“SPF PermError: too many DNS lookups” is a common error in many SPF implementations. When the SPF 10-DNS-lookup limit is exceeded, an SPF PermError (SPF permanent error) is returned. An SPF PermError can affect your email deliverability.
This article explains what the SPF 10-DNS-lookup limit is, what it means for your SPF record and what the consequences are, and how to use DMARCLY’s Safe SPF feature to solve this problem.
SPF PermError: too many DNS lookups
When setting up SPF on a domain, you may sometimes run into the SPF permanent error “SPF PermError: too many DNS lookups”. You can see it on email servers with SPF support as well as in online SPF record checkers.
How does DMARC interpret “SPF PermError: too many DNS lookups”?
When “SPF PermError: too many DNS lookups” is returned during an SPF check, DMARC treats it as a failure, because it is a permanent error and DMARC interprets all SPF permanent errors as failures.
What is the SPF DNS lookup limit?
According to the official RFC specification, RFC 7208:
SPF implementations MUST limit the number of mechanisms and modifiers that perform DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the “include” mechanism or the “redirect” modifier. If this number is exceeded during a check, a PermError MUST be returned. The “include”, “a”, “mx”, “ptr”, and “exists” mechanisms as well as the “redirect” modifier do count against this limit. The “all”, “ip4”, and “ip6” mechanisms do not require DNS lookups and therefore do not count against the limit.
In other words, the SPF specification requires that the number of DNS-lookup mechanisms and modifiers per SPF check not exceed 10, including any lookups caused by the “include” mechanism or the “redirect” modifier. Otherwise an SPF PermError is returned, more specifically “SPF PermError: too many DNS lookups”.
This limit is enforced on the receiving email server. Here are some popular SPF packages that implement it:
- libspf2
- Mail::SPF
- Mail::SPF::Query
- pyspf
Why is the SPF DNS lookup limit there?
Why this seemingly artificial limit? It turns out that the 10-DNS-lookup limit exists to prevent denial-of-service (DoS) attacks. Consider this scenario:
- A malicious user creates an SPF record on the domain malicious.com, with many mechanisms referencing another domain, victim.com
- They then send a large volume of emails from malicious.com to mailboxes hosted by various email service providers (ESPs) that implement SPF
- On receiving such an email, each ESP queries victim.com in DNS
- Because many ESPs are involved, the traffic is amplified; this effectively becomes a DoS attack on victim.com
- Moreover, the real source of the attack is hidden
As you can see, an entirely innocent email authentication mechanism can be abused if one is not careful! Although the consequences can be serious, the solution is simple: limiting the maximum number of DNS lookups per check on the ESP side greatly reduces the risk, because the amplification factor is then capped at 10 rather than something potentially much larger.
Does my SPF record exceed the SPF DNS lookup limit?
You can use our SPF record lookup tool to check your SPF DNS lookup count. In addition to basic information about the SPF setup on the domain, it also displays the number of DNS-lookup mechanisms/modifiers. The following is the result of an SPF check on microsoft.com; the number of SPF DNS lookups is exactly 10:
I suggest you run a similar check on your own domain to see what your count is.
What happens if the SPF DNS lookup limit is exceeded?
When the SPF implementation on the receiving email server encounters more than 10 DNS-lookup mechanisms/modifiers in the sender domain’s SPF record, it returns “SPF PermError: too many DNS lookups”. As mentioned above, DMARC interprets an SPF PermError as a failure, so the email may not land in the inbox, depending on the receiving server’s settings.
So the best practice is to keep the number of DNS-lookup mechanisms/modifiers in your SPF record <= 10.
But I can’t: there is a lot of stuff in my SPF record
As far as I know, almost every company nowadays outsources basic services such as email delivery and marketing to third-party service providers. Each such service adds at least 1 to the lookup count of your record, and if those services in turn include further DNS-lookup mechanisms/modifiers, the limit is soon reached or exceeded.
SPF record flattening
But there is a simple solution to this problem: by “flattening” the SPF record, the number of DNS-lookup mechanisms/modifiers can be reduced to 1, far below the limit.
This is how “SPF record flattening” works: for each DNS-lookup mechanism/modifier, query DNS to get the IP addresses, then replace the original mechanism/modifier with those IP addresses. After all such mechanisms/modifiers have been replaced, the total count becomes 1, since only the topmost SPF record itself still needs a DNS query.
With this SPF record flattening technique, you can convert a very complex SPF record with more than 10 DNS-lookup mechanisms/modifiers into a “flat” list of IP addresses and stay comfortably in the “safe zone”.
Let’s see what a flat SPF record looks like. Here is the flattened SPF record for microsoft.com, as a list of IP addresses:
As you can see, this flat SPF record contains the same IP addresses as the original SPF record on microsoft.com, but it has no DNS-lookup mechanisms/modifiers.
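An added example (not DMARCLY’s tool or code) of both the lookup count check discussed above and the flattening step: a small Python counter and flattener that runs over a constructed in-memory zone (FAKE_DNS, hypothetical names and documentation addresses) instead of live DNS. It follows include and redirect recursively, flattens include/a/mx/redirect into ip4/ip6 terms, and counts ptr and exists without flattening them. Note that the counter reports 0 for the flattened record, because RFC 7208 does not count the initial TXT fetch that the article counts as 1.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4

FAKE_DNS = {  # constructed zone data; hypothetical names, documentation addresses
    ("example.com", "TXT"): ["v=spf1 include:_spf.mailer.example a mx ip4:203.0.113.10 -all"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:relay.mailer.example ~all"],
    ("relay.mailer.example", "TXT"): ["v=spf1 ip6:2001:db8::/32 -all"],
    ("example.com", "A"): ["203.0.113.5"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
}

def resolve(name, rtype, dns=FAKE_DNS):
    return dns.get((name, rtype), [])

def spf_terms(domain, dns=FAKE_DNS):
    recs = [r for r in resolve(domain, "TXT", dns) if r.startswith("v=spf1")]
    return recs[0].split()[1:] if recs else []

def count_lookups(domain, dns=FAKE_DNS):
    """Lookup-costing terms in the record, following include/redirect recursively."""
    total = 0
    for term in spf_terms(domain, dns):
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(body.split(":" if name == "include" else "=", 1)[1], dns)
    return total

def flatten(domain, dns=FAKE_DNS):
    """Replace include/redirect/a/mx with the ip4/ip6 terms they resolve to."""
    out = []
    for term in spf_terms(domain, dns):
        qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("", term)
        name, _, arg = body.lower().partition(":")
        if name in ("ip4", "ip6"):
            out.append(term)
        elif name == "include":  # an included record's own "all" is never inherited
            out.extend(t for t in flatten(arg, dns) if not t.endswith("all"))
        elif name.startswith("redirect="):  # a redirect target's "all" does apply
            out.extend(flatten(name.split("=", 1)[1], dns))
        elif name == "a":
            out.extend(f"{qual}ip4:{ip}" for ip in resolve(arg or domain, "A", dns))
        elif name == "mx":
            for host in resolve(arg or domain, "MX", dns):
                out.extend(f"{qual}ip4:{ip}" for ip in resolve(host, "A", dns))
        elif body.endswith("all"):
            out.append(term)  # keep the record's own default, e.g. -all or ~all
    return out  # ptr/exists are dropped: they cannot be reduced to a static list
```

Joining `"v=spf1 "` with the flattened terms gives the record you would publish; re-run `count_lookups` on it to confirm the count is back in the safe zone.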
Is the problem solved? Well, not yet.
What if one of the IP addresses behind an “include” mechanism changes? The flat SPF record is then out of sync for those IP addresses, which produces incorrect SPF authentication results.
Of course, you can flatten the SPF record again manually and update it in DNS. Needless to say, that is cumbersome and error-prone, not to mention that you have to keep monitoring it all the time.
The good news is that DMARCLY has a feature called “Safe SPF”, which is designed specifically to solve this problem.
Use Safe SPF to solve this problem
With Safe SPF you kill two birds with one stone: the DNS-lookup mechanism/modifier count of your SPF record always stays at 1, and you don’t have to worry about manually flattening the SPF record and updating it in DNS.
This is Safe SPF:
As can be seen above, Safe SPF is activated on the specified domain.
After activating Safe SPF on a domain:
- The Safe SPF record contains the same IP addresses as the original SPF record
- The Safe SPF record has no DNS-lookup mechanisms/modifiers
- When the underlying IP addresses change, it is always kept up to date
- You don’t have to maintain it manually
This article is translated from “SPF PermError: too many DNS lookups: when an SPF record exceeds the 10-DNS-lookup limit”.