Office365 SPF record has too many lookups

email spf microsoft-office-365

5,927

Solution 1

As of some recent date, Microsoft has "fixed" this problem by getting rid of all sub-records and using 2 or 3 "ptr" records instead:

$ dig TXT spf.protection.outlook.com
spf.protection.outlook.com. IN  TXT "v=spf1 ptr:protection.outlook.com ptr:o365filtering.com -all"

$ dig TXT spf.messaging.microsoft.com
spf.messaging.microsoft.com. IN TXT "v=spf1 ptr:protection.outlook.com ptr:messaging.microsoft.com ptr:o365filtering.com -all"

Here's the problem: while this will help Office 365 clients avoid stay below the "Too many lookups" PermError ... it does so by forcing every mailserver in the world to do (expensive) PTR lookups for every IP address that connects to them.

Per the SPF specification:

If at all possible, you should avoid using this mechanism in your SPF record, because it will result in a larger number of expensive DNS lookups.

Solution 2

We have also found this issue. Microsoft are 'encouraging' you to use Office 365 exclusively for your email as there is no room now to add new items.

The way we got around it was twofold.

First, we can pare down DNS lookups by adding the other entries as explicit IPv4 entries. This lets us add a number of explicit IPs before we include:outlook.com

Secondly, we set up a separate subdomain under our main domain for the Office 365 stuff. This way, emails @foo.company.com get the Office 365 SPF, and emails @comapny.com get our normal SPF. It's not perfect, but fortunately the places where we have used Office 365 are all able to use email addresses within the subdomain rather than the base domain.

5,927

Author by

Sammitch

Professional IT Squirrel Herder and advocate of hitting problems with sticks.

Updated on September 18, 2022

Comments

Sammitch almost 2 years
For some utterly ridiculous administrative reasons we've got a split domain with one mailbox on Office365 which requires us to add include:outlook.com to our SPF record. The problem with this is that that rule alone requires nine DNS lookups of the maximum of 10.

Seriously, it's horrible. Just look at it:
```
v=spf1
include:spf-a.outlook.com
include:spf-b.outlook.com
ip4:157.55.9.128/25
include:spfa.bigfish.com
include:spfb.bigfish.com
include:spfc.bigfish.com
include:spf-a.hotmail.com
include:_spf-ssg-b.microsoft.com
include:_spf-ssg-c.microsoft.com
~all
```
Given that we have our own large-ish mail system we need to have rules for a, mx, include:_spf1.mydomain.com, and include:_spf2.mydomain.com which puts us at 13 DNS lookups which causes PERMERRORs with strict SPF validators, and completely unreliable/unpredictable validation with non-strict/badly implemented validators.

Is it possible to somehow eliminate 3 of those include: rules from the bloated outlook.com record, but still cover the servers used by O365?

Edit:

Commentors have mentioned that we should simply use the shorter spf.protection.outlook.com record. While that is news to me, and it is shorter, it's only one record shorter:
```
spf.protection.outlook.com
  include:spf-a.outlook.com
  include:spf-b.outlook.com
  include:spf-c.outlook.com
  include:spf.messaging.microsoft.com
    include:spfa.frontbridge.com
    include:spfb.frontbridge.com
    include:spfc.frontbridge.com
```
Edit²

I suppose we can technically pare this down to:
```
v=spf1 a mx include:_spf1.mydomain.com include:_spf2.mydomain.com include:spf-a.outlook.com include:spf-b.outlook.com include:spf-c.outlook.com include:spfa.frontbridge.com include:spfb.frontbridge.com include:spfc.frontbridge.com ~all
```
but the potential issues I see with this are:
1. We need to keep abreast of any changes to the parent spf.protection.outlook.com and spf.messaging.microsoft.com records. If anything is changed or [god forbid] added we would have to manually update ours to reflect that.
2. With our actual domain name the record's length is 260 chars, which would require 2 strings for the TXT record, and I honestly don't trust that all of the DNS clients and SPF resolvers out there will properly accept a TXT record longer than 255 bytes.
- gusya59 over 10 years
  
  Can you not just add spf.protection.outlook.com for all of Office365? technet.microsoft.com/en-us/library/hh852557.aspx
- kralyk over 10 years
  
  Why isn't the SPF record for O365 the simple current one? include:spf.protection.outlook.com (curious to be honest, never seen what you have setup...did the portal tell you to put all of that?)
- Sammitch over 10 years
  
  All the documentation I found said to use include:outlook.com, so spf.protection.outlook.com is news to me. The problem remains though, since that record still requires 8 lookups, and I need to get it down to 6 or lower.
- Atulmaharaj about 10 years
  
  Don't forget to count the two PTR lookups under 'spfa.frontbridge.com'. According to RFC 7208 they also count toward the limit of 10 lookups. :(
John Hart over 9 years

@ChrisS - I thought about that too, however the SPF specification does state that the "ptr:" mechanism has to be verified both ways for reciprocal DNS - the receiving mailserver should first do a PTR on the IP, and then do an A on the resulting hostname, and the IP must be listed in the A record. So I don't think it's a security hole, at least not for conforming SPF implementations.
Philip over 9 years

Ah, good find there. I wasn't aware of the caveat.