I'm going through almost exactly the same issue at my employer. We have 11 DNS entries, some brought in by recursion (thanks gmail!) The ip4
and ip6
entries do not contribute, only things that cause a DNS lookup count.
The best fix is to reconfigure sendgrid or mandrill or qualtrics to use a subdomain for all their sending. Something like @customersuccess.mycompany.com
to avoid being brand-specific. This gives you a separate batch of 10 DNS entries and helps partition mail senders from each other.
However it is nigh-on impossible to get a working service reconnfigured in a corporate world.
You can lay down that any new mail-sending service MUST use a suitable subdomain, which is less-impossible.
Technically - both our SPF records are out-of-compliance with RFC 4408 documented at https://datatracker.ietf.org/doc/html/rfc7208 where section 4.6.4 says
In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA"
resource records. If this limit is exceeded, the "mx" mechanism MUST
produce a "permerror" result.
Technically, any MTA could start rejecting our company's emails with a PERMERROR at any time.
That has not happened in my experience, and while it is not impossible, the likelyhood is very low. And if someone did implement this, it would be one/some mail-receiving MTAs not all at once.
Related, I found that https://www.proofpoint.com/us/cybersecurity-tools/dmarc-spf-creation-wizard#spf-check works well for doing a nice check on SPF.
microsoft.com
has exactly 10 DNS lookups,
toyota.com
has 18 (and a typo around the use of mx
in the wrong place, and some pieces are too big for a UDP packet too. )
Upshot - yes it's wrong, but not really enforced at this time.
Update a couple weeks later - I have identified that there are some few mail servers which accept then silently drop emails because of this. So I'm attempting to update my SPF record to be flattened - see https://security.stackexchange.com/questions/264167/flattening-an-spf-record-drawbacks-and-downsides
include
mechanism. Just followdig txt _spf.google.com +short
to see what I mean. Haven't had to deal with this problem before so haven't tested creating my own solution.v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
.Results - PermError SPF Permanent Error: Too many DNS lookups
after adding the two new includes.