email bounce error 'SPF Permanent Error: Too many DNS lookups'
Anyone experience this and have a solution? Thank you in advance.
4 Replies
An SPF record is mis-configured. See:
https://wordtothewise.com/2013/07/spf-fail-too-many-dns-lookups/
If the report was about your Linode, you need to fix this with the DNS Manager. My (working) SPF record looks like this:
v=spf1 a mx a -all
Here's how to decode it: https://www.zytrax.com/books/dns/ch9/spf.html
If the report is about another domain, all you can do is beg the sysadmin there to fix it.
-- sw
SPF records are limited to 10 DNS lookups - I've seen this same error from Gmail.
For example: "a:some.host.com" in an SPF record results in a lookup for the IP address of "some.host.com" - that's 1 DNS lookup.
Including other SPF records (include:some.domain.com) is another source of DNS lookups.
Check your SPF record and see how many parameters would result in DNS lookups, and substitute IP addresses where possible.
@ph0tmd5, to mitigate Denial-of-Service (DoS) attacks, SPF implements the 10-DNS-lookup limit.
When the SPF implementation on the receiving email server encounters more than 10 DNS-querying mechanisms/modifiers in the sender's domain's SPF record, it returns "SPF PermError: too many DNS lookups".
Since an SPF PermError is interpreted by DMARC as fail, the email might not land in the inbox, depending on the email server's settings.
Therefore, your best bet is to keep the DNS-querying mechanisms/modifiers in your SPF record <= 10.
You can use a tool like DMARCLY's Safe SPF (https://dmarcly.com/safe-spf) to automatically/dynamically flatten your SPF record so that the DNS lookup count stays below 10.
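The counting the replies describe, as an added example that is not part of any reply: it walks an SPF record, follows include and redirect, and totals the terms that cost a DNS query (a, mx, ptr, exists, include, redirect). The domains and records in ZONE are constructed and stand in for live TXT lookups; the total is the worst case, since a receiver stops evaluating at the first mechanism that matches.

```python
import re

LIMIT = 10  # SPF's cap on DNS-querying terms per check
QUERYING = {"a", "mx", "ptr", "exists", "include", "redirect"}
# optional qualifier, term name, optional ":target" or "=target" (CIDR suffix dropped)
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

# Constructed TXT records (hypothetical domains), used instead of live DNS.
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mailer.example "
                   "include:_spf.crm.example include:_spf.desk.example -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example "
                           "include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx:crm.example "
                        "exists:%{i}.bl.crm.example ~all",
    "_spf.desk.example": "v=spf1 a:mail.desk.example ip4:203.0.113.7 ~all",
    # Same senders, with the mailer and desk includes replaced by IP ranges.
    "flat.example.com": "v=spf1 mx ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                        "ip4:203.0.113.7 include:_spf.crm.example -all",
}

def count_lookups(domain, zone, stack=()):
    """Total DNS-querying terms reachable from domain's SPF record."""
    if domain in stack:
        raise ValueError(f"include/redirect loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; nothing further to evaluate
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name in QUERYING:
            total += 1  # the term itself costs one lookup
        if name in ("include", "redirect") and target:
            # the referenced record's own terms count against the same limit
            total += count_lookups(target.lower(), zone, stack + (domain,))
    return total

if __name__ == "__main__":
    for d in ("example.com", "flat.example.com"):
        n = count_lookups(d, ZONE)
        print(f"{d}: {n} lookups ->", "PermError" if n > LIMIT else "ok")
```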