Dynamic SPF is a OnDMARC feature that allows you to have more than 10 DNS lookups.

When an email is sent from your domain the receiving server will check your SPF records to see if the email has been sent from an authorised IP address. The receiving server will issue up to 10 DNS lookups to carry out this check. This is limited as part of the SPF specification to limit the potential for abuse and DoS attacks against the DNS infrastructure of the internet.

The DNS lookups are typically used when you authorise cloud services like Office 365, Gmail, Mailchimp etc to send on your behalf. If your organisation uses a number of these services, you may quickly find that this limit is insufficient. Once your SPF record exceeds this limit, your email validation will start to fail affecting your deliverability.

It is important to remember that each sending source typically has more than one DNS lookup embedded in it, for example GSuite uses 4.

For Geeks:

Regarding Dynamic SPF, the SPF protocol has a DDoS protection that limits the number of DNS lookups that it can perform on your SPF record to 10. As you configure all your email services as part of your DMARC implementation you might find out that you will need to go over this limit. Dynamic SPF allows you to have more than the normally available number of authorized services using the SPF authentication mechanism. We give you a record that replaces all your mechanisms with a single include that dynamically combines all your authorized services correctly at the point of query. This prevents your authorized traffic from failing SPF validation.

Did this answer your question?