The SPF standard requires that every SPF record stay within the 10-DNS-lookup limit. This means that any SPF record that causes more than 10 DNS queries is invalid, and any attempt to authenticate SPF for an email from that domain results in an error.

The “a”, “include”, “mx”, “ptr”, and “exists” mechanisms and the “redirect” modifier count against this limit. The “all”, “ip4”, and “ip6” mechanisms need no DNS lookups and therefore do not count against the 10-DNS-lookup limit.

In this article, we discuss how to trim a bloated SPF record so that SPF authentication passes. It mainly concerns delivery services that send email on behalf of their clients and ask those customers to add an SPF record to their domain’s DNS, but it can also be useful to senders publishing their own SPF records.

Avoid Expensive SPF Mechanisms

Think twice before using the “mx” mechanism. It makes an SPF record look effortless, but it always triggers a DNS lookup that counts against the 10-DNS-lookup limit.

Rather than “mx”, consider the “ip4” and “ip6” mechanisms to list the IP addresses from which your hosts and MX servers send email. Your SPF record will look longer, but it will be much cheaper from the viewpoint of DNS queries: a single “mx” mechanism costs more than 20 “ip4” mechanisms.

Likewise, avoid the “a” mechanism; it too can be replaced with “ip4” or “ip6”.

Do not use “ptr”, as the current SPF RFC deprecates it.

Verify The IP Addresses

If you have many “ip4” and “ip6” mechanisms, make sure none of them are unnecessary. Are there IP addresses you are not using? Are there IP address ranges that can be combined? For example, “ip4:x.y.z.5/24” and “ip4:x.y.z.4/24” can be replaced with “ip4:x.y.z.4/23”.

CIDR blocks derived from IP address ranges can sometimes give very inefficient representations. The range 10.11.12.1-10.11.12.254 requires 14 “ip4” mechanisms to represent exactly. Instead, you can use the single mechanism “ip4:10.11.12.0/24”, even if you send no email from the .0 or .255 addresses.

You do not need a “~all” or “-all” at the end of a TXT record that is only included in another SPF record and never used directly. It does no harm, but it uses up some of the available characters.

Split Your SPF Record

An SPF record can consist of one or more strings of text, and each string can contain no more than 255 characters. An SPF checker takes all the strings in a TXT record and concatenates them before it starts examining the content, so you can exceed 255 characters in an SPF record by dividing it into more than one string.

However, keep your DNS packets under 512 bytes. Count the DNS overhead for an answer containing a single TXT record with two strings, which is about 34 bytes, and add the length of the hostname being queried. So, to stay within the 512-byte limit, you need to cut your SPF data into pieces of no more than 478 minus the length of the hostname.

Then you need to break that SPF data into two separate strings. Because they are concatenated with no whitespace added, you need to put a space at the end of the first string or at the beginning of the second string.
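The lookup counting described at the top of the article, the range-to-CIDR reduction from the IP-address section, and the string-splitting rule above, as an added Python example (not code from the original article). It assumes the `example.com` hostname and the `192.0.2.x` addresses used in the sample record are placeholders.

```python
import ipaddress

# Terms that trigger a DNS query and so count toward the 10-lookup limit.
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def count_lookups(record: str) -> int:
    """Count the DNS-querying terms visible in one SPF record.

    Only this record is examined: the records behind "include" and
    "redirect" would have to be fetched and counted recursively.
    """
    n = 0
    for term in record.split()[1:]:          # skip the leading "v=spf1"
        term = term.lstrip("+-~?")           # drop the qualifier, if any
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            n += 1
    return n


def range_to_ip4(first: str, last: str):
    """Express an inclusive IPv4 range as the minimal list of ip4: mechanisms."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [f"ip4:{net.with_prefixlen}" for net in nets]


def split_spf(record: str, hostname: str, max_string=255, packet_budget=478):
    """Split SPF data into TXT strings that concatenate back correctly.

    Every string except the last keeps a trailing space, because the
    checker joins strings with no whitespace added.  The whole record
    must fit the 478-minus-hostname budget from the article.
    """
    budget = packet_budget - len(hostname)
    if len(record) > budget:
        raise ValueError(f"record is {len(record)} chars, budget is {budget}")
    strings, current = [], ""
    for term in record.split():
        piece = term + " "
        if len(current) + len(piece) > max_string:
            strings.append(current)          # ends with the separating space
            current = ""
        current += piece
    strings.append(current.rstrip())
    return strings


if __name__ == "__main__":
    # Constructed sample record: 20 single-address ip4 terms on a placeholder domain.
    sample = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}/32" for i in range(20)) + " -all"
    print(count_lookups(sample), range_to_ip4("10.11.12.1", "10.11.12.254"))
    print(split_spf(sample, "example.com"))
```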
