
I'm having a problem with my SPF. Looking up my SPF record on mxtoolbox.com, I get the error "Too many included lookups". It seems I have to remove some of my 'include' options or try to flatten some of them, but that doesn't look very easy to maintain. Here is my SPF record:

v=spf1 a:mail.example.com ip4:192.0.2.12 ip4:192.0.2.13 include:no-ip.com include:_spf.google.com include:spf-1.xmailer.com.br ~all

So the point is, I don't know if I can remove some of my 'include' options. The last one, xmailer, I already know I can't remove, but I'm not sure about no-ip and google. Here we don't use Google Workspace, we only use Gmail for sending and receiving emails. And as for No-IP, it's because we have two different addresses that people send emails from, but we can also send emails from other IP addresses, so it seems that No-IP isn't necessary to send emails.

Can you help me? I'll keep searching for something that I can do.

  • "I don't know if I can remove some of my 'include' options" - Unfortunately, we certainly can't know either. When people send e-mail, you typically instruct them to authenticate and use your mail server (which is already included in your SPF record) to send their emails. Your SPF does not need to include and allow whatever IP addresses your people use to access your mail server. Commented 2 days ago
  • "we can also send emails from other IP addresses". What is relevant is where the target server receives the e-mail from, not the IP of your e-mail client. Your e-mail client should talk to one of your servers, and then those servers will talk to the target server. Only those servers need to be included in your SPF. Commented 6 hours ago

2 Answers


DNS lookup constraint and scope of analysis

The "Too many included lookups" error is caused by the DNS lookup limit defined in RFC 7208, section 4.6.4:

The following terms cause DNS queries: the include, a, mx, ptr, and exists mechanisms, and the "redirect" modifier. SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS.

While we cannot determine whether any of your include mechanisms can be removed or simplified – since only you know which email infrastructure sends messages using your domain in the envelope sender – we can help evaluate what causes the additional DNS lookups and by how much the limit is exceeded.

SPF evaluation analysis

The evaluation of your SPF policy currently triggers twelve DNS queries:

#   SPF mechanism (triggered from)               DNS query and answer
1   initial                                      example.com. IN TXT
                                                 "v=spf1 a:mail.example.com. ... include:no-ip.com include:_spf.google.com include:spf-1.xmailer.com.br ~all"
2   a:mail.example.com                           mail.example.com. IN A 198.51.100.0
3   include:no-ip.com (from #1)                  no-ip.com. IN TXT
                                                 "v=spf1 ... include:_spf.hostedemail.com ... include:sendgrid.net include:mail.zendesk.com -all"
4   include:_spf.hostedemail.com (from #3)       _spf.hostedemail.com. IN TXT
                                                 "v=spf1 ... ~all"
5   include:sendgrid.net (from #3)               sendgrid.net. IN TXT
                                                 "v=spf1 ... include:ab.sendgrid.net ~all"
6   include:ab.sendgrid.net (from #5)            ab.sendgrid.net. IN TXT
                                                 "v=spf1 ... ~all"
7   include:mail.zendesk.com (from #3)           mail.zendesk.com. IN TXT
                                                 "v=spf1 ... ~all"
8   include:_spf.google.com (from #1)            _spf.google.com. IN TXT
                                                 "v=spf1 ... ~all"
9   include:spf-1.xmailer.com.br (from #1)       spf-1.xmailer.com.br. IN TXT
                                                 "v=spf1 include:spf-xm1.xmailer.com.br include:spf-ll.xmailer.com.br -all"
10  include:spf-xm1.xmailer.com.br (from #9)     spf-xm1.xmailer.com.br. IN TXT
                                                 "v=spf1 ... ~all"
11  include:spf-ll.xmailer.com.br (from #9)      spf-ll.xmailer.com.br. IN TXT
                                                 "v=spf1 ... include:spf-ll2.xmailer.com.br -all"
12  include:spf-ll2.xmailer.com.br (from #11)    spf-ll2.xmailer.com.br. 279 IN TXT
                                                 "v=spf1 ... -all"

(For brevity, ip4 and ip6 mechanisms have been replaced with ..., as they do not trigger additional DNS queries.)

Or a tree view:

  • initial
    • a:mail.example.com
    • include:no-ip.com
      • include:_spf.hostedemail.com
      • include:sendgrid.net
        • include:ab.sendgrid.net
      • include:mail.zendesk.com
    • include:_spf.google.com
    • include:spf-1.xmailer.com.br
      • include:spf-xm1.xmailer.com.br
      • include:spf-ll.xmailer.com.br
        • include:spf-ll2.xmailer.com.br

Conclusions and recommendations

Your SPF record exceeds the DNS lookup limit by two queries. The main contributors to the excess lookups are the long SPF include chains used by no-ip.com and spf-1.xmailer.com.br. Fully flattening the SPF record is generally not practical to maintain. However, if neither of these includes can be removed, minimal changes could still reduce the number of DNS queries below 10.

  • Replace a:mail.example.com with explicit ip4/ip6 mechanisms. If an existing ip4 entry already covers the mail server, the a mechanism is redundant and can be removed.
  • spf-1.xmailer.com.br contains only include mechanisms, which can be referenced directly as include:spf-xm1.xmailer.com.br and include:spf-ll.xmailer.com.br.

These changes reduce the number of DNS lookups by two, bringing the configuration to the limit threshold. However, any additional include will cause the limit to be exceeded again. This is most likely to occur within third-party SPF include chains already subject to these sorts of practices. As an additional recommendation, review the no-ip.com dependency in particular to determine whether all included services are actually required – for example, whether only specific providers such as sendgrid.net or zendesk.com are in use.

  • You're amazing, thanks for the comment. It really helped me to better understand the situation. I have one question about the no-ip use. For example, I have it set up at my house to log in to the server and send emails; I can still send emails from outside my house, but I can't SSH into the server. In this case, I don't need an include statement in SPF, right? I have the no-ip include for this reason, but it doesn't seem to be needed. Commented yesterday
  • If your no-ip.com usage is limited to dynamic DNS (for example, to reach your home server via SSH) and no mail is being sent through infrastructure operated by no-ip.com, then that include is likely unnecessary. Their SPF record applies only to their email infrastructure and will not authorize IP addresses registered with their dynamic DNS services. This therefore appears to be a candidate for removal. Commented yesterday
  • Dynamic IP addresses generally should not be used directly for sending email. If your home server sends mail, it should normally relay either through your own properly configured mail server with a static IP address or through an external mail provider, and only that infrastructure needs to be authorized in SPF. Commented yesterday
  • I am glad the answer helped you better understand the situation. That was also the intent behind focusing on general concepts rather than provider-specific details, aiming to explain the underlying principles instead of only providing a one-off fix. The goal was to provide an analysis method that you can apply to your own infrastructure, and that others encountering similar SPF lookup issues can apply to their own use cases. Commented yesterday
  • Concur - 10 is the hard limit on a lot of systems, and other domain names wildly ignore it. Toyota.com was famous for having 18 for a long time, but now theirs is down to 6, each of which is a long string of IP blocks with no further lookups. Commented 19 hours ago

The no-ip include content looks suspicious. Why are they giving sendgrid and zendesk permission to send on your behalf?

If no-ip are not providing your domain with sendgrid or zendesk services, just move the no-ip include to the end and ignore their stupidity.

These last two includes will be over the limit, but that won't matter because compliant SPF checkers will just stop after 10 lookups, ignoring those unwanted entries.

  • I would probably not "move it to the end" but remove it altogether, as this will become a troubleshooting nightmare. Commented 6 hours ago
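The counting rule quoted in the first answer, written out as code, with a strict mode that shows what a compliant evaluator does when the budget runs out during a check (RFC 7208 section 4.6.4 specifies a permerror result at that point), which is the behaviour the second answer and its comment discuss. This is an added example, not code from the question or either answer. It walks a constructed in-memory zone instead of live DNS, so it runs offline; the zone mirrors the include tree in the first answer, with the ip4 values the answer elided replaced by 203.0.113.x documentation addresses (an assumption, not the providers' real records). The answer's table numbers the initial TXT query as #1, whereas the RFC limit counts only the terms, so the same tree comes out as 11 terms here; the answer's two suggested edits bring it to 9.

```python
# Added example (not from the question or answers): an offline RFC 7208
# section 4.6.4 lookup counter run against a CONSTRUCTED zone that mirrors
# the include tree in the first answer. The ip4 values the answer elided are
# replaced with 203.0.113.x documentation addresses, not the providers' data.
import re

LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying terms per check
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # plus redirect=

ZONE = {  # constructed, see the comment above
    "example.com": "v=spf1 a:mail.example.com ip4:192.0.2.12 ip4:192.0.2.13 "
                   "include:no-ip.com include:_spf.google.com include:spf-1.xmailer.com.br ~all",
    "no-ip.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.hostedemail.com "
                 "include:sendgrid.net include:mail.zendesk.com -all",
    "_spf.hostedemail.com": "v=spf1 ip4:203.0.113.10 ~all",
    "sendgrid.net": "v=spf1 ip4:203.0.113.20 include:ab.sendgrid.net ~all",
    "ab.sendgrid.net": "v=spf1 ip4:203.0.113.21 ~all",
    "mail.zendesk.com": "v=spf1 ip4:203.0.113.30 ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.40 ~all",
    "spf-1.xmailer.com.br": "v=spf1 include:spf-xm1.xmailer.com.br include:spf-ll.xmailer.com.br -all",
    "spf-xm1.xmailer.com.br": "v=spf1 ip4:203.0.113.50 ~all",
    "spf-ll.xmailer.com.br": "v=spf1 ip4:203.0.113.60 include:spf-ll2.xmailer.com.br -all",
    "spf-ll2.xmailer.com.br": "v=spf1 ip4:203.0.113.70 -all",
}

# qualifier, name, separator (":" or "/" for a mechanism argument, "=" for a modifier), argument
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9]*)(?:([:=/])(.*))?$")


class SpfPermError(Exception):
    """The result a compliant evaluator returns once the limit is exceeded."""


def count_lookups(domain, zone=ZONE, strict=False):
    """Return (count, tree) of DNS-querying terms reachable from `domain`.

    tree: one indented line per counted term, in evaluation order.
    strict=True raises SpfPermError at the 11th term, as RFC 7208 requires
    of an evaluator; strict=False keeps counting for diagnosis.
    """
    tree, counter = [], [0]

    def walk(name, depth):
        tokens = zone.get(name.rstrip(".").lower(), "").split()
        if not tokens or tokens[0].lower() != "v=spf1":
            raise SpfPermError(f"no SPF record found for {name}")
        for term in tokens[1:]:
            m = TERM_RE.match(term)
            if m is None:
                raise SpfPermError(f"unparseable term {term!r} in {name}")
            _qual, mech, sep, arg = m.groups()
            mech = mech.lower()
            # redirect= counts; exp= and other modifiers, ip4/ip6/all do not
            counts = mech == "redirect" if sep == "=" else mech in LOOKUP_MECHANISMS
            if not counts:
                continue
            counter[0] += 1
            tree.append("  " * depth + term)
            if strict and counter[0] > LOOKUP_LIMIT:
                raise SpfPermError(f"term #{counter[0]} ({term} in {name}) exceeds {LOOKUP_LIMIT}")
            if mech in ("include", "redirect"):
                walk(arg, depth + 1)  # nested records draw on the same budget
            # a/mx/ptr/exists cost one query each and are not followed further

    walk(domain, 0)
    return counter[0], tree


def within_limit(domain, zone=ZONE):
    """True when a strict evaluation finishes without a permerror."""
    try:
        count_lookups(domain, zone, strict=True)
        return True
    except SpfPermError:
        return False


def with_recommended_changes(zone):
    """Constructed: the first answer's two edits applied to example.com's record:
    a:mail.example.com -> ip4:198.51.100.0 (the address in the answer's table),
    and include:spf-1.xmailer.com.br replaced by its two child includes."""
    revised = dict(zone)
    revised["example.com"] = ("v=spf1 ip4:192.0.2.12 ip4:192.0.2.13 ip4:198.51.100.0 "
                              "include:no-ip.com include:_spf.google.com "
                              "include:spf-xm1.xmailer.com.br include:spf-ll.xmailer.com.br ~all")
    return revised


if __name__ == "__main__":
    for label, zone in (("current", ZONE), ("after recommended changes", with_recommended_changes(ZONE))):
        count, tree = count_lookups("example.com", zone)
        print(f"{label}: {count} DNS-querying terms (limit {LOOKUP_LIMIT}), "
              f"strict evaluation ok: {within_limit('example.com', zone)}")
        print("\n".join(tree))
```

To use it against real data, replace the entries in ZONE with the TXT records returned by `dig TXT <name>` for each domain in the chain. The non-strict run is what a diagnostic tool wants (the full tree and the total), while the strict run reproduces the evaluator's view: the walk is depth-first in record order, so the budget is consumed by nested includes before the later top-level terms are reached, and the 11th term ends the check regardless of where in the record it sits.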
