People sometimes run into the “too many DNS lookups” error when rolling out SPF (Sender Policy Framework). It doesn’t help that there is a lot of bad guidance on the Internet. This article describes how to fix this issue.
SPF ships with a built-in limit on the number of “DNS-querying mechanisms” that a set of SPF records can contain. That limit is 10. Those mechanisms are:
Most commonly, people run into the “too many DNS lookups” error due to using a lot of “include” mechanisms. For example, if a domain is using Google Apps, then Google’s own SPF record automatically takes up 4 of the 10 allowed DNS-querying mechanisms:
A lot of services on the Internet will ask an email domain owner to add their service into an SPF record. Unfortunately, adding such services usually doesn’t do anything due to confusion around how SPF works.
The trouble is that SPF checks the envelope domain of an email, and more often than not, the service that asks to be included into a domain’s SPF record isn’t even using that domain in the envelope address. We’ve published a short video on how SPF works.
There is a twist. Even if the Internet service is using your own domain in the envelope address of the email they’re sending on your behalf, if email delivery fails for whatever reason and a bounce message needs to be sent (e.g. “bad address!” or “recipient’s mailbox is full!”), that bounce message will be sent to your own domain’s email server — and not back to the Internet service.
Not being able to receive bounces is bad, which is why we wrote up how Internet services can send better email on behalf of others.
To find out which unnecessary services can be cut out of your SPF records, dmarcian will cross-reference your domain’s DMARC feedback data with your domain’s SPF record. If you’re logged into a dmarcian account and DMARC feedback is present, the SPF Surveyor will be able to show you which parts of your SPF record are actively being used.
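The two steps above, counting the DNS-querying terms across a record and everything it pulls in, and then cross-referencing the expanded record against the sending IPs seen in DMARC feedback, can be shown in one small script. The following is an added example written for this article, not dmarcian’s code or the SPF Surveyor; every domain, SPF record, host address and “DMARC source IP” in it is constructed, and DNS is replaced by two in-memory dictionaries so it runs offline. The set of lookup-costing terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) is taken from RFC 7208 section 4.6.4; the handling of `a`/`mx` and the absence of `ptr`/`exists` networks are simplifications of the real evaluation.

```python
"""Added example (not dmarcian's code): count the DNS-querying terms in an
SPF record tree and cross-reference the expanded record with observed
sending IPs, as a DMARC-feedback-driven cleanup would. Every domain,
record and IP below is constructed; nothing is fetched from real DNS."""
import ipaddress

# RFC 7208 section 4.6.4: each of these terms costs one of the 10 lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed stand-in for TXT lookups (hypothetical domains and records).
DNS_TXT = {
    "example.com": ("v=spf1 mx include:_spf.mailprovider.example "
                    "include:crm.example.net include:newsletter.example.org "
                    "include:helpdesk.example.net ~all"),
    "_spf.mailprovider.example": ("v=spf1 include:_netblocks1.mailprovider.example "
                                  "include:_netblocks2.mailprovider.example "
                                  "include:_netblocks3.mailprovider.example ~all"),
    "_netblocks1.mailprovider.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.mailprovider.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_netblocks3.mailprovider.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "crm.example.net": "v=spf1 ip4:192.0.2.0/26 -all",
    "newsletter.example.org": "v=spf1 a mx ip4:192.0.2.64/26 -all",
    "helpdesk.example.net": "v=spf1 a mx -all",
}
# Constructed stand-in for resolving a name's A / MX hosts to addresses.
DNS_HOSTS = {
    "example.com": ["198.51.100.200"],
    "newsletter.example.org": ["192.0.2.130"],
    "helpdesk.example.net": ["192.0.2.140"],
}
# Constructed source IPs, as they would appear in DMARC aggregate feedback.
DMARC_SOURCE_IPS = ["203.0.113.5", "198.51.100.200", "2001:db8:1::25"]


def parse_terms(record):
    """Split 'v=spf1 ...' into (qualifier, name, argument) tuples."""
    terms = []
    for tok in record.split()[1:]:
        qual = "+"
        if tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        sep = "=" if "=" in tok else ":"   # modifiers use '=', mechanisms ':'
        name, _, arg = tok.partition(sep)
        terms.append((qual, name.lower(), arg))
    return terms


def expand(domain, dns_txt=DNS_TXT, dns_hosts=DNS_HOSTS):
    """Walk the record tree. Returns (lookup_count, entries); each entry is
    (top_level_term, qualifier, ip_network), where top_level_term is the
    term in the root record that brought the network in."""
    lookups = 0
    entries = []

    def visit(dom, via):
        nonlocal lookups
        # A missing record is a permerror in a real evaluator; here it is empty.
        for qual, name, arg in parse_terms(dns_txt.get(dom, "v=spf1")):
            if name in LOOKUP_TERMS:
                lookups += 1
            top = via or (f"{name}:{arg}" if arg else name)
            if name in ("ip4", "ip6"):
                entries.append((top, qual, ipaddress.ip_network(arg, strict=False)))
            elif name in ("a", "mx"):          # toy model: arg or current domain
                for ip in dns_hosts.get(arg or dom, []):
                    entries.append((top, qual, ipaddress.ip_network(ip)))
            elif name in ("include", "redirect"):
                visit(arg, top)
            # ptr / exists still cost a lookup but add no networks in this model

    visit(domain, "")
    return lookups, entries


def used_top_level_terms(entries, source_ips):
    """Top-level terms whose networks cover at least one observed sending IP."""
    used = set()
    for ip in map(ipaddress.ip_address, source_ips):
        used.update(top for top, _, net in entries
                    if ip.version == net.version and ip in net)
    return used


def trimmed_record(domain, source_ips, dns_txt=DNS_TXT, dns_hosts=DNS_HOSTS):
    """Drop every lookup-costing top-level term that no observed IP uses and
    return (new_record, new_lookup_count)."""
    _, entries = expand(domain, dns_txt, dns_hosts)
    keep = used_top_level_terms(entries, source_ips)
    root = dns_txt[domain].split()
    kept = [root[0]]
    for tok in root[1:]:
        _, name, arg = parse_terms("v=spf1 " + tok)[0]
        top = f"{name}:{arg}" if arg else name
        if name in LOOKUP_TERMS and top not in keep:
            continue
        kept.append(tok)
    new_record = " ".join(kept)
    new_count, _ = expand(domain, {**dns_txt, domain: new_record}, dns_hosts)
    return new_record, new_count


if __name__ == "__main__":
    count, entries = expand("example.com")
    print(f"lookups: {count} (limit {MAX_LOOKUPS})",
          "TOO MANY" if count > MAX_LOOKUPS else "ok")
    print("used:", sorted(used_top_level_terms(entries, DMARC_SOURCE_IPS)))
    print("trimmed:", trimmed_record("example.com", DMARC_SOURCE_IPS))
```

With the constructed data the root record costs 12 lookups (the mail provider alone accounts for 4: its own `include` plus the three netblock includes behind it), so it would fail with the “too many DNS lookups” error. Only the `mx` term and the provider include are ever matched by the DMARC source IPs, so dropping the three unused includes brings the count down to 5. Note that the script attributes usage to the top-level term, which is what you actually edit in the root record; an `include` that is never matched in the feedback is the candidate for removal, not individual addresses inside it.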
If you’re still stuck, feel free to contact us and we’ll take a look.