SPF “too many lookups” error

If you’re reading this, you may have been directed here because you were told that your SPF record suffers from a “too many lookups” error.

The specifications for the SPF record limit the number of lookups (such as, translating a name to an IP address) to 10.

How do you know if your SPF record has this issue? Go to this site, enter your domain name, and then click the “Get SPF Record (if any)” button.

An SPF record like what is shown below will have the too many lookup errors.

v=spf1 a mx include:outlook.com include:jangomail.com -all

The output from the testing tool at kitterman.com shows:

Input accepted, querying now…
evaluating v=spf1 a mx include:outlook.com include:jangomail.com -all …
Results – PermError SPF Permanent Error: Too many DNS lookups

Outlook.com by itself eats up 10 lookups, effectively blocking any other entries such as a, mx, and any other includes. The entries in the SPF record that contribute to a lookup include a, mx, ptr, and include.

What counts for a lookup?

The following mechanisms/modifiers count towards the limit: a, mx, ptr, include, redirect, and exists. These items do not count: all, an IP4 address, and an IP6 address. You should avoid using the ptr mechanism. See here for more information on SPF record syntax.

How do you get around the too many lookups error?

1. Use a subdomain to send your email marketing messages. If your acme.com domain would go over the 10 lookups limit by including jangomail.com, then send using something like news.acme.com, “news” being whatever name you want, such as support, info, newsletter, or jm. You won’t be using this subdomain for anything other than sending through an email service provider, which greatly simplifies the SPF record you need.

In your DNS, after you’ve created a new subdomain, create a new TXT record. The “host” value will be the subdomain name (instead of @). The TXT value will be:

v=spf1 a mx include:jangomail.com -all

Note: you’ll also need a domain key for the subdomain. Go through the steps here, the exception being that your domain key will include the subdomain name. If I am using news as my subdomain, then the selector value can be jm (assuming you use jm, or use jangomail, or use whatever you’d like, keeping it to one word). The domain name entry to generate the key in JangoMail/JangoSMTP is your_subdomain_name.com (ex: news.acme.com). View the key and copy the long “k=rsa” string into your clipboard.

When you go into your DNS settings to create the new TXT record, the host value will be jm._domainkey.news. Paste in the string you just copied. You cannot re-use the parent value “k=rsa” string with the subdomain; it has to be its own new/unique value.

Note: if you use a subdomain, don’t forget to include an inbox for the FROM address you’re using. You can have replies to that address forwarded elsewhere (using our branded subdomain setup/feature) so you don’t have to monitor it, or you can just use a REPLY-TO address in your message. Replies normally go to the FROM address. If you have a REPLY-TO address, then that is where replies will go – usually. When someone sends back an out of office reply, that can either go to the FROM or the REPLY-TO address; there is no enforced email standard as to where those should be directed.

2. We can create a custom SPF record for you (contact Support to have this done). This is particularly useful if you are an agency type of user sending on behalf of multiple clients. You can have your clients include your domain name, and then have your domain name point back to either jangomail.com (that does not solve the too many lookups error, or it may cause it in the first place because now there is an extra one, but this is an option for you otherwise as an agency type of sender), or to use a custom SPF record JangoMail creates in our DNS. By using a custom SPF record (e.g., spf27.jangomail.com) that includes your dedicated IP address (or addresses), you minimize the number of changes that have to be made downstream for you clients.

If your IP needs to change (blacklisting, adding a new one, a change in our provider source, etc.), all we have to do is update the IP address on our end. The “name” reference/pointer to the custom SPF record stays in place.

3. If your IP address range falls within one or two of our spf-whatever ranges, just use that instead of jangomail.com. See the list below (and contact Support so we can put a note into your account that you are using spf-a.jangomail.com.

4. Enter what you need via IP address. If you’re using outlook.com in your SPF record, *everything* you enter must be via IP address because of how many lookups outlook.com takes up. If you are using a dedicated IP address with us, you can enter it as ip4:xxx.yyy.zzz.bbb (ex: ip4:123.208.173.222 – this is not an IP address we use; it’s just a numerical example). If you have more than one IP address with us, enter both of them ip4:the_first_address ip4:the_second_address, and so on.

You can use the full translation of “jangomail.com,” but there is no guarantee that the IPs we use will always be the same. The “jangomail.com” domain uses an SPF record of:

v=spf1 include:spf-a.jangomail.com include:spf-b.jangomail.com include:spf-c.jangomail.com include:spf-d.jangomail.com -all

That’s 4 lookups after the initial one for jangomail.com. Individually, they resolve to (last updated 3/11/15):

spf-a.jangomail.com
v=spf1 ip4:209.173.141.0/24 ip4:206.222.22.0/24 ip4:204.15.130.0/24 ip4:174.37.66.0/24 ip4:208.101.3.28/30 ip4:208.75.249.0/24 ip4:74.63.238.208/29 ip4:74.63.225.232/29 -all

spf-b.jangomail.com
v=spf1 ip4:209.190.39.0/24 ip4:216.82.113.0/24 ip4:208.101.23.120/29 ip4:208.73.3.0/24 ip4:162.222.243.0/24 ip4:74.63.245.64/29 ip4:64.31.48.184/29 -all

spf-c.jangomail.com
v=spf1 ip4:208.75.253.0/24 ip4:66.240.245.0/24 ip4:74.63.249.48/29 ip4:69.41.161.33/32 ip4:173.244.184.128/25 ip4:69.162.121.0/24 ip4:64.31.13.16/29 ip4:64.31.12.248/29 -all

spf-d.jangomail.com
v=spf1 ip4:206.222.20.0/24 ip4:208.72.2.0/24 ip4:208.75.250.8/29 ip4:64.79.65.0/24 ip4:216.75.6.0/24 ip4:208.101.2.0/24 ip4:74.63.200.160/27 ip4:208.75.250.136/29 ip4:69.162.119.96/29 -all

Just for grins

What does outlook.com resolve to? Since you asked…

By itself, outlook.com is:

outlook.com
v=spf1 include:spf-a.outlook.com
include:spf-b.outlook.com
ip4:157.55.9.128/25
include:spfa.bigfish.com
include:spfb.bigfish.com
include:spfc.bigfish.com
include:spf-a.hotmail.com
include:_spf-ssg-b.microsoft.com
include:_spf-ssg-c.microsoft.com
~all

Each subsequent include is shown below.

spf-a.outlook.com
v=spf1 ip4:157.56.232.0/21
ip4:157.56.240.0/20
ip4:207.46.198.0/25
ip4:207.46.4.128/25
ip4:157.56.24.0/25
ip4:157.55.157.128/25
ip4:157.55.61.0/24
ip4:157.55.49.0/25
ip4:65.55.174.0/25
ip4:65.55.126.0/25
ip4:65.55.113.64/26
ip4:65.55.94.0/25
-all

spf-b.outlook.com
v=spf1 ip4:65.55.78.128/25
ip4:111.221.112.0/21
ip4:207.46.58.128/25
ip4:111.221.69.128/25
ip4:111.221.66.0/25
ip4:111.221.23.128/25
ip4:70.37.151.128/25
ip4:157.56.248.0/21
ip4:213.199.177.0/26
ip4:157.55.225.0/25
ip4:157.55.11.0/25
-all

spfa.bigfish.com
v=spf1 ptr:o365filtering.com
ptr:messaging.microsoft.com
ip4:157.55.116.128/26
ip4:157.55.133.0/24
ip4:157.55.234.0/24
ip4:157.56.120.0/25
ip4:207.46.100.0/24
ip4:207.46.108.0/25
ip4:207.46.163.0/24
ip4:134.170.140.0/24
-all

spfb.bigfish.com
v=spf1 ip4:207.46.51.64/26
ip4:213.199.154.0/24
ip4:216.32.180.0/23
ip4:65.55.83.128/27
ip4:65.55.169.0/24
ip4:65.55.88.0/24
ip4:131.107.0.0/16
ip4:134.170.132.0/24
ip4:157.56.208.0/23
ip4:157.56.210.0/23
-all

spfc.bigfish.com
v=spf1 ip6:2a01:111:f400:7c00::/54
ip6:2a01:111:f400:fc00::/54
ip4:157.55.40.32/27
ip4:157.56.123.0/27
ip4:157.56.91.0/27
ip4:157.55.206.0/23
ip4:157.56.116.0/25
ip4:157.56.108.0/24
ip4:157.56.112.0/24
ip4:157.56.110.0/23
-all

spf-a.hotmail.com
v=spf1 ip4:157.55.0.192/26
ip4:157.55.1.128/26
ip4:157.55.2.0/25
ip4:65.54.190.0/24
ip4:65.54.51.64/26
ip4:65.54.61.64/26
ip4:65.55.111.0/24
ip4:65.55.116.0/25
ip4:65.55.34.0/24
ip4:65.55.90.0/24
ip4:65.54.241.0/24
ip4:207.46.117.0/24
~all

_spf-ssg-b.microsoft.com
v=spf1 ip4:207.68.169.173/30
ip4:207.68.176.1/26
ip4:207.46.132.129/27
ip4:207.68.176.97/27
ip4:65.55.238.129/26
ip4:207.46.222.193/26
ip4:207.46.116.135/29
ip4:65.55.178.129/27
ip4:213.199.161.129/27
ip4:65.55.33.70/28
~all

_spf-ssg-c.microsoft.com
v=spf1 ip4:65.54.121.123/29
ip4:65.55.81.53/28
ip4:65.55.234.192/26
ip4:207.46.200.0/27
ip4:65.55.52.224/27
ip4:94.245.112.10/31
ip4:94.245.112.0/27
ip4:111.221.26.0/27
ip4:207.46.50.221/26
ip4:207.46.50.224
~all