What should you do if your SPF record has exceeded the limit of 255 characters?

If you have just started with SPF implementation for your domain, your SPF record can run into multiple technical issues since there are many limitations and rules involved in creating and managing it. One such rule is that the length of the SPF record should not exceed 255 characters. You can address this issue by splitting your SPF record into multiple parts or using techniques to optimize it. It can be a bit complicated to do it, so don’t hesitate to reach out for professional help. 

Per RFC 7208, SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check — exceeding either limit produces a PermError that fails authentication for every message from the domain.

Here’s how the issue can be fixed.

1. Combine multiple SPF records

If there are multiple SPF records existing for your domain, it’s a violation. Fix it by consolidating all the SPF entries into a single record using the ‘include’ mechanism. For example- Combine entries like include:service1.com and include:service2.com into one SPF record.

2. Use multiple strings in a TXT record

DNS allows TXT records to have multiple quoted strings that collectively exceed 255 characters. For example:

v=spf1 include:service1.com include:service2.com " "include:service3.com -all

The DNS server will treat this as a single SPF record.

3. Optimize your SPF record to reduce the size

To start with the optimization process, simply remove all the unnecessary and redundant ‘include’ mechanisms. Then, replace domains with direct IP ranges; this reduces the characters as well as the number of DNS lookups. Finally, check if there are any excessive mechanisms like ‘a,’ ‘mx,’ or ‘ptr.’

4. Leverage subdomains

If your SPF record is too large and none of the above techniques seem to work for it, then delegate email sending for specific servers to your subdomains. If you don’t have a subdomain, create one and move some SPF mechanisms to it. Add an ‘include’ for the subdomain to your primary SPF record.

5. Use SPF flattening tools

SPF flattening tools like the one from AutoSPF fix the character-limit issue by combining ‘include:’ entries into a single entry with direct IP addresses. By doing so, there is no more need for additional DNS lookups. Please bear in mind that flattened SPF records need regular updates if the IPs of included services change. 

6. Test your SPF record and monitor for changes

Once you are within the character limit, run your SPF record through a credible online SPF lookup tool. This tool will tell you if there are any other errors in your SPF record. If any other issue is detected, fix it before it becomes an exploitable vulnerability for threat actors. 

Lastly, keep track of updates from email service providers, as their required SPF entries can change. 

Technical note

While making an effort to stay within the character limit, remember that SPF also has a DNS lookup limit of 10. Exceeding this limit will result in SPF failures, even if the record size is within limits. Optimize DNS lookups alongside character count to ensure smooth email authentication.

By following these steps, you can address SPF record size issues while maintaining email security and compliance.