How To Fix – SPF Too many included lookups Failure


The Solution to the 10 DNS Query Limit with SPF records.

How To Fix – SPF Too many included lookups Failure. The problem you may have is something like this. You check your domain with one of our two favourite tools here:

1. MXToolbox SPF Checker

2. DMARCLY SPF Tool

And they return the error that you have:

Too many included lookups (16)


Or

The SPF record exceeds the 10 DNS query limit, which results in deteriorated email deliverability. Use DMARCLY’s Safe SPF feature to fix this issue.


This error is generated when resolving your SPF record requires more than 10 DNS lookups, counting every include:, a, mx, ptr, exists and redirect= term in your record and in every record it pulls in (ip4: and ip6: terms cost nothing). You can look around the web a bit more for why this limit is in place, but you need to know that if your SPF record fails with these types of messages when testing, the entire SPF record is technically invalid and will be ignored.

What Causes Troubles

There are many misconfigured service providers that themselves use multiple SPF records that all require references and subsequently DNS lookups. I have encountered a few recently that I am sure in their own minds have a need to have shitty configurations for SPF, but in reality show just how amateur they are at providing services for their users.

1. Xero.com

2. mailchannels.net

3. Bluehost.com

Let’s take Bluehost.com as the prime example. If you check their domain with the DMARCLY tool, you get something like this:

Warning!
We have found some issues.
v=spf1 include:spf2.bluehost.com include:_spf.qualtrics.com include:_spf.google.com include:_spf.salesforce.com include:sparkpostmail.com include:spf.mailjet.com -all 11 DNS queries

Tip
The SPF record exceeds the 10 DNS query limit, which results in deteriorated email deliverability. Use DMARCLY’s Safe SPF feature to fix this issue.

And you can see down the page that the resolution of their SPF record lists the 11 DNS lookups it needs to resolve the record.

That is just crap. Their own DNS record is invalid, and they tell users to add “include:bluehost.com” to their own SPF record. This means that anyone who does this will instantly invalidate their own SPF record.

Xero.com is a similar lookup. Although it does not fail on its own, it does require 9 DNS lookups of your 10 allowable on its own. So if you add it to the end of your own SPF record as they suggest, it will almost certainly cause the failure of your SPF record.

This is really terrible practice for these companies and shows just how average they are at understanding how others use their services.

How it should be done.

Companies like Amazon with their AWS services, and in particular their SES service, require that you add an SPF include:amazonses.com to your record. If you look at the result of the lookup on our domain name, interactivewebs.com.au, you will see this:


And you can see that their set of IP addresses costs only 1 DNS lookup. The record lists a bunch of IP addresses, but only the one lookup is needed to fetch them all.

This is how other service providers like xero.com should configure their own SPF records. It is just slack that they have not.

How to Solve DNS Lookup Limit of 10 for SPF records.

You can actually do this easily yourself with your own DNS server, but you may need to update the record from time to time.

Let’s take xero.com as a typical example. The general suggestion is to add “include:xero.com” to your own SPF record.

So in our example for a client we are playing with currently, we end up wanting their SPF record to look like this:

v=spf1 mx a ip4:199.91.68.129/24 include:relay.mailchannels.net include:xero.com -all

Only that fails the 10 lookup DNS limit, because xero.com with its 9 DNS lookups and relay.mailchannels.net with its 3 DNS lookups will equal 11 before the few lookups we need for other reasons. The total becomes 16 DNS lookups.

What we do to resolve it is to take the 9 DNS lookups from xero.com and flatten them into IP addresses. To do this we go to our tool here.

Enter “xero.com”


And scroll to the bottom, where it lists the “flattened SPF record”:


And we want to copy that into our own DNS Domain Text Record.

v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ip4:23.253.182.103 ip4:23.253.183.145 ip4:23.253.183.146 ip4:23.253.183.147 ip4:23.253.183.148 ip4:23.253.183.150 ip4:166.78.68.221 ip4:166.78.69.146 ip4:167.89.46.159 ip4:167.89.64.9 ip4:167.89.65.0 ip4:167.89.65.53 ip4:167.89.65.100 ip4:167.89.74.233 ip4:167.89.75.33 ip4:167.89.75.126 ip4:167.89.75.136 ip4:167.89.75.164 ip4:192.237.159.42 ip4:192.237.159.43 ip4:52.63.88.73 ip4:52.64.75.98 ip4:69.72.45.252 ip4:69.72.39.26 ip4:198.61.255.26 ip4:64.73.120.224/27 ip4:213.41.42.80/28 ip4:3.93.157.0/24 ip4:3.210.190.232 ip4:18.208.124.128/25 ip4:54.174.52.0/24 ip4:54.174.53.128/30 ip4:54.174.57.0/24 ip4:54.174.59.0/24 ip4:54.174.60.0/23 ip4:54.174.63.0/24 ip4:139.180.17.0/24 ip4:167.89.105.58 ip4:50.31.44.110/31 ip4:167.89.31.152/29 ip4:192.254.127.96/27 ip4:198.37.146.104/31 ip4:198.37.146.106 ip4:23.23.239.161 ip4:166.78.71.49 ip4:54.243.244.199 ip4:52.48.54.246 ip4:52.64.111.139 ~all

Basically, create a TXT record exactly as if you were creating your own domain’s SPF record, but give it the name “xero”. The example below is in the cPanel Zone Manager for the domain projectcentre.com.au, where we added a TXT record called xero.projectcentre.com.au as below.


Then we pasted all that junk above into the Text Value, and saved it to look something like this:


So now, if we change “include:xero.com” to the new record, “include:xero.projectcentre.com.au”, we will be getting the exact same IP address information that the lookup for xero.com gives us, at the cost of a single DNS lookup.

It should be noted that if xero.com decides to update their server list to some entirely new IP addresses, this may well stop working, and we would have to do the process again. But in all likelihood they will not change it so often that we should care.
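To make the lookup counting described earlier and the flattening steps above concrete, here is an added worked example (not code from the post, and not the online tool it uses). It runs against a constructed in-memory zone instead of live DNS, so every domain name and address range in it is made up for illustration; the names example-client.test, saas.example.test and relay.example-mail.test stand in for a client domain and two providers. It counts lookups the way a receiver does (include, a, mx, ptr, exists and redirect each cost one; ip4, ip6 and all cost nothing), flattens a provider include into ip4/ip6 terms published under a local name, and includes a staleness check for the caveat just mentioned: re-run it periodically so you notice when the provider’s live record has drifted away from your copy.

```python
"""Count SPF DNS lookups, flatten an include, and detect drift of the copy.

Added example, not code from the original post. The ZONE dict stands in for
live DNS so this runs offline; all names and ranges in it are constructed.
"""
import ipaddress

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4/ip6/all do not.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LOOKUP_LIMIT = 10

# Constructed zone: name -> the SPF TXT record published at that name.
ZONE = {
    "example-client.test": "v=spf1 mx a ip4:203.0.113.0/24 include:relay.example-mail.test include:saas.example.test -all",
    "relay.example-mail.test": "v=spf1 include:a.relay.example-mail.test include:b.relay.example-mail.test ~all",
    "a.relay.example-mail.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "b.relay.example-mail.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "saas.example.test": "v=spf1 include:one.saas.example.test include:two.saas.example.test include:_spf.bigmail.test ~all",
    "one.saas.example.test": "v=spf1 ip4:192.0.2.0/26 ~all",
    "two.saas.example.test": "v=spf1 ip4:192.0.2.64/26 ip6:2001:db8:1::/48 ~all",
    "_spf.bigmail.test": "v=spf1 include:n1.bigmail.test include:n2.bigmail.test include:n3.bigmail.test ~all",
    "n1.bigmail.test": "v=spf1 ip4:192.0.2.128/26 ~all",
    "n2.bigmail.test": "v=spf1 ip4:192.0.2.192/26 ~all",
    "n3.bigmail.test": "v=spf1 ip6:2001:db8:2::/48 ~all",
}


def lookup_txt(zone, name):
    """Stand-in for a DNS TXT query; a missing record is a permerror in real SPF."""
    if name not in zone:
        raise LookupError(f"no SPF record at {name}")
    return zone[name]


def parse_terms(record):
    """Split an SPF record into (mechanism, argument) pairs, dropping the +-~? qualifier."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for field in fields[1:]:
        field = field.lstrip("+-~?")
        name, sep, arg = field.partition(":")      # include:x, ip4:x, a:x ...
        if not sep:
            name, sep, arg = field.partition("=")  # redirect=x, exp=x
        terms.append((name.lower(), arg))
    return terms


def count_lookups(zone, domain, path=()):
    """Number of DNS lookups a receiver performs to evaluate this record,
    recursing into include: and redirect= targets. `path` catches include loops."""
    if domain in path:
        raise LookupError(f"include loop at {domain}")
    total = 0
    for mech, arg in parse_terms(lookup_txt(zone, domain)):
        if mech in LOOKUP_MECHANISMS:
            total += 1
        if mech in ("include", "redirect"):
            total += count_lookups(zone, arg, path + (domain,))
    return total


def check_record(zone, domain):
    """What the checkers quoted in the post report: the count and whether it exceeds 10."""
    n = count_lookups(zone, domain)
    return {"lookups": n, "permerror": n > LOOKUP_LIMIT}


def flatten(zone, domain):
    """Return a lookup-free copy of `domain`'s policy: every ip4/ip6 term reachable
    through its includes and redirects, in one record. This is the post's manual
    'flattened SPF record' step as code."""
    terms = []

    def walk(name, path=()):
        if name in path:
            raise LookupError(f"include loop at {name}")
        for mech, arg in parse_terms(lookup_txt(zone, name)):
            if mech in ("ip4", "ip6"):
                net = ipaddress.ip_network(arg, strict=False)
                host = net.prefixlen == net.max_prefixlen
                terms.append(f"{mech}:{net.network_address if host else net.with_prefixlen}")
            elif mech in ("include", "redirect"):
                walk(arg, path + (name,))
            elif mech in ("a", "mx", "ptr", "exists"):
                # These need live A/MX/PTR answers to expand; keep them verbatim
                # (each still costs a lookup) rather than silently dropping policy.
                terms.append(f"{mech}:{arg}" if arg else mech)

    walk(domain)
    return "v=spf1 " + " ".join(dict.fromkeys(terms)) + " ~all"


def apply_flattening(zone, client, provider, local_name):
    """Publish the flattened copy of `provider` at `local_name` and repoint the
    client's include at it, the way the post swaps include:xero.com for a local name."""
    new_zone = dict(zone)
    new_zone[local_name] = flatten(zone, provider)
    new_zone[client] = zone[client].replace(f"include:{provider}", f"include:{local_name}")
    return new_zone


def flattened_is_stale(zone, flattened_record, source_domain):
    """True when the provider's live record no longer matches our copy; run this on
    a schedule so the flattened record does not quietly fall behind."""
    ignore = {("all", "")}
    return (set(parse_terms(flattened_record)) - ignore) != (set(parse_terms(flatten(zone, source_domain))) - ignore)


if __name__ == "__main__":
    print("before:", check_record(ZONE, "example-client.test"))
    fixed = apply_flattening(ZONE, "example-client.test", "saas.example.test", "saas.example-client.test")
    print("after: ", check_record(fixed, "example-client.test"))
    print(fixed["saas.example-client.test"])
```

In the constructed zone the client record costs 12 lookups before flattening and 6 after, because the 6 lookups hidden behind saas.example.test collapse into the single lookup for the local copy. Pointing a cron job at flattened_is_stale against real DNS (swap lookup_txt for a TXT query) turns the “we would have to do the process again” caveat into an alert instead of a surprise.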

Again I must say that it is really disappointing that these companies have not done the exact process we are using here, as they could be publishing things the way amazonses does. Correctly.

Anyway. Solution found for DNS Lookup Issues

