We’ve got fantastic new functionality to share with you! Users of Valimail Monitor will notice a new column called SPF Lookup in their list of domains.
This column highlights the number of domain name service (DNS) lookups in the Sender Policy Framework (SPF) email authentication record for your domain, showing you whether or not your SPF authentication configuration contains too many links to additional providers.
Why this matters: SPF limitations
The specification governing SPF email authentication (RFC 7208) restricts the number of separate DNS lookups that may be performed. No more than ten DNS lookups are allowed when evaluating the SPF authentication record for your domain. Why? From section 4.6.4 of the governing Request For Comments (RFC) documentation:
Some mechanisms and modifiers (collectively, “terms”) cause DNS queries at the time of evaluation, and some do not. The following terms cause DNS queries:
- a
- mx
- ptr
- include
- exists
- redirect modifier
SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS. If this limit is exceeded, the implementation MUST return “permerror.”
What drives unreasonable load on the DNS regarding an overstuffed DNS record? Most commonly, including too many “includes” in your SPF record. When configuring a new sending service to send properly authenticated messages using your email domain, it is nearly guaranteed that the service provider will instruct senders to add a little bit of text to their SPF record in DNS, usually along the lines of “include:valimail.com”, meaning the word include, followed by a reference to another domain or hostname. This “include mechanism” takes up one (or more) of those allowed DNS lookup slots.
If your company uses five, ten, or fifteen different service providers (email service providers, marketing automation tools, CRM or resource management tools, and other platforms that send mail), the IT manager taking care of DNS for your email domain name has probably been asked to add an “include mechanism” to your domain’s SPF record for each one of those services.
Include mechanisms tell receiving mailbox providers to follow the “include” link and look up the additional SPF results found in the other domain or hostname referenced. They can be (and often are) nested. This means looking up the details of the entries inside of one “include mechanism,” which can lead to even more of those mechanisms under the hood. As before, each one of them takes up one (or more) of those valuable DNS lookup slots.
And those mechanisms can change and increase! Marketing automation or customer relationship management (CRM) platforms regularly update their SPF records as their infrastructure changes and grows. Seven SPF lookups today could end up being eleven SPF lookups tomorrow.
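The nested counting described above can be sketched as follows. This is an added example, not Valimail's code: it counts all six DNS-querying terms from the quoted RFC section (not only includes), and every domain and record in it is constructed sample data held in a dictionary instead of being fetched from DNS.

```python
import re

LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists"}
LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed sample data: domain -> SPF TXT record. All names are hypothetical;
# a live checker would resolve the TXT records from DNS instead.
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.crm.example "
                   "include:_spf.esp.example include:_spf.helpdesk.example ~all",
    "example.org": "v=spf1 mx include:_spf.esp.example -all",
    "_spf.crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example ~all",
    "_a.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.crm.example": "v=spf1 a:mail.crm.example ~all",
    "_spf.esp.example": "v=spf1 include:_pool.esp.example exists:%{i}.ok.esp.example ~all",
    "_pool.esp.example": "v=spf1 mx ~all",
    "_spf.helpdesk.example": "v=spf1 ip4:203.0.113.7 redirect=_spf2.helpdesk.example",
    "_spf2.helpdesk.example": "v=spf1 ip4:203.0.113.8 -all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms for `domain`: every term is
    counted, as if no mechanism matched early, following include/redirect."""
    if domain in path:
        raise ValueError("include/redirect loop at " + domain)
    total = 0
    # Skip the leading "v=spf1" tag; a missing record contributes no terms.
    for term in zone.get(domain, "").split()[1:]:
        m = re.match(r"[+\-~?]?([a-z]+)(?:([:=])([^/\s]+))?", term.lower())
        if not m:
            continue
        name, sep, target = m.groups()
        if sep == "=":
            if name != "redirect":          # other modifiers (e.g. exp=) are free
                continue
        elif name not in LOOKUP_MECHANISMS:  # ip4, ip6, all cost no lookup
            continue
        total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def spf_lookup_status(domain, zone):
    """Return (count, result); result is "permerror" when the limit is exceeded."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")
```

In this sample, example.com lists only three includes plus `a` and `mx`, yet the nested records bring the total to twelve, while example.org stays at five.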
Too many lookups, too many problems
SPF fumbles can result in otherwise legitimate mail getting blocked. Per the SPF specification, inbox providers are supposed to fail SPF checks when they encounter too many (more than ten) DNS lookups. A few providers try to be kind and won’t always fail on that condition, but that’s not the case across the board, and you are much more likely to have email authentication (and deliverability) issues if your SPF record isn’t able to pass the ten DNS lookup challenge successfully.
Valimail’s patented Instant SPF functionality for Valimail Enforce users takes care of this type of SPF issue for you automatically, ensuring that the results provided in response to SPF lookup queries never exceed the ten response limit. (And this isn’t SPF Flattening, which comes with its own set of problems that you’ll want to avoid.)
But if you’re not a Valimail Enforce user, and you’re wondering if you have an SPF problem that Instant SPF functionality would help address, this is how you can tell: That new “SPF Lookup” column breaks down the number of DNS lookups used for the SPF record for each of your email domains. You can click on the number to see more details about that particular SPF record.
Try it for free today
Start your Domain-based Message Authentication, Reporting, and Conformance (DMARC) journey today! Valimail Monitor is free and will help you identify all your sending sources, gain insight into phishing and spoofing, identify email authentication issues, and more!