Score:1

SPF Limits and SPF Merging

I am using Zoho Mail, AWS SES, GMAIL SMTP, Cloudflare email route and Yahoo SMTP. They all have their own SPF record. I saw on Google that only 1 SPF should be added in hostname and a maximum of 10 SPF hostnames is supported in 1 SPF record.

I am trying to merge them. Which is the correct one?

v=spf1 include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com ~all

or

v=spf1 a mx include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com ~all

or

v=spf1 a mx include:_spf.mx.cloudflare.net include:zoho.in include:_spf.google.com include:_spf.mail.yahoo.com -all

Errors I am getting when I am testing with mail-tester.com:

Error 1 : Maximum DNS-interactive terms limit (10) exceeded

Error 2 : example.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)

Paul
Which record are you using to generate the report? Also, the last two of the three are identical.
Mehul Kumar
@Paul `mail-tester.com` for testing the mail and errors. And all 3 records are different.
Reinto
You probably don't need the `A` and `MX` mechanisms, unless you have a mail server that uses the same IP address for sending and receiving. Those mechanisms usually come from examples ESPs use. Whether to use `soft fail` (`~all`) or `fail` (`-all`) in the catch-all is a personal choice. If you rely on DMARC, I'd suggest using `~all`, to not junk forwarded emails failing SPF.
Reinto
As for the 10-lookup-limit, you could consider using subdomains for authenticating SPF. i.e. many services allow you to send from [email protected], while setting the bounce address (`Return-Path` header) to [email protected], on which the SPF check is done.
Paul
The first record has two more DNS lookups than the other two. The DNS lookups for the last two are identical. Changing the mechanisms does nothing to change DNS lookups.
Reinto
@Paul Well, the question is about merging as well as about limits (errors). I imagine service A includes in their example `v=spf1 A MX include:_spf.serviceA.com -all`, while Service B includes in their example `v=spf1 MX include:_spf.ServiceB.com ~all` and Service C includes in their example `v=spf1 include:_spf.serviceC.com ~all`.
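
Added example, not part of the thread: a worst-case counter for the DNS-querying terms behind the "Maximum DNS-interactive terms limit (10) exceeded" error, run over a merged record in the shape Reinto describes. The `.example` names and every nested record are constructed for illustration; real providers' records have to be fetched from DNS.

```python
# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

def spf_lookups(record, zone, path=()):
    """Worst-case count of DNS-querying terms in `record`, following
    include: and redirect= targets through `zone` (a name -> TXT map)."""
    total = 0
    for term in record.split()[1:]:              # skip the "v=spf1" tag
        term = term.lstrip("+-~?").lower()       # drop the qualifier
        if term.startswith("redirect="):
            name, target = "redirect", term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
            name = name.split("/")[0]            # "a/24" -> "a"
        if name not in LOOKUP_MECHANISMS and name != "redirect":
            continue                             # ip4, ip6 and all cost nothing
        total += 1
        if name in ("include", "redirect") and target not in path:
            nested = zone.get(target, "")        # nested lookups count too
            total += spf_lookups(nested, zone, path + (target,))
    return total

# Constructed zone data (hypothetical services A, B, C; not real providers).
ZONE = {
    "_spf.servicea.example": "v=spf1 include:_n1.servicea.example "
                             "include:_n2.servicea.example include:_n3.servicea.example ~all",
    "_n1.servicea.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_n2.servicea.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_n3.servicea.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.serviceb.example": "v=spf1 include:_n1.serviceb.example "
                             "include:_n2.serviceb.example ~all",
    "_n1.serviceb.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_n2.serviceb.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "_spf.servicec.example": "v=spf1 a:mail.servicec.example ~all",
}
INCLUDES = ("include:_spf.servicea.example include:_spf.serviceb.example "
            "include:_spf.servicec.example")
MERGED = f"v=spf1 A MX {INCLUDES} ~all"              # examples pasted together
TRIMMED = f"v=spf1 {INCLUDES} ~all"                  # A and MX dropped
BOUNCE = "v=spf1 include:_spf.servicea.example ~all" # per-service subdomain

if __name__ == "__main__":
    for label, rec in (("merged", MERGED), ("trimmed", TRIMMED), ("bounce", BOUNCE)):
        n = spf_lookups(rec, ZONE)
        print(f"{label}: {n} lookups, {'over' if n > LOOKUP_LIMIT else 'within'} limit")
```

The count is an upper bound: a receiver stops at the first matching mechanism, so a given message may trigger fewer queries than the total.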