Sender Policy Framework (SPF) records have a 255 character string limit in Domain Name System (DNS). If you have an SPF record with a string longer than 255 characters, you will fail the SPF authentication check.
Here are some common ways to optimize your SPF record character space:
Remove mechanisms that resolve to the same domain
Remove any mechanisms from your SPF record that resolve to the same domain.
For example, Return Path’s SPF record references both gmail.com and example.com’s SPF record. However, example.com’s SPF record already has an include statement for gmail.com. This means that Return Path only needs an include statement for example.com.
Avoid ptr mechanisms
You should avoid using the ptr mechanism because it is not supported by SPF specification anymore and will count toward your character limit.
The ptr mechanism is a type of DNS record that resolves an IP address to a domain or hostname.
Remove legacy partner and vendor domains
You should remove any include statements that redirect the SPF check to a vendors or partners’ SPF record who no longer send email on your behalf. Removing these eliminates unnecessary character space.
Senders use include statements to redirect the SPF check to a vendor or partner’s SPF record whose IPs often change. Using the include statement of a partner or vendor means the sender does not have to consistently update those changing IP ranges in their own SPF record.
Check the address range
If you have many ip4 and ip6 mechanisms, make sure they’re not redundant. For example, remove any ip4 or ip6 mechanisms that you aren’t using anymore and check to see if there are any IP address ranges that can be merged.
Here’s an example of IP address ranges that can be merged using CIDR notation:
v=spf1 a mx ip4:192.168.0.0/24 ip4:192.168.1.0/24 -all
ip4:192.168.0.0/24 = 256 IP addresses; 192.168.0.0 - 192.168.0.255
ip4:192.168.1.0/24 = 256 IP addresses; 192.168.1.0 - 192.168.1.255
Here’s what the above example can be replaced with:
v=spf1 a mx ip4:192.168.0.4/23 -all
ip4:192.168.0.0/23= 512 IP addresses; 192.168.0.0 - 192.168.1.255
Create an SPF specific subdomain
Another effective way to reduce the number of characters in an SPF record is to create an SPF specific subdomain represented as: _spf.domain.com. Using “_spf” as the subdomain name signals to a mailbox provider to treat the subdomain as a storage container, which is only used for listing additional SPF information.
Some larger organizations may need to create multiple SPF specific subdomains. If you need to create more than one SPF specific subdomain, use the following format: _spf, _spf1, _spf2, and so on.
For example, Google has multiple IP addresses represented in different netblocks due to the size of their organization. Attempting to place all of this information into one SPF record for google.com would exceed 255 characters. To resolve this, Google created smaller storage containers of SPF records with IP addresses that do not exceed 255 characters and combined them together using include statements to stay under the 255 character limit.
Here is a list of netblocks used by Google and their corresponding SPF records:
v=spf1 ip4:126.96.36.199/20 ip4:188.8.131.52/19 ip4:184.108.40.206/20 ip4:220.127.116.11/20 ip4:18.104.22.168/18 ip4:22.214.171.124/16 ip4:126.96.36.199/21 ip4:188.8.131.52/16 ip4:184.108.40.206/20 ip4:220.127.116.11/17 ip4:18.104.22.168/19 ip4:22.214.171.124/19 ~all
v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all
v=spf1 ip4:126.96.36.199/19 ~all
In order to keep the google.com SPF record under 255 characters, Google created an SPF specific subdomain of _spf.google.com and references each netblock using an include statement in the SPF record. The include statement instructs a mailbox provider to search for additional SPF information for the domain listed.
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
Google then adds their SPF specific subdomain _spf.google.com with an include statement to the google.com SPF record. The end result is a simple SPF record for google.com that does not exceed 255 characters.
v=spf1 include:_spf.google.com ~all
Prior to creating an SPF specific subdomain, try to use CIDR notation for IP ranges in order to reduce the length of your SPF record under the 255 character limit.