What’s the Maximum Length for an SPF Record?

450 characters minus the length of the domain name and minus the length of any other TXT record value. This is the upper exclusive limit recommended in RFC 7208, the document that specifies SPF.

So, if you’re adding an SPF record to example.com (which is 11 characters long) and you already have another TXT record with the value google-site-verification=abcdefghijklmnopqrstuvwxyz1234567890abcdefg (68 characters), your SPF record should be less than 371 characters (= 450 - 11 - 68).

Is this a hard limit and where does it come from?

When DNS was established in the 1980s, the maximum size for a UDP response was set at 512 bytes. Responses exceeding this limit required a fallback to TCP, which was initially seen as merely an optional component of DNS, leading to inconsistent implementation. Even today, some DNS resolvers still face challenges with falling back to TCP for large DNS packets. A 2022 study concluded that between 2.7% (optimistic estimate) and 4.8% (pessimistic estimate) of resolvers were incapable of TCP fallback. A similar situation applies to EDNS, a specification for increasing the UDP message size limit from 512 to 4096 bytes. Despite EDNS being introduced in 1999, some firewalls continue to block UDP packets larger than 512 bytes.

This reality makes the ancient 512-byte size limit still relevant today. Although the theoretical upper limit is 65535 bytes (the maximum possible size of a TCP packet), aiming for optimal compatibility means keeping your domain’s TXT records short enough to fit within a 512-byte UDP packet. But what does this mean for your SPF record? How many characters can you include before the DNS message size exceeds 512 bytes? There isn’t a straightforward answer to this question because the size of a DNS message depends on several factors, including the length of the domain name, whether the DNS server uses message compression, and the number of returned records. For those who enjoy a challenge, studying RFC 1035 and using a packet sniffer like Wireshark to analyze DNS packets can provide insights into how DNS messages are formatted.

A more practical approach is to adhere to the 450-byte limit recommended in the SPF specification, which is a safe guideline. Alternatively, you can use dig to check the current message size for your domain and use that as a starting point for your calculations:

dig @8.8.8.8 dmarcchecker.app TXT

The MSG SIZE rcvd: 123 output in this example indicates that the UDP response size is 123 bytes. Considering that the current TXT record value (v=spf1 include:spf.messagingengine.com include:amazonses.com -all) is 65 characters long, you can have a maximum SPF record length of approximately 454 characters (= 512 - 123 + 65). Actually, it’s precisely 453 characters because if the value exceeds 255 characters, it must be divided into two strings, requiring an additional length byte in the message.

Another easy way to check the DNS response size is by using our DMARC Checker. In the SPF section under “Log messages,” it displays the received byte count and also issues a warning if it had to fall back to TCP to retrieve the response.

How do major email providers handle large SPF records?

To understand how the big email providers handle large SPF records, we did a small experiment. We expanded our SPF record by adding unknown modifiers (which should be ignored by SPF validators) and observed the responses from Gmail, Outlook.com, and Yahoo Mail. Interestingly, none of the email services appeared to impose a limit on the size of the SPF record. Our SPF record was successfully retrieved and validated even after expanding it to the 65535-byte TCP packet size limit.

Next, we created SPF records with different numbers of ip4 and ip6 mechanisms. While Outlook.com and Yahoo Mail again accepted all our records without issue, Gmail only checked the first 101 mechanisms. If none of those matched, it gave up and produced a neutral result. This suggests that it’s probably best to keep your SPF record to at most 101 mechanisms.

What can I do to shorten my SPF record?

If you need to streamline your SPF record, here are a few strategies you might find useful:

• Opt for IP ranges rather than enumerating each individual IP address of your mail servers. For example, ip4:192.168.0.1/24 covers all IP addresses from 192.168.0.1 to 192.168.0.255. If you’re already using IP ranges, ensure there’s no redundancy or overlap.
• Break down your record into smaller sections, assign these sections to SPF-specific subdomains, and then reference them in your primary domain’s SPF record. For instance, create an SPF record for the subdomain _spf1.example.com containing part of your SPF mechanisms, and another for _spf2.example.com with the rest. Your main domain’s SPF record could then be v=spf1 include:_spf1.example.com include:_spf2.example.com -all.
• Consider removing unnecessary TXT records from your domain. Many domains accumulate verification tokens and records for services no longer in use. Cleaning these up can make more room for your SPF record.
• For those looking for a more advanced solution, using macros can significantly shorten an SPF record. An example is v=spf1 exists:%{i}._spf.example.com -all, which contains the %{i} macro. This macro dynamically replaces itself with the sender’s IP address. For instance, if 192.168.0.1 sends an email, the exists mechanism will verify if a corresponding subdomain 192.168.0.1._spf.example.com exists by checking for an A record.