparkpostmail.com, and mailjet.com; and these services in turn can include even other services, pulling more DNS lookups into your SPF record.

It's a "heavy" SPF record, for sure. But in reality, it's not uncommon to come across various SPF records that contain other 3rd-party services like bluehost.com.

SPF validation works by walking through the hierarchical "tree" represented by an SPF record, and checking if any node on the tree matches the incoming IP address. Evaluating a node on the tree adds to the DNS lookup count if it's one of: a, mx, include, ptr, exists, and redirect mechanisms.

During this validation process, if the DNS lookup count goes above 10, SPF cops out and returns SPF PermError: Too Many DNS Lookups.

SPF record flattening

SPF record flattening, as the name indicates, is a process to sort of "flatten" the hierarchy in an SPF record so that the flattened record contains fewer than 10 DNS lookups. This process is sometimes called SPF record compression or SPF record optimization.

It works by walking through the SPF tree of the record, translating every tree node into one ore more IP addresses, then creating a new SPF record with these IP addresses.

For example, if an a mechanism is encountered in the record, SPF record flattening will look up the IP address of the specified host, and add the IP address to the array later used to construct the flattened SPF record.

If an mx mechanism is seen, SPF record flattening will collect all the mail servers' IP addresses of the specified host, and add them for processing later.

If an include mechanism is found, SPF record flattening will call a recursive function to flatten the child SPF record specified by the include mechanism.

Mechanism like ip4 and ip6 are added verbatim, as these don't consume any DNS lookups.

Automatic/dynamic SPF record flattening

SPF record flattening is great. However, it's static by default, meaning each time any of the 3rd-party services is changed, you'd have to run through the same SPF record flattening process and update it in the DNS. Manually. This happens all the time, and manual SPF record flattening is very tedious and DNS updating is error-prone.

Fortunately, SPF record flattening can be automated. The automated SPF record flattening process is often called automatic SPF record flattening or dynamic SPF record flattening. The "dynamic" in the name reflect the fact that the SPF record is dynamic: any change in the 3rd-party services will make it to the final SPF record.

DMARCLY's Safe SPF feature implements automatic/dynamic SPF record flattening, and it allows anyone to set this up within a couple of minutes. Once set up, you would never need to worry about violating the SPF 10+ DNS lookup issue or updating the DNS settings manually anymore!

To use Safe SPF, log in to the DMARCLY dashboard, then go to DNS Records -> Safe SPF, then follow the Safe SPF guide to set up automatic/dynamic SPF record flattening on your domain.

If you don't have a DMARCLY account yet, sign up for a 14-day free service trial.

Use Safe SPF to fix the SPF PermError: Too Many DNS Lookups issue.

How automatic/dynamic SPF record flattening fixes the SPF PermError Too Many DNS Lookups issue

Consider how SPF validation works with the new Safe SPF record. When a new email comes in on the receiving server, the server checks the return-path of the email and the return-path field is company.com.

Next the server fetches the SPF record on company.com, which is both:

  • has all the IP addresses from the original SPF record;
  • consumes fewer than 10 DNS lookups.

Now for each IP address in the Safe SPF record, SPF checks if the connecting host's IP address matches. If so, SPF validation passes. If no matching IP address is found, SPF validation fails.

To sum up, SPF validation works the same with a Safe SPF record as it does with a "vanilla" SPF record. A Safe SPF record is an SPF record after all.

Note that automatic/dynamic SPF record flattening keeps the best of both worlds: the flattened SPF record still contain the IP addresses in the original SPF tree, while keeping a DNS lookup count under 10.

Automatic/dynamic SPF record flattening FAQs

Why am I seeing Google's IPs in my flattened SPF record even I didn't include Google's SPF record?

As SPF records are hierarchical, some services in your original SPF record can contain Google's SPF record. During the SPF record flattening process, Google's SPF record was found, flattened, and added to the IP list.

For example, if your original SPF record includes bluehost (bluehost.com), your flattened SPF record will contain Google's IP addresses since bluehost.com's SPF record includes Google's.

With automatic/dynamic SPF flattening, do I need to manually update the SPF record whenever there is any underlying change?

No. Since automatic/dynamic SPF flattening happens every few minutes, any underlying change will make it to the Safe SPF record.

How do I add new services to my Safe SPF record?

Refer to this article.

Chinese version

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account