Results PermError SPF Permanent Error:
I recently noticed I was having new email deliverability issues. It surprised me since things had been going well since switching to AuthSMTP for our outgoing mail. So I checked my SPF record. It looked like this: v=spf1 a mx include:aspmx.googlemail.com include:authsmtp.com include:mxlookups.com -all
At first glance everything seems okay. Basically it says to include all A records, MX records, and to include the SPF records provided by Google Apps, AuthSMTP and mxlookups. Since that covers every legit sender, I ended it off with the -all which indicates a hard fail. Ok, so the syntax is right. You can’t tell that anything is wrong without looking further. When you actually try to evaluate it you’ll get this error message:
Results PermError SPF Permanent Error: Too many DNS lookups
After a little research I found out that you are only allowed 10 DNS lookups and fetching the TXT and SPF records counts toward that total. That means after you add in the A and MX lookups, we’re at 7 before we even look inside the includes. Let’s pull up the SPF record for Google Apps: v=spf1 redirect=_spf.google.com
That redirect counts as another DNS lookup. That puts me up to 8 DNS lookups. Thankfully the Salesforce SPF record is nice and clean: v=spf1 ip4:184.108.40.206/25 ip4:220.127.116.11/25 ip4:18.104.22.168 ip4:22.214.171.124/20 ip4:126.96.36.199/20 mx ~all
That leaves AuthSMTP: v=spf1 include:spf-a.authsmtp.com include:spf-b.authsmtp.com include:spf-c.authsmtp.com include:spf-d.authsmtp.com ~all
Ouch! That’s 4 more lookups and the worst part of it is that spf-d.authsmtp.com doesn’t even do anything!
The first thing I did was take out the MX lookup since it’s redundant. I also replaced aspmx.googlemail.com with _spf.google.com which is what it redirects to anyway. Technically, this isn’t a good idea since Google could change it on me but remember I don’t have a lot of options here. I’m just happy to see my revised record pass the test: v=spf1 a include:_spf.google.com include:authsmtp.com include:salesforce.com -all
I also sent an email to the AuthSMTP team. They responded within 30 minutes saying that they would remove the extra DNS record and look at how they can clean things up.
I learned something tonight. Remember to count the DNS lookups in your SPF record. It turns out they can add up faster than points on a teenager’s driver’s license. And if you’re using a lot of includes like I am, remember to do periodic checks to make sure nothing has changed.
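That periodic check can be scripted. The Python below is an added example, not code from the original post: it walks an SPF record and counts the terms RFC 7208 section 4.6.4 charges against the limit of 10 (include, a, mx, ptr, exists and redirect). The names example.org and revised.example.org and the leaf records marked as placeholders are constructed, and mxlookups.com is assumed to hold the same record as salesforce.com.

```python
# Added example: count DNS-querying SPF terms against the RFC 7208 limit.
LIMIT = 10
COUNTED = {"include", "a", "mx", "ptr", "exists"}  # plus the redirect= modifier

# Constructed offline zone. The aspmx.googlemail.com and authsmtp.com records
# are the ones quoted in the post; "placeholder" entries are made up.
ZONE = {
    "example.org": "v=spf1 a mx include:aspmx.googlemail.com "
                   "include:authsmtp.com include:mxlookups.com -all",
    "revised.example.org": "v=spf1 a include:_spf.google.com "
                           "include:authsmtp.com include:salesforce.com -all",
    "aspmx.googlemail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",        # placeholder
    "authsmtp.com": "v=spf1 include:spf-a.authsmtp.com include:spf-b.authsmtp.com "
                    "include:spf-c.authsmtp.com include:spf-d.authsmtp.com ~all",
    "spf-a.authsmtp.com": "v=spf1 ip4:198.51.100.0/26 ~all",  # placeholder
    "spf-b.authsmtp.com": "v=spf1 ip4:198.51.100.64/26 ~all", # placeholder
    "spf-c.authsmtp.com": "v=spf1 ip4:198.51.100.128/26 ~all",# placeholder
    "spf-d.authsmtp.com": "v=spf1 ~all",                      # placeholder
    "salesforce.com": "v=spf1 ip4:203.0.113.0/25 mx ~all",    # ip4 list abbreviated
}
ZONE["mxlookups.com"] = ZONE["salesforce.com"]  # assumption, see lead-in

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case number of lookup-costing terms reachable from domain's record."""
    if domain in path:  # include/redirect loop would never terminate
        raise ValueError("SPF loop via " + " -> ".join(path + (domain,)))
    total = 0
    for term in zone[domain].split()[1:]:      # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")             # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()      # "a/24" and "mx/24" still cost one
        if name in COUNTED:
            total += 1
            if name == "include":              # nested record shares the budget
                total += count_lookups(arg, zone, path + (domain,))
    return total

def verdict(domain, zone=ZONE):
    n = count_lookups(domain, zone)
    return ("PermError: too many DNS lookups" if n > LIMIT else "ok"), n

if __name__ == "__main__":
    for d in ("example.org", "revised.example.org"):
        print(d, *verdict(d))
```

To check a live domain, replace the ZONE dictionary with real TXT lookups; macros and void-lookup limits are not modelled here.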