What is Safe SPF?

Safe SPF is a DMARCLY feature which allows 10+ DNS queries for your SPF validation.

When an email arrives at the receiving server and you have created an SPF record for the email domain, the server will issue DNS queries to resolve the SPF record in order to validate the incoming IP. To prevent DDoS (Distributed Denial of Service), however, the maximum number of DNS queries the server can issue for the email is 10. Therefore, if your SPF record requires more than 10 DNS queries to resolve, the server will return an error indicating there are too many DNS queries.

For example, if you send emails via Google, they might ask you to create an SPF record similar to this:

v=spf1 include:_spf.google.com ~all

In order to completely resolve such an SPF record, the receiving server needs to issue 4 DNS queries. If you also use other email services like SendGrid, etc., the total number of DNS queries can quickly grow beyond 10. When the number of DNS queries exceeds 10, SPF validation fails, which affects your email deliverability.

Some propose "flattening" the SPF record to circumvent this issue. That is, resolve the SPF record in advance, and update the SPF record with the resolved values. This way, no DNS query is required for the flattened SPF record. However, there is one inherent drawback with this approach: if the underlying IP addresses change, SPF will fail until someone manually updates the SPF record.
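The lookup count and the flattening trade-off described above can be checked with a short script. This is an added example, not DMARCLY's code: it walks a constructed, offline copy of DNS (the record contents, IP ranges and the vendorN.example names are made up) and counts the worst case, where no mechanism matches early.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS. Record contents and the
# vendorN.example names are made up; ranges are RFC 5737 documentation blocks.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
}
for i in range(1, 8):  # seven more hypothetical sending services
    ZONE[f"spf.vendor{i}.example"] = f"v=spf1 ip4:203.0.113.{i} -all"
ZONE["busy.example"] = "v=spf1 include:_spf.google.com " + " ".join(
    f"include:spf.vendor{i}.example" for i in range(1, 8)) + " ~all"


def resolve(record, zone):
    """Walk an SPF record; return (worst-case DNS lookups, ip4/ip6 terms found)."""
    lookups, ips = 0, []
    for term in record.split()[1:]:          # skip the leading "v=spf1"
        term = term.lstrip("+-~?")           # drop the qualifier
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in COUNTED:
            lookups += 1                     # each of these terms costs one query
        if name in ("include", "redirect"):  # nested records count as well
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            sub_lookups, sub_ips = resolve(zone[target], zone)
            lookups, ips = lookups + sub_lookups, ips + sub_ips
        elif name in ("ip4", "ip6"):
            ips.append(term)
    return lookups, ips


def check(domain, zone=ZONE):
    """Return (lookups, verdict) as a receiver enforcing the limit would."""
    lookups, _ = resolve(zone[domain], zone)
    return lookups, "permerror" if lookups > LOOKUP_LIMIT else "ok"


def flatten(domain, zone=ZONE):
    """Pre-resolve every include into literal IP terms (needs 0 lookups)."""
    return "v=spf1 " + " ".join(resolve(zone[domain], zone)[1]) + " ~all"
```

The flattened string is a snapshot: when a provider's record later publishes a new range, the flattened record does not contain it until it is regenerated.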

Safe SPF offers a perfect solution to this issue. It completely obliterates the risk of running out of DNS queries, while requiring no further manual tuning once set up.
