Workarounds for maximum DNS-Interactive terms limit exceeded in SPF record


As a hosting provider, we send email on behalf of our clients, so we help them set up DKIM and SPF email records in their DNS to get email deliverability just right. We've been advising them to use http://mail-tester.com to test that they didn't miss anything, and I like this tool a lot.

One problem we've run into a few times, and I'm not sure about, is the DNS "limit" on the SPF record based on domain name. So if you have this:

v=spf1 a include:aspmx.googlemail.com include:campaignmonitor.com include:authsmtp.com include:mail.zendesk.com include:salesforce.com include:_hostedspf.discourse.org ~all

You'll get

example.com ... campaignmonitor.com: Maximum DNS-interactive term limit (10) exceeded

Like so:

mail-tester results

I have some questions about this.

  1. I count six domain names here, not 10, so why is it hitting "ten" DNS requests here? Answered here

  2. Is this 10 DNS interactive term limit a warning or a real error? e.g. should we care? It is nagging our customers a bit and they email us for support. Answered here

  3. Is this 10 DNS interactive term limit a real problem on today's web? As you can see, this customer has a lot of services sending email for them and they are all legitimate. Perhaps this DNS limit was set in the year 2000 when delegating email services like this were not common?

Yes, we can have our customers change the include to IPs in the SPF record, but that puts us in a bind if we ever change IPs: a bunch of customers' stuff will break. Really don't want to do that.

What workarounds are there for this?

Best Answer

  1. Mostly already answered, please do note including Google this way is wrong - you want to use _spf.google.com or incur a penalty for the redirect:

     ○ → host -t txt aspmx.googlemail.com
     aspmx.googlemail.com descriptive text "v=spf1 redirect=_spf.google.com"

     ○ → host -t txt _spf.google.com
     _spf.google.com descriptive text "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

     That lookup will consume 5/10 all on its own - 4/10 still sucks but 20% less.

  2. It will stop processing and return a permanent error - it's up to the engine using the SPF to decide how it wants to treat a permanent error.

  3. Yes - without the processing limits SPF mechanisms could be used as a DoS amplifier against a third party or second party.

As a workaround, emails can come from a subdomain of the main property - community.largecorporation.com for instance.
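As an added example (not part of the question or the answer), the Python below walks an SPF record the way a checker such as mail-tester counts DNS-interactive terms, following include: and redirect= recursively, which is why six includes can cost sixteen lookups. The two Google records are the ones quoted in the answer; every other record in the zone table is constructed for illustration and does not reflect what those providers actually publish.

```python
import re

# Constructed offline zone standing in for live TXT lookups. The two Google
# records are quoted from the answer; all other records are made-up
# placeholders (the real providers publish different, usually deeper, ones).
ZONE = {
    "example.com": ("v=spf1 a include:aspmx.googlemail.com include:campaignmonitor.com "
                    "include:authsmtp.com include:mail.zendesk.com include:salesforce.com "
                    "include:_hostedspf.discourse.org ~all"),
    "aspmx.googlemail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "campaignmonitor.com": "v=spf1 mx ip4:203.0.113.0/24 ~all",
    "authsmtp.com": "v=spf1 ip4:203.0.113.0/26 ~all",
    "mail.zendesk.com": "v=spf1 include:relay1.example include:relay2.example ~all",
    "relay1.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "relay2.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "salesforce.com": "v=spf1 mx a:outbound.example ~all",
    "_hostedspf.discourse.org": "v=spf1 ip4:198.51.100.0/26 ~all",
}

# Terms that each cost one DNS lookup under RFC 7208 section 4.6.4; ip4, ip6
# and all are free. Only include and redirect pull in another SPF record.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def count_lookups(domain, zone=ZONE, ancestors=frozenset()):
    """Total DNS-interactive terms reached while evaluating domain's record,
    following include:/redirect= into the zone table (loops are cut off)."""
    domain = domain.lower()
    record = zone.get(domain, "")
    if domain in ancestors or not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)", term, re.I)
        if not m or m.group(1).lower() not in DNS_TERMS:
            continue
        total += 1                                   # the term itself costs one lookup
        mech, rest = m.group(1).lower(), term[m.end():]
        if mech in ("include", "redirect") and rest[:1] in (":", "="):
            target = rest[1:].split("/")[0]          # drop any CIDR suffix
            total += count_lookups(target, zone, ancestors | {domain})
    return total

def within_limit(domain, zone=ZONE):
    """True when the record stays inside the 10-lookup limit a checker enforces."""
    return count_lookups(domain, zone) <= LIMIT
```

Swapping include:aspmx.googlemail.com for include:_spf.google.com in the zone saves exactly the one redirect lookup the answer describes, dropping that branch from 5 to 4.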