SPF (Sender Policy Framework) is a standards-based component of today’s email infrastructure, enabling domain name owners to specify in DNS which systems are authorized to send email.

SPF, along with DKIM (DomainKeys Identified Mail), is a key component of DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC gives owners full control over who can email using their domains.

The SPF Ten Lookup Limit

For SPF to work correctly the DNS record must follow highly specific configuration rules. Errors are easily made and quite common, potentially reducing the delivery rate for authorized emails.

One common error involves SPF’s ten lookup limit. In evaluating a message’s authenticity, a receiving mail server may have to make one or more DNS lookups. The SPF specification limits these lookups to ten, meaning companies requiring more lookups risk quarantine or rejection of messages.

Recent proliferation of cloud services has greatly increased the number of DNS lookups required. Services with the legitimate need to send email using an organization’s domain name include:

  • Marketing automation
  • Bulk emailing
  • CRM
  • Recruiting and onboarding
  • Document signing
  • Customer support
  • Legal services
  • HR benefits platforms
  • And more

These services themselves each may require more than one DNS lookup for authentication, making it extremely easy for a thriving business to inescapably put itself beyond SPF’s ten lookup limit.

SPF Flattening Is Not the Answer

One attempted response to this limit is SPF record flattening. Flattening is when the domain owner replaces domain names in the SPF record with IP addresses or ranges of addresses. This technique can get around the lookup limit in the short term, but not sustainably for most companies.

That is because in the real world IP addresses change regularly. So flattened SPF can’t be a “set it and forget it” exercise. The domain owner must constantly monitor mail sending to discover any services that have stopped working.

And when that inevitably happens, it’s back to the error-prone editing of DNS entries by hand. Meanwhile every delay can mean important messages don’t reach their destinations.

Introducing Targeted SPF

ValiMail has solved these problems with patent-pending Targeted SPF™. This first-of-its-kind service:

  • Enables service authorization and de-authorization with one-click ease
  • Makes the ten lookup limit irrelevant, allowing any number of supported services on a single domain
  • Eliminates errors from tricky DNS editing and the lack of DNS validation mechanisms
  • Removes the need to know underlying technical details for every service you use
  • Works with any existing mail service or ISP
  • Requires no additional coordination with email service providers

Targeted SPF accomplishes these feats through SPF macros, a fundamental SPF component in place since the standard’s inception. The macro interface enables ValiMail to receive each inbound authentication request and dynamically return exactly the result necessary to authenticate that message, error free every time.