The SPF void lookup limit specified by the RFC is currently 2. You can find this specification in RFC 7208 (section 11.1), which puts a limit on the number of SPF void lookups allowed per SPF check. If you're reading this article, chances are you have come across the following error message while handling the protocol or reviewing the DMARC report data for your emails:
PermError SPF Permanent Error: Void lookup limit of 2 exceeded
To understand this better, let’s talk about what SPF void lookups are:
What is an SPF Void Lookup?
When a DNS lookup returns a void or null response while performing an SPF authentication check, it is termed an SPF void lookup. Not to be confused with the 10 DNS lookup limit, SPF void lookups are a separate category of error response that you may come across while handling SPF.
Why does this happen? If your SPF record contains an include mechanism that refers to an erroneous or malicious domain or IP address, looking it up may return an empty or null response (NOERROR with no answers, or NXDOMAIN). The RFC recommends limiting SPF void lookups like these to a maximum of 2 to prevent erroneous SPF records from contributing to Denial-of-Service attacks.
Exceeding the SPF void lookup limit leads to an SPF PermError, which results in SPF fail and therefore the possibility of your emails failing delivery.
How can you get around the SPF void lookup limit?
There are various fool-proof methods and practices you can implement to ensure that you don’t exceed the SPF void lookup limit of 2.
- Stay updated on your email sending sources’ and third-party vendors’ IP addresses and mechanisms to make sure you don’t have any redundant or erroneous inclusions in your record for them.
- Switch to SPF flattening with PowerSPF to keep your record optimized and up-to-date with a single click, without the need for constant monitoring or manual updates.
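To check a record for the erroneous inclusions described in the first point, the following added example (not part of the original article or any vendor tool) walks an SPF record and its includes and lists every term whose DNS query would come back void. The resolver is a constructed in-memory table with example names, macros are not expanded, and every void term is counted as a worst case, whereas a real evaluator stops at the first matching mechanism.

```python
VOID_LIMIT = 2  # limit stated in the article (RFC 7208)
# Constructed DNS data using example names. A missing key models NXDOMAIN and an
# empty list models NOERROR with no answers; both count as void lookups.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.mailer.example "
                             "include:old-vendor.example a:gone.example.com "
                             "mx:legacy.example.com -all"],
    ("fixed.example.com", "TXT"): ["v=spf1 include:_spf.mailer.example "
                                   "mx:legacy.example.com -all"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 "
                                     "a:decom.mailer.example -all"],
    ("old-vendor.example", "TXT"): [],  # NOERROR, no answers
    ("legacy.example.com", "MX"): ["10 mx1.example.com"],
}

def lookup(name, rtype):
    """Stand-in resolver: list of answers, empty when the lookup is void."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def spf_record(domain):
    """First v=spf1 TXT string published for the domain, or '' if none."""
    return next((t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")), "")

def void_terms(domain, seen=None):
    """List (domain, term) for every term whose DNS query comes back void."""
    seen = set() if seen is None else seen
    if domain in seen:  # guard against include loops
        return []
    seen.add(domain)
    found = []
    for term in spf_record(domain).split()[1:]:
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        target = arg.split("/")[0] or domain
        if "%" in target:  # macros are not expanded in this example
            continue
        if name in ("include", "redirect"):
            if not lookup(target, "TXT"):
                found.append((domain, term))
            found += void_terms(target, seen)
        elif name in ("a", "mx", "exists"):
            if not lookup(target, "MX" if name == "mx" else "A"):
                found.append((domain, term))
    return found

def audit(domain):
    voids = void_terms(domain)
    return {"void_terms": voids, "count": len(voids),
            "permerror": len(voids) > VOID_LIMIT}
```

Here `audit("example.com")` reports three void terms, one of them inside a vendor's included record, while `fixed.example.com` drops the two stale terms and stays within the limit with one.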
Hope this article helped you get a better understanding of the SPF void lookup limit and how it impacts your email flow and authentication results. To get advanced protection against spoofing, consider implementing DMARC for your domains for free!