Are there any limitations to SPF?

Yes, SPF has a few limitations:

1.  SPF only checks the domain of the email's RFC 5321 MailFrom (Return-Path) address, not the visible From: header that recipients see first in their Mail User Agents (MUAs). This means an attacker can send a spoofed email from a server that is authorized for the 5321.MailFrom/Return-Path domain (name@hacker.com) while setting the visible From: address to the targeted organization (name@company.com).

2.  Forwarding issues: when an email is forwarded, the return-path address changes, leading to an SPF failure.

3.  10 DNS lookup limitation: SPF allows at most 10 DNS lookups per evaluation, which limits the complexity and flexibility of an SPF record. Our EasySPF solution addresses this: it is a dynamic platform that flattens the includes into IP addresses so that you avoid exceeding the 10 DNS lookup limit, and going forward you can manage your SPF record directly from the platform rather than in the DNS zone.

What should I do if I'm exceeding the 10 DNS lookup limit with EasySPF?

Even with EasySPF, there are a few common reasons your domain might still be exceeding the SPF lookup limit:

  1. Indirect Includes: Although EasySPF consolidates IPs, any included domain’s SPF record (like Mimecast) may have nested includes. These indirectly add up to multiple lookups if, for instance, you’re including large services with complex, multi-level SPF records.
  2. Multiple Providers: If your domain’s SPF setup involves multiple email service providers (e.g., Microsoft 365, Google Workspace, and a dedicated marketing platform), each can add to the overall lookup count. EasySPF may not reduce lookups enough if there are many providers and each has large SPF records themselves.
  3. Duplicative or Redundant Includes: If you’re including the same provider multiple times (e.g. having include:mimecast.com in more than one place), this can unnecessarily increase the lookup count.
  4. Changes in External SPF Records: External providers may change their SPF setup, which could unexpectedly increase your lookup count. Checking the SPF records of third-party services you include can reveal unexpected changes.

To troubleshoot, use an SPF validator to see which specific parts of the record contribute to the lookup count. EasySPF includes a feature that displays the sending volume associated with each inclusion, which improves your SPF hygiene by letting you identify unused sources. You can then either toggle an unused source off or remove it from your configuration entirely.
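The following is an added example, not EasySPF's code or a real validator: it walks an SPF record the way a resolver would, charging one lookup for each include, a, mx, ptr, exists and redirect term (RFC 7208 section 4.6.4) and recursing into nested includes and redirects, so you can see how indirect and duplicate includes push a domain past the limit of 10. All domain names and records below are constructed and served from an in-memory table instead of live DNS.

```python
import re

# Constructed sample zone (hypothetical names, documentation IP ranges), so the
# example runs offline; a real checker would fetch these TXT records via DNS.
SAMPLE_TXT = {
    "company.example": ("v=spf1 include:_spf.mail.example include:marketing.example "
                        "include:_spf.mail.example mx -all"),
    "_spf.mail.example": "v=spf1 include:spf-a.mail.example include:spf-b.mail.example ~all",
    "spf-a.mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "spf-b.mail.example": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "marketing.example": "v=spf1 redirect=_spf.marketing.example",
    "_spf.marketing.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

LOOKUP_LIMIT = 10
# Terms that each cost one DNS query; ip4, ip6 and all cost nothing.
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DEPTH = 20  # guard against include loops in broken records


def count_lookups(domain, txt=SAMPLE_TXT, depth=0):
    """Return (total, breakdown); breakdown lists (term, lookups) per term of domain's record."""
    if depth > MAX_DEPTH:
        raise ValueError(f"include/redirect chain too deep at {domain}")
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0, []  # no record: nothing more to charge (a real evaluator reports permerror)
    total, breakdown = 0, []
    for term in record.split()[1:]:          # drop the v=spf1 version tag
        term = term.lstrip("+-~?")           # qualifiers do not affect the count
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name not in COUNTED:
            continue
        cost = 1
        if name in ("include", "redirect"):  # nested records are charged against the same budget
            target = term.split(":" if name == "include" else "=", 1)[1]
            cost += count_lookups(target, txt, depth + 1)[0]
        total += cost
        breakdown.append((term, cost))
    return total, breakdown


def report(domain, txt=SAMPLE_TXT):
    """Return (total, status, lines); duplicate terms are flagged so they can be removed."""
    total, breakdown = count_lookups(domain, txt)
    seen, lines = set(), []
    for term, cost in breakdown:
        lines.append(f"{term}: {cost}" + (" (duplicate)" if term in seen else ""))
        seen.add(term)
    status = "OK" if total <= LOOKUP_LIMIT else "EXCEEDS LIMIT"
    return total, status, lines


if __name__ == "__main__":
    total, status, lines = report("company.example")
    print("\n".join(lines) + f"\ntotal: {total} -> {status}")
```

For the constructed zone the duplicate include:_spf.mail.example alone accounts for 5 of the 13 lookups, which is the kind of redundant inclusion the list above describes.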


Recognizing these limitations aids in more effectively managing and configuring SPF records to maintain optimal email delivery and security.