SPF Record Over Lookup Limit Causing Intermittent Delivery Failures

Delivery failing to specific recipients, no pattern

The firm used seven cloud services that sent email on their behalf — CRM, accounting, support desk, marketing, transactional notifications, invoicing, and direct Exchange Online. Each had been added to the SPF record as it was set up, with no audit of the total DNS lookup count. The resulting include chain resolved to 14 DNS lookups — well above the RFC 7208 limit of 10. Providers that enforced the limit strictly were returning permerror and dropping the mail. Providers that were lenient were accepting it. Hence the apparently random pattern of failures.

SPF audit and restructure

• Mapped the full SPF include chain, counting all DNS lookups
• Identified two deprecated service includes — services the firm had stopped using
• Removed deprecated includes and restructured remaining ones to reduce nesting
• Flattened two high-lookup includes to direct IP ranges, bringing total to 7
• Verified the restructured record with lookup-count tooling before publishing
• Added SPF evaluation monitoring to detect future drift

Delivery restored, lookup count under limit

• SPF lookup count reduced from 14 to 7
• Intermittent delivery failures resolved within 24 hours of DNS propagation
• DMARC pass rate increased from 61% to 99.4% in the following reporting period
• Monitoring in place to alert on SPF evaluation failures before they become delivery problems