SPF Permerror – What Does it Mean to Have This DNS Inconsistency?


A common error seen in many Sender Policy Framework implementations is “SPF PermError: too many DNS lookups”. SPF has a few safeguards built in, and one of them limits the number of DNS lookups an evaluation may perform, to help ensure lookups do not time out.

In this article, we will talk about what “SPF too many DNS lookups” means and how an SPF error such as a PermError can affect your email deliverability.

Before Jumping In, Let’s Talk About What SPF Is

Sender Policy Framework (SPF) is an email authentication method designed to detect whether a sender address is forged during the delivery of an email. In combination with DMARC, SPF can be used to detect forged sender addresses and so help prevent phishing and email spam.

SPF allows a receiving mail server to check whether mail claiming to come from a specific domain was submitted by an IP address authorized by that domain’s administrators. The list of authorized senders and IP addresses for a domain is published in that domain’s DNS record.

Section 10.1, “Processing Limits” of the SPF RFC states the following regarding DNS lookups:

A PermError must be returned if there are more than 10 DNS lookups, which includes the “include” mechanism and the “redirect” modifier. The “include”, “mx”, “ptr”, “a” and “exists” mechanisms and the “redirect” modifier are counted against this limit. The “ip4”, “ip6” and “all” mechanisms do not require a DNS lookup and do not count against it. The “exp” modifier does not count either, because the DNS lookup for the explanation string happens only after the SPF record has been evaluated. These limits are in place to prevent SPF lookups from being used in denial of service attacks.

What will happen if the SPF DNS lookup limit is exceeded?

When the SPF evaluator on the receiving mail server finds more than 10 DNS-querying mechanisms or modifiers in the sender domain’s DNS record, it returns “SPF PermError: too many DNS lookups”. DMARC treats an SPF PermError as a fail, and the email may not even reach the inbox if the receiving server does not permit it.

This is why you need to keep the number of DNS-querying mechanisms and modifiers in your record within the limit of 10, so you do not exceed the DNS lookup limit.

But what do you do if your SPF record has too much in it? These days almost every organization uses third-party email service providers. Each “include” you add for one of those services counts 1 against the limit of 10, and any DNS-querying mechanisms or modifiers inside the included record count as well, so the limit is reached very quickly.

Many ESPs, such as Gmail, send unauthenticated email to spam by default. Office 365 goes further and blocks unauthorized sender domains outright. Third-party SPF flattening services such as easy SPF and Dmarcian can help you stay within the DNS lookup limit.
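To make the counting rule quoted from the RFC and the effect of flattening concrete, here is an added example (not code from this article, nor from any of the services it names). It models the lookup count against a constructed in-memory zone in place of live DNS, so it runs offline; the domains and records in it are fictional, and the flattening step only expands “include” and “redirect” terms into the “ip4”/“ip6” terms they contain, leaving “a”/“mx”/“ptr”/“exists” terms alone because turning those into addresses would need A/MX data the demo does not model.

```python
"""Count SPF DNS lookups and flatten include: terms (added example, offline)."""

# Constructed zone data standing in for TXT lookups (hypothetical domains).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example mx -all",
    "_spf.mailer.example": "v=spf1 include:_net1.mailer.example include:_net2.mailer.example ~all",
    "_net1.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_net2.mailer.example": "v=spf1 ip6:2001:db8::/32 a:relay.mailer.example -all",
    # Eleven third-party includes: one more than the limit allows.
    "bloated.example": "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all",
}
for i in range(11):
    FAKE_DNS[f"svc{i}.example"] = f"v=spf1 ip4:203.0.113.{i} -all"

LIMIT = 10
LOOKUP_TERMS = {"include", "redirect", "a", "mx", "ptr", "exists"}  # each costs a lookup
FREE_TERMS = {"ip4", "ip6", "all", "exp"}                           # no lookup charged


class SpfPermError(Exception):
    """Raised where a receiver would return SPF PermError."""


def parse_terms(record):
    """Split a v=spf1 record into (qualifier, name, argument, raw_token) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise SpfPermError("not a v=spf1 record")
    terms = []
    for raw in tokens[1:]:
        qualifier, tok = "+", raw
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        if "=" in tok:            # modifier: redirect=domain, exp=domain
            name, arg = tok.split("=", 1)
        elif ":" in tok:          # mechanism with argument: include:domain, ip4:net
            name, arg = tok.split(":", 1)
        else:                     # bare mechanism: a, mx, all
            name, arg = tok, ""
        terms.append((qualifier, name.lower(), arg, raw))
    return terms


def count_lookups(domain, resolver=FAKE_DNS, depth=0):
    """Count DNS-querying terms as a receiver would, descending into include:/redirect=."""
    if depth > LIMIT:  # an include loop in bad zone data would otherwise recurse forever
        raise SpfPermError(f"include/redirect chain too deep at {domain}")
    record = resolver.get(domain)
    if record is None:
        raise SpfPermError(f"no SPF record for {domain}")
    total = 0
    for _q, name, arg, raw in parse_terms(record):
        if name in FREE_TERMS or (name not in LOOKUP_TERMS and "=" in raw):
            continue  # ip4/ip6/all/exp and unknown modifiers cost nothing
        if name not in LOOKUP_TERMS:
            raise SpfPermError(f"unknown mechanism {name!r} in {domain}")
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, resolver, depth + 1)  # nested lookups count too
        if total > LIMIT:
            raise SpfPermError(f"too many DNS lookups ({total} > {LIMIT}) evaluating {domain}")
    return total


def lookup_status(domain, resolver=FAKE_DNS):
    """Return ('ok', count) or ('permerror', reason) for a domain's SPF record."""
    try:
        return ("ok", count_lookups(domain, resolver))
    except SpfPermError as err:
        return ("permerror", str(err))


def flatten(domain, resolver=FAKE_DNS, depth=0):
    """Rewrite include:/redirect= terms as the ip4:/ip6: terms they expand to.

    Nested 'all' terms are dropped so only the outer record decides the policy;
    a/mx/ptr/exists terms are kept verbatim (no A/MX data in this offline demo).
    """
    if depth > LIMIT:
        raise SpfPermError(f"include/redirect chain too deep at {domain}")
    record = resolver.get(domain)
    if record is None:
        raise SpfPermError(f"no SPF record for {domain}")
    out = ["v=spf1"]
    for _q, name, arg, raw in parse_terms(record):
        if name in ("include", "redirect"):
            for nested in flatten(arg, resolver, depth + 1).split()[1:]:
                if nested.lstrip("+-~?").lower() != "all":
                    out.append(nested)
        else:
            out.append(raw)
    return " ".join(out)


if __name__ == "__main__":
    for d in ("example.com", "bloated.example"):
        print(d, lookup_status(d))
    flat = flatten("example.com")
    print("flattened:", flat)
    print("lookups after flattening:", count_lookups("flat.example", {"flat.example": flat}))
```

Running it shows example.com costing 5 lookups (one “include” plus the three lookups nested inside it, plus “mx”), bloated.example failing with PermError at its eleventh “include”, and the flattened example.com record dropping to 2 lookups. One caveat flattening services also face: a flattened record goes stale whenever the provider changes its address ranges, so it has to be regenerated on a schedule.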

Lastly

Errors in SPF authentication can be a big issue and can disrupt business communication. SPF TempError and SPF PermError are problems you need to resolve immediately; doing so improves both your email deliverability and your SPF authentication.