SPF Void Lookups
by
Reading Time: 3 min
The SPF void lookup limit as specified by RFC is currently 2. You can find this specification under RFC 7208 (section 11.1) that puts a limit on the number of SPF void lookups allowed per SPF check. If you’re here reading this article, chances are you have come across the following error message while handling the protocol or reviewing the DMARC report data for your emails:
Key Takeaways
- The SPF void lookup limit is set to a maximum of 2 to help prevent Denial-of-Service attacks.
- An SPF void lookup occurs when a DNS lookup returns a null response during SPF authentication checks.
- Exceeding the SPF void lookup limit results in an SPF PermError, which can lead to email delivery failures.
- Regularly update IP addresses and mechanisms of email sending sources to avoid redundant or erroneous inclusions in SPF records.
- SPF flattening can optimize records by consolidating them, reducing the risk of hitting the lookup limit.
PermError SPF Permanent Error: Void lookup limit of 2 exceeded
To understand this better, let’s talk about what SPF void lookups are:
What is an SPF Void Lookup?
When a DNS lookup returns a void or null response while performing an SPF authentication check, it is termed an SPF void lookup. Not to be confused with the 10 DNS lookup limit, SPF void lookups are a separate category of error response that you may come across while handling SPF, altogether.
Why does this happen you may ask? If your SPF record contains an include mechanism that refers to an erroneous or malicious domain or IP address, that when looked up may return an empty or null response (NOERROR with no answers, or NXDOMAIN). RFC recommends the limitation of SPF void lookups like these to a maximum of 2 to prevent erroneous SPF records from becoming contributing factors in the initiation of Denial-of-Service attacks.
However, exceeding the SPF void lookup limit will lead to SPF PermError, resulting in SPF fail and therefore the possibility of your emails failing delivery.
Simplify Security with PowerDMARC!
How can you go around the SPF void lookups limit?
There are various fool-proof methods and practices you can implement to ensure that you don’t exceed the SPF void lookup limit of 2.
- Stay updated on your email sending sources’ and third-party vendors’ IP addresses and mechanisms to make sure you don’t have any redundant or erroneous inclusions in your record for them.
- Switch to SPF flattening with PowerSPF to keep your record optimized and up-to-date with a single click, without the need for constant monitoring or manual updates.
Hope this article helped you get a better understanding of the SPF void lookup limit and how it impacts your email flow and authentication results. To get advanced protection against spoofing, consider implementing DMARC for your domains for free!
Domain & Email Security Expert at PowerDMARC
Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.
Latest posts by Yunes Tarada (see all)
- Email Salting Attacks: How Hidden Text Bypasses Security - February 26, 2025
- SPF flattening: What is it and why do you need it? - February 26, 2025
- DMARC vs DKIM: Key Differences & How They Work Together - February 16, 2025
