No one has responded to this discussion for at least a year, so this information may be out of date. If you're looking for information about this topic, please search for a more recent discussion or post a new question.

SPF record exceeding DNS Lookups

This question is not answered This question is not answered

Microsoft recommends adding the “include:outlook.com” in your SPF (TXT) DNS record, see the O365B tenant space | Domain Properties | DNS Settings. Doing this pushes us over the 10 DNS lookup limit for SPF records, see text below.
    Checking to see if there is a valid SPF record.

    Found v=spf1 record for mycompany.org:
    v=spf1 include:outlook.com include:messagelabs.com ~all

    evaluating...
    Results - PermError SPF Permanent Error: Too many DNS lookups

Outlook.com has an “include:” for hotmail.com and spf.messaging.microsoft.com
    Found v=spf1 record for outlook.com:
    v=spf1 include:hotmail.com include:spf.messaging.microsoft.com -all

Is there a Microsoft recommended and supported method to reduce the lookups related to Office 365?
 
 

 

1 out of 2 people found this post helpful.

All Replies
  • After adding Outlook.com to your SPF record you may received NDR or experience SPMA filtering issues sending mail to some third parties if you also have other entires in your SPF records that cause the number of DNS lookups to exceed 10. This depends on how the recipients handle the resulting Permanent Error when doing and SPF lookup on your domain.

    While you cannot exceed the 10 DNS lookups on an SPF record - you can work around this by using IP's in your SPF record instead of DNS names.

    This involves performing name lookups for the SPF records associated with outlook.com (with the hotmail includes) or other providers you have defined in your SPF record and listing them as IP in your record.

    You may be able to automate/script this process using DNSLINT command to resolve the spf records to IP's technet.microsoft.com/.../cc782978(WS.10).aspx and DNSCMD to update your SPF records

    Thanks

    Steven

    1 out of 1 people found this post helpful.

  • Hi,

    This seems exactly what I need but is it possible also with office365?

    We manage our DNS at go daddy.

    We get for dig TXT outlook.com

    "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 include:spfd.outlook.com include:spfe.outlook.com include:spff.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"

    which is ~8 lookups, which one do I drop if we use only email? Will using IP will help in anyway

  • I'm in the same boat.

    I read another post that says you have reduced the number of look ups to 7 (including the outlook.com lookup itself). That post was from April 2012 though, and it looks like you have bumped it back up to 8, plus outlook.com itself, which makes a total of 9.

    I need to add 2 more look ups to my spf, but I am unable to because of outlook.com taking up 9 of them already.

    Does anyone have any suggestions on how to "rework" the outlook.com spf to free up at least one dns lookup?

  • I have the same problem. I have only three spf records: outlook.com, newsletter system and webshop. The newsletter and webshop don't lookup more records, but outlook.com will loopup 9! I think that is ridiculous!

    Is there any support employee that can help? I don't understand the technet link

  • vamsoft.com/.../spf-policy-tester  shows the actual 8 queries that the new SPF guideline for o365 (spf.protection.outlook.com) uses.   Just plug in a fake IP (1.2.3.4) and your email address and watch how it does the evaluation.  Now, note it does not actually cause a failure due to too many DNS lookups (it will exceed 10), but it will show you exactly the number of queries your current SPF requires.

    1 out of 1 people found this post helpful.

  • I have the same issue/complaint...  I have application, newsletter, and outlook.  I have the too many DNS Lookups issue.  is there any other creative way of addressing this?  or could MS consolidate their mail sources!