SPF is a sensitive email authentication protocol; every detail must be correct for it to produce accurate authentication results. You can’t forget to add new IP addresses and mail servers, and you can’t afford even a tiny typo; otherwise, genuine emails can get marked as spam or rejected.
It’s important to regularly run your SPF record through an online SPF lookup tool. Such a tool fetches and evaluates your SPF record for correctness, listing any issues found. This blog outlines the common SPF issues encountered during SPF evaluation, whether performed manually or using a lookup tool.
1. Exceeding the DNS lookup limit
As per RFC, only 10 DNS lookups are allowed per domain, and every instance of ‘a’, ‘mx’, ‘ptr’, ‘redirect’, and ‘include’ counts towards this limit. That’s why SPF records very commonly reach this limit, especially if the company has many employees and vendors, resulting in a complex email infrastructure.

This limit exists to prevent abuse and maintain efficient email delivery. Imagine there were no limit on how many DNS lookups a single SPF check could trigger. The following issues would arise:
- Some SPF records could generate dozens or hundreds of lookups.
- It would significantly slow down mail delivery and put an unnecessary load on DNS servers.
- It would ultimately open the door to Denial-of-Service (DoS) attacks via DNS amplification.
How to resolve?
To keep your SPF record clean and sorted in terms of DNS lookups, start by removing any entries that you no longer use; they could belong to an ex-employee or vendor you have cut ties with.

Apart from this, do these two things:
- If a service gives you a fixed set of IP addresses, it’s better to add those directly using ‘ip4’ or ‘ip6’ instead of using the ‘include’ mechanism.
- If you’re using several different services to send email, consider moving some of them to subdomains, like marketing.yourdomain.com, and set up separate SPF records for each.
If you still find it challenging to bring your SPF record back within the lookup limit of 10, then simply use our automatic SPF flattening tool. It will fix things for you.
2. Existence of multiple SPF records
There should only be one SPF record per domain; otherwise, the recipients’ email servers will not understand which one to refer to, leading to contradictions and wrong instructions. In some cases, the existence of multiple SPF records causes email servers to reject the SPF check completely, even if all of them are correctly configured.

How to resolve?
To prevent this error, regularly check your SPF record and make sure all your entries are combined into one TXT record. This helps you include all your email senders without breaking any SPF rules.
3. Wrong use of SPF macros
Macros are special placeholders (like %{i}, %{d}, etc.) used in SPF to insert dynamic values, such as the sender’s IP or domain, at the time of checking.
They’re mostly used in the exp= (explanation) or redirect= fields—but if you’re not careful, they can mess things up. Attackers could exploit badly configured macros to sneak in unauthorized servers. For example, if %{d} expands unexpectedly, it might authorize a malicious domain you didn’t intend to include.
How to resolve?
Try skipping the macros altogether; if you must use them, stick to the ones explicitly allowed by SPF. Ensure there is no typo and that they are used in the correct format.

4. Using the obsolete PTR mechanism
It’s highly discouraged to use the PTR mechanism because it’s outdated, unreliable, and can even break your email system. The PTR check tries to verify if the sending IP address maps back to a domain name, and then checks if that domain name matches the one in your SPF record. But reverse DNS (which PTR relies on) is slow, can be spoofed, and isn’t consistently configured across mail servers.
How to resolve?
Go ahead and use safer and more efficient mechanisms like ‘ip4’, ‘ip6’, or ‘include’ with trusted services. These are faster, more reliable, and work better with advanced email systems, helping improve email deliverability.
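The checks from sections 1, 2 and 4 can be combined into one small audit. The following is an added example, not AutoSPF's tool or code: it counts lookups recursively through ‘include’ and ‘redirect’, and flags duplicate SPF records and ‘ptr’. It assumes a constructed `ZONE` dictionary in place of live DNS, uses hypothetical `.test` domains, and also counts ‘exists’, which RFC 7208 includes in the limit.

```python
# Constructed TXT data standing in for live DNS answers (all names are made up).
ZONE = {
    "corp.test": ["v=spf1 a mx include:_spf.mailer.test include:_spf.crm.test "
                  "include:_spf.desk.test ptr ~all"],
    "_spf.mailer.test": ["v=spf1 include:a.mailer.test include:b.mailer.test -all"],
    "a.mailer.test": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "b.mailer.test": ["v=spf1 ip6:2001:db8::/48 -all"],
    "_spf.crm.test": ["v=spf1 a mx exists:%{i}.allow.crm.test -all"],
    "_spf.desk.test": ["v=spf1 ip4:192.0.2.10 -all"],
    "flat.test": ["v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/25 include:_spf.crm.test -all"],
    "dup.test": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:_spf.desk.test -all",
                 "site-verification=constructed"],
}
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s. 4.6.4
LIMIT = 10

def _walk(domain, zone, path):
    """Return (lookups, issues) for one domain, recursing into include/redirect."""
    records = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(records) != 1:
        return 0, [f"{domain}: expected exactly 1 SPF record, found {len(records)}"]
    lookups, issues = 0, []
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")              # drop the qualifier
        if term.lower().startswith("redirect="):
            name, target = "redirect", term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
            name = name.split("/")[0].lower()   # "a/24" -> "a"
        if name not in COUNTED:
            continue                            # ip4, ip6, all, exp= cost no lookup
        lookups += 1
        if name == "ptr":
            issues.append(f"{domain}: uses the obsolete ptr mechanism")
        if name in ("include", "redirect") and target not in path:  # skip loops
            n, sub = _walk(target, zone, path | {target})
            lookups, issues = lookups + n, issues + sub
    return lookups, issues

def check(domain, zone=ZONE):
    """Audit one domain; returns (total_lookups, list_of_issue_strings)."""
    lookups, issues = _walk(domain, zone, {domain})
    if lookups > LIMIT:
        issues.append(f"{domain}: {lookups} DNS lookups, limit is {LIMIT}")
    return lookups, issues

if __name__ == "__main__":
    for d in ("corp.test", "flat.test", "dup.test"):
        print(d, check(d))
```

In this constructed data, `flat.test` covers the same mailer and desk ranges as `corp.test` with ‘ip4’ entries instead of ‘include’, which is what brings it back under the limit.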
5. Missing a legitimate sending source
An extensive SPF record includes the sending sources of your web host/website server, your email service provider, third-party email service providers, CRM and sales tools, customer support platforms, transaction tools, invoice systems, and other internal systems. If you forget to add any of the genuine senders to your SPF record, emails sent by them will get flagged.

How to resolve?
List all the sending sources and cross-check them against your SPF record. If you’re unsure whether a service sends mail on your behalf, check your DMARC reports; they’ll show which sources are failing SPF alignment and may need to be authorized.
AutoSPF to the rescue!
We at AutoSPF can help you if your SPF record is having trouble staying within the lookup limit. Contact us to learn how our automatic SPF flattening tool works.