
The Skysnag Blog


Avoid this SPF Mistake

October 11, 2023  |  2 min read

The SPF protocol employs ‘include mechanisms,’ which allow the domain owner to delegate specific authorization to another party. This is effectively a request to look for a list of allowed IP addresses that is kept up to date by someone else (the cloud provider). A domain owner might, for example, add the Google Workspace inclusion to their SPF record, federating the whitelisting of Google sending IPs to Google.

SPF limitations

These ‘include’ mechanisms, also known as SPF lookups, are a crucial element of the SPF picture, but they have a protocol limitation: a domain can only have a total of 10 DNS lookups across all include mechanisms. This is to protect against a type of DDoS attack, but we won’t go into too much detail about it here.

One of the most prevalent SPF mistakes we find in the wild is exceeding the 10-lookup limit. The overall impact for senders is almost certain authentication failure for any sending services listed after the 10th lookup. This can be disastrous for companies that rely on email to communicate with clients and other business partners.
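To make the limit concrete, here is an added example (not Skysnag's code, and not any real provider's records) that counts worst-case lookups over a constructed set of TXT records. The domains `example.com` and `svc1.example` to `svc6.example` are hypothetical: six services add up to exactly 10 lookups, and one provider adding a nested include pushes the total to 11. The counter also covers `a`, `mx`, `ptr`, `exists` and `redirect`, which RFC 7208 section 4.6.4 places under the same limit.

```python
LIMIT = 10  # RFC 7208 section 4.6.4
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that cost a DNS query

def spf_lookups(domain, zone, _stack=()):
    """Worst-case number of DNS-querying terms needed to evaluate domain's SPF record."""
    if domain in _stack:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0  # no SPF record here; a real evaluator reports an error instead
    total = 0
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            total += 1 + spf_lookups(term.split("=", 1)[1], zone, _stack + (domain,))
            continue
        name, _, target = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in QUERYING:
            total += 1
            if name == "include":  # nested records count toward the same total
                total += spf_lookups(target, zone, _stack + (domain,))
    return total

def check(domain, zone):
    """Return (lookup count, result); exceeding the limit is a permerror."""
    n = spf_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")

# Constructed TXT records standing in for DNS (hypothetical services).
ZONE = {
    "example.com": "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(1, 7)) + " -all",
    "svc1.example": "v=spf1 include:a.svc1.example include:b.svc1.example ~all",
    "a.svc1.example": "v=spf1 ip4:192.0.2.0/28 ~all",
    "b.svc1.example": "v=spf1 ip4:192.0.2.16/28 ~all",
    "svc2.example": "v=spf1 include:a.svc2.example ~all",
    "a.svc2.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "svc3.example": "v=spf1 include:a.svc3.example ~all",
    "a.svc3.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "svc4.example": "v=spf1 ip4:203.0.113.0/27 ~all",
    "svc5.example": "v=spf1 ip4:203.0.113.32/27 ~all",
    "svc6.example": "v=spf1 ip4:203.0.113.64/27 ~all",
}
# The same zone after svc6 moves its addresses behind one nested include.
ZONE_AFTER = {**ZONE,
              "svc6.example": "v=spf1 include:a.svc6.example ~all",
              "a.svc6.example": "v=spf1 ip4:203.0.113.64/27 ~all"}

if __name__ == "__main__":
    print(check("example.com", ZONE), check("example.com", ZONE_AFTER))
```

The domain owner's own record is identical in both zones; only the provider's record changed, which is why this failure tends to appear without warning.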

What could go wrong?

Many people will utilize ten or more services, each of which will require one or more lookups, and in some cases, significantly more. The key is to stay under the 10-lookup restriction. Skysnag’s Genius SPF feature was developed to overcome the 10 SPF lookup limit.

Everyone makes mistakes

We utilize our technologies to look for and rectify this type of SPF mistake all over the internet.

This company’s SPF record contains 6 sending services, including well-known sending solutions for everyone in the business of B2B SaaS: Marketo, SendGrid, NetSuite, Salesforce, and so on. These services together resulted in a total of 10 SPF lookups. 

The SPF record was suddenly broken, necessitating 11 lookups. On the tree below, the lookups required by each sending service are shown in light blue adjacent to each service: 

In and of itself, this is a fair activity for a service provider to take, but the unintended consequences for their clients and supply chain can be significant and especially embarrassing for a company in this industry.

How to fix it

Because Dynamic SPF, as the name implies, dynamically compacts the SPF record to always be compatible with the SPF protocol, our users, many of whom also rely on NetSuite, would have suffered no impact in this instance. We provide you with a record that replaces all of your mechanisms with a single inclusion that dynamically joins all of your approved services at query time.

When an SPF mistake occurs, we provide even more resiliency by monitoring and healing using ‘last known good’ values for a policy (put simply: Dynamic SPF skips over the broken stuff). As a result, the rest of your email can continue to flow normally. When these problems are corrected, Dynamic SPF will automatically update the values without the need for user participation.


Skysnag automates DMARC, SPF, and DKIM for you, increasing email deliverability. This saves you the trouble and time required for manual configuration. Avoid the SPF mistake right away and use Skysnag’s automated software to safeguard your domain’s reputation from compromised business emails, password theft, and potentially significant financial losses. Sign up using this link and monitor your email flow with Skysnag.
