Sender Policy Framework (SPF) DNS lookup limitations

The Sender Policy Framework (SPF) specification limits receiving servers to a maximum of 10 DNS lookups when fully resolving an SPF record. This limit exists to help prevent denial of service (DoS) attacks against the resolver, but it can cause problems for senders who use the "include" mechanism carelessly, since every include pulls in all the lookups of the included record as well.

This information can be found in section 10.1 of the SPF RFC specification:

SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.
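The counting rule quoted above, worked through as an added Python example (not part of the original article): it walks a record, follows "include" and "redirect" recursively, counts every lookup-consuming term, and returns PermError once the total exceeds 10. The domains and TXT records are constructed placeholders held in an in-memory map so the script runs offline.

```python
# Added example: count SPF DNS lookups per the rule in RFC 4408 section 10.1.
# DNS is replaced by a constructed in-memory map (placeholder names, not real data).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

# Constructed TXT records keyed by domain name.
FAKE_DNS = {
    "example.test":   "v=spf1 mx include:_spf.mail.test include:_spf.crm.test -all",
    "_spf.mail.test": "v=spf1 ip4:192.0.2.0/24 a:relay.mail.test include:_spf.sub.test ~all",
    "_spf.sub.test":  "v=spf1 a mx ip6:2001:db8::/32 -all",
    "_spf.crm.test":  "v=spf1 redirect=_spf.crm2.test",
    "_spf.crm2.test": "v=spf1 a mx ptr exists:%{i}.crm.test -all",
}

def count_lookups(domain, dns=FAKE_DNS, ancestors=frozenset()):
    """Number of lookup-consuming terms reached from domain's record,
    recursing through include: and redirect= as the RFC requires."""
    if domain in ancestors:            # include/redirect loop: stop here
        return 0
    ancestors = ancestors | {domain}
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        if "=" in term:                            # modifier (redirect=, exp=)
            name, _, target = term.partition("=")
            if name == "redirect":                 # counts, then follow it
                total += 1 + count_lookups(target, dns, ancestors)
            continue                               # exp= does not count
        name, _, target = term.partition(":")
        name = name.split("/")[0]                  # handle a/24, mx/24 forms
        if name == "include":                      # counts, plus everything inside
            total += 1 + count_lookups(target, dns, ancestors)
        elif name in LOOKUP_MECHANISMS:            # a, mx, ptr, exists
            total += 1                             # ip4, ip6, all: no lookup
    return total

def check(domain, dns=FAKE_DNS):
    """Return ("PermError" | "ok", lookup count) for the domain's SPF record."""
    n = count_lookups(domain, dns)
    return ("PermError" if n > LIMIT else "ok", n)

if __name__ == "__main__":
    print(check("example.test"))   # the two includes push this record to 12
```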

To check whether your SPF record validates, we recommend using a tool such as the SPF Record Testing page at kitterman.com/spf/validate/html.
