Reducing DNS lookups on SPF record

Hello,
I am hoping for advice please, on the best way to reduce the number of additional DNS lookups on our SPF record. We currently have 12, and so would like to reduce it to the recommended maximum of 10. I have read that ‘SPF Flattening’ is not a good idea, (I don’t know what that is anyway), so hoping for other suggestions.

Several of the IP addresses on the “Pass senders with IP address…” list are Cloudflare IP addresses. I’m a bit confused by this, as whilst our website pages are served via Cloudflare, we don’t as far as I know send any emails through Cloudflare, (unless I am misunderstanding how email delivery works - quite possible).

The majority of our email goes out via our own webserver, plus email from two other sources, so those are in our DNS lookup rules, but that’s all, just those three sources. So it kind of looks to me as though the Cloudflare IPs on the list of rules are what makes us have 12 DNS lookups… does that sound right? Any suggestions or advice welcome!

Not really.

Aside from the Email routing product which can be used to forward your inbound domain email to a third-party mailbox, Cloudflare has no offering that involves email.

Do you know who created your SPF record?
Is that person still around to ask why it contains what it does?

If you were using a DMARC reporting service, it would be relatively easy to pare back your SPF record to only the portions that you know that it should contain while monitoring to see if you had missed any legitimate sources. I use dmarcian in my practice, but you may able to achieve similar results with other platforms.

Since any SPF that contains over 10 DNS lookups fails, it shouldn’t really hurt to strip it down to what you know is needed. Just be sure to keep a copy of the previous version’s contents for reference.

If you want to drill deeper into the matter than is appropriate for the Cloudflare Community, dmarcian has a forum devoted to the topic.

Hi, Thanks so much for your reply. I’m now not sure if I have been looking in the right place, to see what exactly our “12 DNS queries” are.

No one from our side has added Cloudflare IP’s to our SPF record, the only reason I thought that Cloudflare IP’s were included is because they are on the list when I looked up our domain using an SPF Validator tool (after we had activated DKIM on our server) - I can’t actually see those Cloudflare IP’s on the DNS page in our Cloudflare portal. So…

I think I need to understand where / how I go to look at what our our “12 DNS queries” actually are. I thought our SPF record was the TXT record starting with “v=spf1…” but that only lists three allowed servers from where our emails originate (our own website plus two other sources). The SPF validator results tell me that 'The SPF record exceeds the maximum of 10 DNS queries to evaluate." and that we have “12 Required Queries” in our SPF record, so how can I see what those 12 queries are?

Sorry to sound dim, but we don’t have anyone in our (charitable) organisation who knows about these things! Thanks for any further advice!

Enter your domain name into the SPF Surveyor at dmarcian. It will show you exactly what is going on.

Thank you! I did that and it has all become clear!

We send out our charity newsletter through an email marketing service, and because we were finding a number of our news emails were bouncing they recommended we ad their domain & IP’s to our SPF record, which we did. However the ‘Dmarcian’ results I just looked at show that adding them to our record has created 9 DNS lookups!!! In addition to the domains and IP’s that we added, it seems to have also added some ‘extra’ lookups that we weren’t aware of as follows: include:mail.zendesk.com include:_spf.salesforce.com include:_spf.google.com include:u17235485.wl236.sendgrid.net
So I’m now wondering if we can get rid of these extra lookups, or if we delete the email marketing service from our SPF record altogether. We only added them on to the record a couple of weeks ago - had no idea about these extra ‘lookups’!
What do you think?

I just had another thought - and please forgive me if this sounds very dim indeed - but as we send our newsletter through an external email marketing service, and those go out from their server (not ours) then why would we need their domain & IP addresses included on our own SPF record anyway?

Thanks for any thoughts / advice !

1 Like

I have answers, but we are drifting pretty far off topic for the Cloudflare Community. If you want to pick this up over on the dmarcian forums, I’m happy to continue the conversation there.

Ah, OK I hadn’t realised. Thank you! I will join up to the dmarcian forum then, and post there. I will aim to register as “DavetheCat” there too, to save any confusion.

Just to tie this thread up, in case anyone has the same issue: In our case, as we send our newsletter through an external email marketing service, and so those go out from their server (not ours) then we didn’t need to include their details on our own SPF record. Removing them from our SPF record has solved our issue.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.