I have an SPF include for WPMUDEV email in my DNS records. It looks like this:
v=spf1 include:yourwpsite.email ~all
Unfortunately because I also need Google SPF records (for my Google Workspace) my SPF record actually looks like this:
v=spf1 include:_spf.google.com include:yourwpsite.email ~all
Not a big deal, except that these two expand into 11 independent DNS lookups for SPF. The limit is 10, after which it starts to have a negative impact on SPF / DMARC. You can read more about it here.
So once my SPF record is expanded to cover all necessary lookups, it ends up looking like this:
capitalwebdesign.ca
  include:_spf.google.com
    include:_netblocks.google.com
      ip4:35.190.247.0/24
      ip4:64.233.160.0/19
      ip4:66.102.0.0/20
      ip4:66.249.80.0/20
      ip4:72.14.192.0/18
      ip4:74.125.0.0/16
      ip4:108.177.8.0/21
      ip4:173.194.0.0/16
      ip4:209.85.128.0/17
      ip4:216.58.192.0/19
      ip4:216.239.32.0/19
      ~all
    include:_netblocks2.google.com
      ip6:2001:4860:4000::/36
      ip6:2404:6800:4000::/36
      ip6:2607:f8b0:4000::/36
      ip6:2800:3f0:4000::/36
      ip6:2a00:1450:4000::/36
      ip6:2c0f:fb50:4000::/36
      ~all
    include:_netblocks3.google.com
      ip4:172.217.0.0/19
      ip4:172.217.32.0/20
      ip4:172.217.128.0/19
      ip4:172.217.160.0/20
      ip4:172.217.192.0/19
      ip4:172.253.56.0/21
      ip4:172.253.112.0/20
      ip4:108.177.96.0/19
      ip4:35.191.0.0/16
      ip4:130.211.0.0/22
      ~all
    ~all
  include:yourwpsite.email
    include:mailgun.org
      include:_spf.mailgun.org
        include:_spf1.mailgun.org
          ip4:209.61.151.0/24
          ip4:166.78.68.0/22
          ip4:198.61.254.0/23
          ip4:192.237.158.0/23
          ip4:23.253.182.0/23
          ip4:104.130.96.0/28
          ip4:146.20.113.0/24
          ip4:146.20.191.0/24
          ip4:159.135.224.0/20
          ip4:69.72.32.0/20
          ~all
        include:_spf2.mailgun.org
          ip4:104.130.122.0/23
          ip4:146.20.112.0/26
          ip4:161.38.192.0/20
          ip4:143.55.224.0/21
          ip4:143.55.232.0/22
          ip4:159.112.240.0/20
          ip4:198.244.48.0/20
          ip4:204.220.168.0/21
          ip4:204.220.176.0/20
          ~all
        ~all
      include:_spf.eu.mailgun.org
        ip4:141.193.32.0/23
        ip4:159.135.140.80/29
        ip4:159.135.132.128/25
        ip4:161.38.204.0/22
        ip4:87.253.232.0/21
        ip4:185.189.236.0/22
        ip4:185.211.120.0/22
        ip4:185.250.236.0/22
        ip4:143.55.236.0/22
        ip4:198.244.60.0/22
        ip4:204.220.160.0/21
        ~all
      -all
    include:relay.mailchannels.net
      ip4:23.83.208.0/20
      ip4:199.10.31.235/32
      ip4:199.10.31.236/31
      ip4:199.10.31.238/32
      ip4:35.85.190.185/32
      ~all
    ~all
Part of the problem is that the yourwpsite.email SPF has several nested includes for mailgun and mailchannels. This means that having an SPF record for yourwpsite.email costs 6 of 10 max DNS lookups. With the five that Google requires, I end up with 11 total lookup requests and I am now not conforming to SPF limits.
In order to fix my issue and drop to 10 lookups, I changed my SPF record from
v=spf1 include:_spf.google.com include:yourwpsite.email ~all
to
v=spf1 include:_spf.google.com include:mailgun.org include:relay.mailchannels.net ~all
Dropping the yourwpsite.email now gets me to 10 DNS queries instead of 11. Alternatively I could have done my own SPF flattening, whereby I take all of the IPs above and include them in my SPF record. This works because IPs don’t require DNS lookups. The problem with flattening like this is that if mailgun or mailchannels changes the IPs of their service, I would experience email outages. Not good.
Services such as SafeSPF exist to provide a solution to this problem: you provide them with your required SPF domains, they run the DNS queries to see which domains get inherited, then they take all those IPs and provide you with a single include (no nested records) that has all the IPs of the services you need. It then regularly checks to see if there has been any change of IPs from the downstream providers, and updates your single SPF record.
Here’s how you could help: WPMUDEV could (and hopefully you’ll agree you should) flatten yourwpsite.email SPF records for the benefit of their clients. Because you depend on mailgun and mailchannels, the yourwpsite.email SPF include “costs” 6 DNS lookups.
You could flatten the yourwpsite.email to a single lookup.
Build a solution similar to SafeSPF which regularly queries the inline SPF includes you require to run your services. Then, make the yourwpsite.email SPF record include all the IPs nested directly underneath.
This way, WPMUDEV users would simply need to have include:yourwpsite.email at the cost of 1 SPF DNS lookup.
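As an added illustration of the two things discussed above (counting the DNS lookups an SPF record costs, and flattening nested includes down to ip4/ip6 terms the way a SafeSPF-style service does), here is a small Python script that is not part of the original post and not WPMUDEV's, Google's, Mailgun's or MailChannels' code. Instead of live DNS it walks a constructed in-memory zone whose domain names and netblocks are invented for the example; the real records above are not reproduced here. The lookup counting follows the RFC 7208 rule that include, a, mx, ptr, exists and redirect each cost one query, while ip4 and ip6 cost none.

```python
# Constructed in-memory zone: domain -> SPF TXT record.
# Domain names and netblocks are illustrative (RFC 5737 / 3849 ranges),
# not the real records of any provider.
ZONE = {
    "example.test":       "v=spf1 include:_spf.mailer.test include:relay.test ~all",
    "_spf.mailer.test":   "v=spf1 include:_spf1.mailer.test include:_spf2.mailer.test -all",
    "_spf1.mailer.test":  "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
    "_spf2.mailer.test":  "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "relay.test":         "v=spf1 ip4:192.0.2.200/32 mx ~all",
}

# Terms that RFC 7208 section 4.6.4 counts against the 10-lookup limit.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for tok in tokens[1:]:
        qual = "+"
        if tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        if "=" in tok:                       # modifier, e.g. redirect=other.test
            name, arg = tok.split("=", 1)
        elif ":" in tok:                     # mechanism with argument
            name, arg = tok.split(":", 1)
        else:                                # bare mechanism, e.g. mx, all
            name, arg = tok, None
        terms.append((qual, name.lower(), arg))
    return terms


def count_lookups(record, zone, depth=0):
    """Count DNS-querying terms, descending into include/redirect like an evaluator would.
    The depth guard stops runaway include loops; past MAX_LOOKUPS the record is broken anyway."""
    if depth > MAX_LOOKUPS:
        raise ValueError("include chain deeper than the SPF lookup limit")
    total = 0
    for _, name, arg in parse_terms(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(zone[arg], zone, depth + 1)
    return total


def within_limit(record, zone):
    """True when the record stays within the 10-lookup limit."""
    return count_lookups(record, zone) <= MAX_LOOKUPS


def _flatten_terms(domain, zone, top):
    """Collect terms for `domain`, replacing each include by the pass-matching
    ip4/ip6 terms it ultimately resolves to.  a/mx/ptr/exists need live DNS to
    resolve, so they are kept verbatim (and still cost a lookup each)."""
    terms = []
    for qual, name, arg in parse_terms(zone[domain]):
        if name == "include":
            terms.extend(_flatten_terms(arg, zone, top=False))
        elif name == "all" and not top:
            continue    # a nested record's default result never matches an include; drop it
        elif name in ("ip4", "ip6") and qual != "+" and not top:
            continue    # a non-pass hit inside an include only makes the include not match
        else:
            terms.append(("" if qual == "+" else qual) + name + (":" + arg if arg else ""))
    return terms


def flattened_record(domain, zone):
    """Build the single, include-free record a flattening service would publish for `domain`."""
    seen = dict.fromkeys(_flatten_terms(domain, zone, top=True))   # dedupe, keep order
    return "v=spf1 " + " ".join(seen)


if __name__ == "__main__":
    before = ZONE["example.test"]
    after = flattened_record("example.test", ZONE)
    print("before: %s  (%d lookups)" % (before, count_lookups(before, ZONE)))
    print("after:  %s  (%d lookups)" % (after, count_lookups(after, ZONE)))
```

The caveat from the post applies unchanged: the flattened record is only as fresh as the last time it was regenerated, so anything that publishes it has to re-run the expansion on a schedule and diff the result, otherwise a provider changing its netblocks silently turns into SPF failures.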