
How to deal with SPF permerror: too many DNS lookups


“SPF permerror: too many DNS lookups” is a common error in many SPF implementations. When the SPF 10-DNS-lookup limit is exceeded, an SPF permerror (SPF permanent error) is returned. An SPF permerror may affect your e-mail deliverability.

This article explains what the SPF 10-DNS-lookup limit is, what the consequences are when an SPF record exceeds it, and how to use DMARCLY’s Safe SPF feature to solve this problem.

SPF PermError: too many DNS lookups

When setting up SPF on a domain, you will sometimes encounter the SPF permanent error “SPF permerror: too many DNS lookups”. It shows up on SPF-capable e-mail servers as well as in online SPF record checkers.

How does DMARC interpret “SPF permerror: too many DNS lookups”

When “SPF permerror: too many DNS lookups” is returned during an SPF check, DMARC treats it as a failure: it is a permanent error, and DMARC interprets all SPF permanent errors as failures.

What is the SPF DNS lookup limit

According to the official RFC specification document RFC 7208:

“SPF implementations must limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the “include” mechanism or the “redirect” modifier. If this number is exceeded during a check, a permerror must be returned. The “include”, “a”, “mx”, “ptr” and “exists” mechanisms as well as the “redirect” modifier do count against this limit. The “all”, “ip4” and “ip6” mechanisms do not require DNS lookups and therefore do not count against this limit.”

In other words, the SPF specification requires that the number of DNS-querying mechanisms and modifiers not exceed 10 per SPF check, including any lookups caused by the “include” mechanism or the “redirect” modifier. Otherwise an SPF permerror is returned, more specifically “SPF permerror: too many DNS lookups.”

This limit is enforced by the receiving e-mail server. Here are some popular SPF packages that implement it:

libspf2

Mail::SPF

Mail::SPF::Query

pyspf

Why is the SPF DNS lookup count limited

Why this seemingly artificial restriction? Well, it turns out that the 10-DNS-lookup limit exists to prevent denial-of-service (DoS) attacks. Consider this scenario:

A malicious user creates an SPF record on the domain malicious.com with many mechanisms that refer to another domain, victim.com

He then sends a lot of e-mails from malicious.com to mailboxes hosted by different e-mail service providers (ESPs) that implement SPF

On receiving such an e-mail, each ESP queries DNS for victim.com

Because many ESPs are involved, they amplify the traffic; this effectively becomes a DoS attack on victim.com

More importantly, the real source of the attack is hidden

As you can see, without care, a seemingly innocent e-mail authentication mechanism can be put to malicious use! Although the consequences may be serious, the solution is simple: capping the number of DNS lookups per check on the ESP side greatly reduces the problem, because the amplification is limited to 10 rather than something potentially much larger.

Does my SPF record exceed the SPF DNS lookup limit

You can use our SPF record lookup tool to check your SPF DNS lookup count. In addition to basic information about the domain’s SPF settings, it displays the number of DNS-querying mechanisms/modifiers. The following is the result of an SPF check on microsoft.com. The number of SPF DNS lookups is exactly 10:

I suggest you run a similar check on your own domain to see what the number is.

What happens if the SPF DNS lookup limit is exceeded

When the SPF implementation on the receiving e-mail server encounters more than 10 DNS-querying mechanisms/modifiers in the SPF record of the sender’s domain, it returns “SPF permerror: too many DNS lookups”. As mentioned above, DMARC interprets an SPF permerror as a failure, so the e-mail may not land in the inbox, depending on the settings of the e-mail server.

So the best approach is to keep the number of DNS-querying mechanisms/modifiers in your SPF record <= 10.

But I can’t. There are a lot of things in my SPF record

As far as I know, almost every company now outsources basic services such as e-mail delivery and marketing to third-party service providers. Each such service adds 1 to the count in the record. If those services in turn include further DNS-querying mechanisms/modifiers, the record soon reaches or exceeds the limit.

SPF record flattening

But there is a simple solution to this problem. By “flattening” the SPF record, the number of DNS lookups can be reduced to 1, far below the limit.

This is how “SPF record flattening” works: for each DNS-querying mechanism/modifier, query DNS to get the IP addresses, then replace the original mechanism/modifier with those IP addresses. After replacing all such mechanisms/modifiers, the total count becomes 1: only the topmost SPF record itself needs a DNS query.

With this technique, you can convert a very complex SPF record with more than 10 DNS-querying mechanisms/modifiers into a “flat” list of IP addresses and stay comfortably in the “safe zone”.
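The counting rule quoted from the RFC and the flattening step described above, as an added Python example (not DMARCLY's code and not taken from any SPF library): `walk()` totals the DNS-querying terms across includes and redirects, and `flatten()` replaces them with resolved addresses. The `TXT`, `A` and `MX` dictionaries are constructed stand-ins for DNS, the function names are hypothetical, and the code assumes default `+` qualifiers, A records only, and no macros or CIDR suffixes on `a`/`mx`.

```python
# Constructed zone data standing in for DNS (reserved .test names, documentation IPs).
TXT = {
    "example.test": "v=spf1 include:_spf.mailer.test include:_spf.crm.test "
                    "include:_spf.desk.test a mx ip4:192.0.2.10 -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test "
                        "include:_c.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_b.mailer.test": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_c.mailer.test": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_spf.crm.test": "v=spf1 a:out.crm.test mx:crm.test ~all",
    "_spf.desk.test": "v=spf1 include:_ips.desk.test ~all",
    "_ips.desk.test": "v=spf1 ip4:203.0.113.0/28 ~all",
}
A = {"example.test": ["192.0.2.1"], "mx1.example.test": ["192.0.2.25"],
     "out.crm.test": ["192.0.2.77"], "mail.crm.test": ["192.0.2.78"]}
MX = {"example.test": ["mx1.example.test"], "crm.test": ["mail.crm.test"]}
LIMIT = 10  # lookup limit quoted on the page

def walk(domain):
    """Return (lookups, ip_terms, dynamic_terms) for a domain's SPF record.
    Counts every include/a/mx/ptr/exists/redirect term, following includes and
    redirects (assumed loop-free). The TXT fetch of the record itself is not a
    mechanism and is not counted."""
    lookups, ips, dynamic = 0, [], []
    for term in TXT[domain].split()[1:]:
        body = term.lstrip("+-~?")
        name, _, arg = body.replace("=", ":", 1).partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            ips.append(f"{name}:{arg}")
        elif name in ("include", "redirect"):
            n, sub_ips, sub_dyn = walk(arg)
            lookups, ips, dynamic = lookups + 1 + n, ips + sub_ips, dynamic + sub_dyn
        elif name in ("a", "mx"):
            lookups += 1
            hosts = MX.get(arg or domain, []) if name == "mx" else [arg or domain]
            ips += [f"ip4:{ip}" for h in hosts for ip in A.get(h, [])]
        elif name in ("ptr", "exists"):
            lookups += 1
            dynamic.append(term)  # depends on the sender; has no fixed address list
    return lookups, ips, dynamic

def flatten(domain):
    """Build a flat record: resolved addresses plus the top-level 'all' term."""
    _, ips, dynamic = walk(domain)
    if dynamic:
        raise ValueError(f"cannot flatten {dynamic}")
    tail = [t for t in TXT[domain].split() if t.lstrip("+-~?").lower() == "all"]
    return " ".join(["v=spf1", *dict.fromkeys(ips), *tail])
```

For the constructed record, `walk("example.test")[0]` is 11, one over `LIMIT`, while the output of `flatten("example.test")` contains only `ip4`/`ip6` terms.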

Let’s see what a flat SPF record looks like. Here is the flattened SPF record for microsoft.com:

As you can see, this flat SPF record contains the same IP addresses as the original SPF record on microsoft.com, but it has no DNS-querying mechanisms/modifiers.

Is the problem solved? Well, not yet.

What if one of the IP addresses behind an included mechanism changes? The flat SPF record is then out of sync with those IP addresses, which produces incorrect results in SPF authentication.

Of course, you can manually flatten the SPF record again and update it in DNS. Needless to say, this is cumbersome and error-prone, not to mention that you have to monitor it all the time.

The good news is that DMARCLY has a feature called “Safe SPF”, which is designed specifically to solve this problem.

Use Safe SPF to solve this problem

With Safe SPF you kill two birds with one stone: the SPF record’s DNS lookup count always stays at 1, and you don’t have to worry about manually flattening the SPF record and updating it in DNS.

This is Safe SPF:

As shown above, Safe SPF is activated on the specified domain.

After activating Safe SPF on a domain:

The Safe SPF record contains the same IP addresses as the original SPF record

The Safe SPF record has no DNS-querying mechanisms/modifiers

It is always updated when the underlying IP addresses change

You don’t have to maintain it manually

This article is translated from SPF permerror: too many DNS lookups. When SPF record exceeds 10 DNS lookup limit