When that happens, the receiver may stop getting the emails intended for them.

This will be considered as a single DNS lookup.

Each of these is counted as a DNS lookup.

SPF PermError Too Many DNS Lookups When SPF Record Exceeds 10 DNS Lookup Limit

Now, take the same concept and apply it to an SPF lookup.

If this number is exceeded during a check, a PermError MUST be returned.

This explains why the "PermError: too many DNS lookups" error occurs.

SPF DNS lookup exceeds 10 counts

But what is the reason for this 10-SPF-lookup rule?

A maximum of 10 SPF DNS lookup queries are allowed per SPF record.

This rule has been implemented to tackle DoS attacks.

Therefore, limiting the number of DNS lookups helps to reduce the risk of such DoS attacks.

However, before you do, you must understand how the SPF lookup counter works.

As discussed earlier in this post, certain mechanisms inside the SPF record perform additional DNS lookups.

Therefore, it counts as a DNS lookup query.

The same logic applies to the rest of the mechanisms that count as 1 additional DNS lookup.

That said, an include mechanism can count as more than one additional DNS lookup.

The include mechanism defines the SPF records of the declared domain as its own.

This is known as a nested include.

However, it only goes till this tier.

If each of those domains further had include mechanisms, they would not be considered, or counted.

This means removing the mechanisms that are counted as a DNS lookup query, which we have discussed above.

This also applies to the redundant domains that exist within an SPF record.

If more than one SPF mechanism is pointing toward the same domain, you could simply eliminate the duplicate.

Therefore, consider those as well.
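How the lookup counter behaves on a record with nested and duplicated includes, as an added Python example that is not from the original post. The DNS table is constructed (example.com and .test names, invented records), and the recursion into included records follows RFC 7208 section 4.6.4, which charges lookups made while evaluating an included record against the same 10-lookup budget.

```python
import re

# Constructed DNS table standing in for live TXT lookups; every domain and
# record here is made up for this example.
FAKE_TXT = {
    "example.com": ("v=spf1 mx include:mail.example.net include:mail.example.net "
                    "include:_spf.vendor-a.test ip4:203.0.113.0/24 -all"),
    "mail.example.net": "v=spf1 a include:relay.example.net ~all",
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.vendor-a.test": "v=spf1 include:a.vendor-a.test include:b.vendor-a.test -all",
    "a.vendor-a.test": "v=spf1 a mx ptr -all",
    "b.vendor-a.test": "v=spf1 exists:%{i}.b.vendor-a.test -all",
}

# Terms that cost one DNS lookup each; ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def count_lookups(domain, txt=FAKE_TXT, depth=0):
    """Return (total, hits) where hits lists (depth, domain, term) for every
    term that costs a lookup. Recurses into include: and redirect= targets,
    so a nested include is charged at every level it appears."""
    if depth > MAX_LOOKUPS:            # guard against include loops
        return 0, []
    hits = []
    for raw in txt.get(domain, "").split()[1:]:   # skip the v=spf1 tag
        m = TERM_RE.match(raw)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        hits.append((depth, domain, raw))
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            hits.extend(count_lookups(m.group(2), txt, depth + 1)[1])
    return len(hits), hits

def redundant_includes(domain, txt=FAKE_TXT):
    """Include targets listed more than once in one record: each repeat
    costs a full lookup subtree, so duplicates can be dropped outright."""
    targets = [t.split(":", 1)[1] for t in txt.get(domain, "").split()
               if t.lower().lstrip("+-~?").startswith("include:")]
    return sorted({t for t in targets if targets.count(t) > 1})

def check(domain, txt=FAKE_TXT):
    """Verdict a receiving server would reach for this domain's record."""
    total, _ = count_lookups(domain, txt)
    if total > MAX_LOOKUPS:
        return "PermError: too many DNS lookups (%d)" % total
    return "ok (%d lookups)" % total
```

On the constructed example.com record the count is 14 (mx 1, each include:mail.example.net 3, include:_spf.vendor-a.test 7), and removing the duplicated include brings it only to 11, so the vendor include must be trimmed or flattened as well.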

To overcome this obstacle, there are several approaches you can take.

Here is an example of the concept.

However, this method is not always feasible as it has its downside.

However, this wouldn't entirely solve your problem.

You see, while one problem would be solved, another would arise in its place.

If even a single IP address for a domain is changed, your whole SPF record will become invalid.

Moreover, updating such an SPF record would become a nightmare.

While SPF record flattening is a great way to overcome the DNS counts, it might not always work.

This approach is usually wrong because that IP address is the domain's web host IP address.

While this can sometimes be a legitimate use, it is not normal.

Include active domains only

Some domains might have become inactive over the years.

Verify that only the active domains are included in the include mechanism, and delete the rest.

By active domains, I mean the domains that are regularly sending emails on your domain's behalf.

Therefore, all servers must enforce the default limit for SPF DNS lookups, which is 10.

source: www.itechtics.com