The Solution to the 10 DNS Query Limit with SPF records.
How To Fix – SPF "Too many included lookups" Failure. The problem you may have is something like this. You run your domain through an SPF checker like one of our two favourite tools here, and it returns an error such as:
Too many included lookups (16)
Or
The SPF record exceeds the 10 DNS query limit, which results in deteriorated email deliverability. Use DMARCLY’s Safe SPF feature to fix this issue.
This error means that resolving your SPF record requires more than 10 DNS lookups (every include:, a, mx, ptr, exists and redirect= term costs one). You can look around the web a bit more for why this limit is in place, but you need to know that if your SPF record fails with these types of messages when testing, the entire SPF record is technically invalid and will be ignored.
What Causes Troubles
There are many misconfigured service providers that themselves use multiple SPF records, each of which requires a further reference and therefore more DNS lookups. I have encountered a few recently that I am sure in their own minds have a need to have shitty configurations for SPF, but in reality they show just how amateur they are at providing services for their users.
1. Xero.com
2. mailchannels.net
3. Bluehost.com
Let’s take Bluehost.com as the prime example. If you check their domain with the DMARCLY tool, you get something like this:
Warning!
We have found some issues.
v=spf1 include:spf2.bluehost.com include:_spf.qualtrics.com include:_spf.google.com include:_spf.salesforce.com include:sparkpostmail.com include:spf.mailjet.com -all 11 DNS queries
Tip
The SPF record exceeds the 10 DNS query limit, which results in deteriorated email deliverability. Use DMARCLY’s Safe SPF feature to fix this issue.
And you can see down the page that the resolution of their SPF record lists the 11 DNS lookups it needs to complete.
That is just crap. Their own DNS record is invalid, and they tell users to add “include:bluehost.com” to their own SPF record. This means that anyone who does this will instantly invalidate their own SPF record.
Xero.com is a similar lookup. Although it does not fail on its own, it does require 9 of your 10 allowable DNS lookups by itself. So if you add it to the end of your own SPF record as they suggest, it will almost certainly cause the failure of your SPF record.
This is really terrible practice for these companies and shows just how average they are at understanding how others use their services.
How it should be done.
Companies like Amazon, with their AWS services and in particular SES, require that you add the SPF term include:amazonses.com to your record. If you look at the result of the lookup for our own domain, interactivewebs.com.au, you will see this:
And you can see that their set of IP addresses costs only 1 DNS lookup. It has a bunch of IP addresses, but only one DNS lookup is needed to resolve them.
This is how other service providers like xero.com should configure their own SPF records. It is just slack that they have not.
How to Solve DNS Lookup Limit of 10 for SPF records.
You can actually do this easily yourself with your own DNS server, but you may need to update the record from time to time.
Let’s take xero.com as a typical example. The general suggestion is to add “include:xero.com” to your own SPF record.
So in our example for a client we are playing with currently, we end up wanting their SPF record to look like this:
v=spf1 mx a ip4:199.91.68.129/24 include:relay.mailchannels.net include:xero.com -all
Only that fails the 10-lookup DNS limit, because xero.com with its 9 DNS lookups and relay.mailchannels.net with their 3 DNS lookups already come to 11 before the few lookups we need for other reasons. The total becomes 16 DNS lookups.
What we do to resolve it is to take the 9 DNS lookups behind xero.com and flatten them into IP addresses. To do this we go to our tool here.
Enter “xero.com”
And scroll to the bottom where it lists the “flattened SPF Record”
And we want to copy that into our own DNS Domain Text Record.
v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ip4:23.253.182.103 ip4:23.253.183.145 ip4:23.253.183.146 ip4:23.253.183.147 ip4:23.253.183.148 ip4:23.253.183.150 ip4:166.78.68.221 ip4:166.78.69.146 ip4:167.89.46.159 ip4:167.89.64.9 ip4:167.89.65.0 ip4:167.89.65.53 ip4:167.89.65.100 ip4:167.89.74.233 ip4:167.89.75.33 ip4:167.89.75.126 ip4:167.89.75.136 ip4:167.89.75.164 ip4:192.237.159.42 ip4:192.237.159.43 ip4:52.63.88.73 ip4:52.64.75.98 ip4:69.72.45.252 ip4:69.72.39.26 ip4:198.61.255.26 ip4:64.73.120.224/27 ip4:213.41.42.80/28 ip4:3.93.157.0/24 ip4:3.210.190.232 ip4:18.208.124.128/25 ip4:54.174.52.0/24 ip4:54.174.53.128/30 ip4:54.174.57.0/24 ip4:54.174.59.0/24 ip4:54.174.60.0/23 ip4:54.174.63.0/24 ip4:139.180.17.0/24 ip4:167.89.105.58 ip4:50.31.44.110/31 ip4:167.89.31.152/29 ip4:192.254.127.96/27 ip4:198.37.146.104/31 ip4:198.37.146.106 ip4:23.23.239.161 ip4:166.78.71.49 ip4:54.243.244.199 ip4:52.48.54.246 ip4:52.64.111.139 ~all
Basically create a text record like you were creating your own domain name SPF. But call it “xero”. The example below is in the cPanel Zone Manager for the domain projectcentre.com.au – and we added a text record called: xero.projectcentre.com.au as below.
Then we pasted all that junk above into the Text Value, and saved it to look something like this:
So now, if we change “include:xero.com” to the new record “include:xero.projectcentre.com.au”, we will be looking at exactly the same IP address information that the lookup for xero.com gives us.
It should be noted that if xero.com decides to update their server list to some entirely new IP addresses, this may well stop working, and we would have to do the process again. But in all likelihood they will not change it so often that we should care.
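To make the lookup counting from the checkers above and the flattening just described concrete, here is an added example (not the post's code, nor any vendor's or DMARCLY's). It counts the DNS-querying terms in an SPF record, expands a vendor's include: chain into address terms, and republishes the result under a subdomain of the client's own zone, the way xero.projectcentre.com.au is used above. The zone is constructed with reserved .example names and documentation IP ranges; it stands in for live DNS so the example runs offline.

```python
import re
# Constructed, offline stand-in for the DNS TXT lookups a real checker makes
# (reserved .example names, RFC 5737/3849 test ranges; not real vendor data).
ZONE = {
    "client.example": "v=spf1 mx a ip4:192.0.2.0/24 include:relay.example include:vendor.example -all",
    "relay.example": "v=spf1 include:relay-a.example a ~all",
    "relay-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "vendor.example": "v=spf1 include:v1.example include:v2.example mx ~all",
    "v1.example": "v=spf1 ip4:203.0.113.0/25 include:v1a.example -all",
    "v1a.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "v2.example": "v=spf1 a ip4:203.0.113.128/25 -all",
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # 1 DNS query each; RFC 7208 caps the total at 10

def term_name(term):
    """Mechanism or modifier name without its qualifier, argument or mask."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]

def count_lookups(domain, zone):
    """DNS queries needed to evaluate domain's record, following every include."""
    total = 0
    for t in zone[domain].split()[1:]:  # skip the v=spf1 tag
        name = term_name(t)
        total += name in LOOKUP_TERMS
        if name == "include":
            total += count_lookups(t.split(":", 1)[1], zone)
    return total

def flatten(domain, zone):
    """Expand every include: into the ip4/ip6 terms beneath it; only the top-level all survives."""
    # Bare a/mx need A/MX data, not TXT, so they are kept, pinned to their domain, and still cost a lookup.
    def walk(d):
        out = []
        for t in zone[d].split()[1:]:
            name = term_name(t)
            if name == "include":
                out += walk(t.split(":", 1)[1])
            elif name in ("a", "mx") and ":" not in t:
                out.append(t + ":" + d)
            elif name != "all":
                out.append(t)
        return out
    tail = [t for t in zone[domain].split()[1:] if term_name(t) == "all"]
    return " ".join(["v=spf1"] + walk(domain) + tail)

def use_flattened(client, vendor, zone):
    """Publish vendor's flattened record under a subdomain of client and repoint the include: at it."""
    sub = vendor.split(".")[0] + "." + client  # e.g. vendor.client.example
    new = {**zone, sub: flatten(vendor, zone)}
    new[client] = zone[client].replace("include:" + vendor, "include:" + sub)
    return new
```

With this zone the client starts at 11 lookups and drops to 8 after the swap; the two that remain inside the flattened record are the vendor's own bare a and mx terms, which no TXT-only flattener can remove.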
Again I must say that it is really disappointing that these companies have not done the exact process we are using here, as they could be publishing things the way amazonses does. Correctly.
Anyway. Solution found for DNS Lookup Issues
Awesome post. Just running into this issue and Safe SPF fixed this issue perfectly!
Glad it helped you David.
Unfortunately if you do this and your hosting provider changes some of the mail servers they intend to use, you won’t know and will start missing mail. I don’t see there is any good solution really.
I just tried this for Intuit – intuit.com. The flattened SPF exceeds 1024 characters and I cannot enter it into my DNS record. 🙁
Everything looked great until I pasted it into the record and got the error message, “Text record exceeded the maximum of 1024 characters.” Any way around this?