SPF Limitations

So you have yourself an SPF record, huh? It might not be working as well as you think, because SPF has a number of limitations to watch out for.

1. The 10 DNS lookup limit. Every mechanism or modifier that needs a DNS query (a, mx, include, ptr, exists, redirect) counts toward a limit of 10 per evaluation, and the count is recursive: the lookups inside each record you include count against your total too. ip4, ip6 and all cost nothing. It is the number of queries that matters, not how many addresses come back. Go past 10 and the receiver returns permerror, so your record is effectively broken and ignored, even though it looks fine on paper.

So how do we fix it? Simple: SPF flattening. You could do this by hand, i.e. resolve every a, mx and include yourself and publish the resulting addresses as ip4/ip6 terms. But those addresses will change, and a hand-flattened record then silently authorizes stale IPs and misses new ones.

Better to use an SPF flattening service like “Auto SPF”. I’m not affiliated with them but have used them; good support, etc. You put in your record and they spit out something short for you to use. They do all the resolving on their end, so you end up with only a lookup or two (and get past the 10 limit), and all is well with your record. Bear in mind that you are now trusting that service to keep the flattened list current and correct: whatever IPs it publishes are exactly who is authorized to send as you.

2. The 255 character limit. The limit is really 255 characters per string, not per record: a TXT record can carry several quoted strings, and receivers concatenate them before parsing, so you get past it by splitting the record into two or more strings. Watch the boundary, though. The strings are joined with nothing in between, so the first string must end with a space (or the second must start with one): (“v=spf1 include:whatever.com ” “include:whatever2.com”). Without that space the two fuse into include:whatever.cominclude:whatever2.com and the record is broken. A flattening service helps here too, since what you publish is just a short include pointing at their record, and so does CIDR notation (e.g. /29) to cover adjacent addresses with one term instead of several. Even with multiple strings, RFC 7208 recommends keeping the whole record under 450 octets so the DNS answer still fits in a single 512-byte UDP packet.

3. Going through multiple MTAs can cause failures. SPF compares the IP of the server that connects to the receiver against the record for the MAIL FROM domain. When a message is forwarded (a mailing list, an alumni address, a mailbox rule that forwards to a personal account), the forwarder connects from its own IP while leaving MAIL FROM as your domain, so the final receiver says “this IP isn’t in the SPF record” and the check fails, even though the mail is legitimate.

DKIM can fix this, because the signature travels inside the message and can still be validated at the end of the trip regardless of which IP delivered it, unless something modifies the signed content along the way (a link rewriter or a mailing-list footer, for example).
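As an added example (not code from the original post, and not tied to any particular flattening service), here is a small Python script that walks through the three limitations above against a constructed in-memory DNS zone: it counts the DNS-querying terms in a record the way a receiver does (recursing through include:), flattens the record to ip4:/ip6: terms, splits an over-long record into 255-character TXT strings with the boundary space preserved, and evaluates a connecting IP against the MAIL FROM domain to show why a forwarder's IP fails. Every domain (example.com, the vendor-*.example includes, bloated.example) and address is invented, the FAKE_DNS dictionary stands in for real DNS, and the evaluator implements only the subset of RFC 7208 needed here (no ptr/exists, no macros, no CIDR suffix on bare a/mx).

```python
import ipaddress

# Constructed in-memory zone so the example runs offline; every name, address and
# record here is invented (RFC 5737 / RFC 3849 documentation ranges), not real DNS.
FAKE_DNS = {
    ("example.com", "TXT"): "v=spf1 mx include:_spf.vendor-a.example include:_spf.vendor-b.example -all",
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.com"],
    ("mx1.example.com", "A"): ["203.0.113.10"],
    ("mx2.example.com", "A"): ["203.0.113.11"],
    ("_spf.vendor-a.example", "TXT"): "v=spf1 ip4:198.51.100.0/25 a:relay.vendor-a.example -all",
    ("relay.vendor-a.example", "A"): ["198.51.100.200"],
    ("_spf.vendor-b.example", "TXT"): "v=spf1 ip6:2001:db8:b::/48 include:_spf.vendor-c.example ~all",
    ("_spf.vendor-c.example", "TXT"): "v=spf1 ip4:192.0.2.0/24 -all",
}
for i in range(11):  # constructed domain whose record is over the lookup limit AND over 255 chars
    FAKE_DNS[(f"_spf{i}.bloated.example", "TXT")] = f"v=spf1 ip4:198.18.{i}.0/24 -all"
FAKE_DNS[("bloated.example", "TXT")] = "v=spf1 " + " ".join(
    f"include:_spf{i}.bloated.example" for i in range(11)) + " -all"

MAX_LOOKUPS = 10                                    # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def resolve(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype))

def spf_terms(record):
    """Yield (qualifier, name, argument) for each term after 'v=spf1'."""
    for tok in record.split()[1:]:
        qual = tok[0] if tok[0] in "+-~?" else "+"
        name, _, arg = tok.lstrip("+-~?").partition("=" if "=" in tok else ":")
        yield qual, name.lower(), arg or None

def count_lookups(record, path=frozenset()):
    """Count DNS-querying terms, recursing through include:/redirect= as a receiver does."""
    n = 0
    for _, name, arg in spf_terms(record):
        n += name in LOOKUP_TERMS
        if name in ("include", "redirect"):
            if arg in path:
                raise ValueError(f"include loop via {arg}")
            n += count_lookups(resolve(arg, "TXT") or "", path | {arg})
    return n

def a_records(names):
    return [ipaddress.ip_network(a) for h in names for a in resolve(h, "A") or []]

def term_networks(name, arg, domain):
    """Networks an ip4/ip6/a/mx term stands for; empty for anything else (incl. ptr/exists)."""
    if name in ("ip4", "ip6"):
        return [ipaddress.ip_network(arg, strict=False)]
    if name == "a":
        return a_records([arg or domain])
    if name == "mx":
        return a_records(resolve(arg or domain, "MX") or [])
    return []

def flatten(domain):
    """Resolve a record to ip networks; only '+' terms count, since a '-'/'~' term in an include never gives a pass."""
    nets = []
    for qual, name, arg in spf_terms(resolve(domain, "TXT") or ""):
        if qual == "+":
            nets += flatten(arg) if name in ("include", "redirect") else term_networks(name, arg, domain)
    return nets

def build_record(nets, default="-all"):
    """Emit a lookup-free record; collapse_addresses merges adjacent hosts into CIDR blocks."""
    terms = ["v=spf1"]
    for v in (4, 6):
        for n in ipaddress.collapse_addresses([x for x in nets if x.version == v]):
            terms.append(f"ip{v}:{n.network_address if n.prefixlen == n.max_prefixlen else n}")
    return " ".join(terms + [default])

def split_txt(record, limit=255):
    """Cut a record into <=limit-character strings at spaces, keeping the space at the END
    of the earlier string: receivers concatenate the strings with nothing in between."""
    chunks, cur = [], ""
    for tok in record.split(" "):
        if cur and len(cur) + len(tok) + 1 > limit:
            chunks.append(cur)
            cur = ""
        cur += tok + " "
    return chunks + [cur.rstrip(" ")]

def check_host(ip, domain):
    """Subset of RFC 7208 section 5: match the connecting IP against the MAIL FROM domain's
    record. A forwarder that keeps MAIL FROM but connects from its own IP therefore fails."""
    record = resolve(domain, "TXT")
    if record is None:
        return "none"
    if count_lookups(record) > MAX_LOOKUPS:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qual, name, arg in spf_terms(record):
        if (name == "all" or any(addr in n for n in term_networks(name, arg, domain))
                or (name == "include" and check_host(ip, arg) == "pass")):
            return RESULTS[qual]
    return "neutral"
```

To try it, call build_record(flatten("example.com")) and compare count_lookups on the original and flattened records (5 versus 0 with the zone above; the two MX hosts come out merged as one /31, which is the CIDR tip in action), then split_txt on the bloated.example record, which needs two strings. For the forwarding case, check_host("203.0.113.10", "example.com") passes because that is example.com's own MX, while the same MAIL FROM arriving from the constructed forwarder at 203.0.113.77 fails, and anything checked against bloated.example is permerror before a single IP is compared.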

There are other potential issues. For example, SPF authenticates the “envelope sender” (the MAIL FROM address, plus the HELO name), not the display “From:” header that the recipient actually sees, so people can still spoof From addresses: a message can pass SPF for a domain the attacker controls while the visible From says it is from you. Tying the visible From to the domain that was authenticated is what DMARC alignment is for.

All in all, SPF is important but you are going to need more. That is where DKIM and DMARC come in. We’ll have to look at DKIM soon.

Featured Image by Sammy-Sander from Pixabay
