Dynamic SPF is an OnDMARC feature that allows you to beat the 10 DNS lookup limit in a simple and elegant way.

When an email is sent from your domain, the receiving server will check your SPF record to see if the email has been sent from an authorised IP address. The receiving server will issue up to 10 DNS lookups to carry out this check. This is limited as part of the SPF specification to limit the potential for abuse and DoS attacks against the DNS infrastructure of the internet.

As you configure all your email services as part of your DMARC implementation you might find out that you will need to go over this limit. Dynamic SPF allows you to have more than the normally available number of authorized services using the SPF authentication mechanism. We give you a record that replaces all your mechanisms with a single include that dynamically combines all your authorized services correctly at the point of query. This prevents your authorized traffic from failing SPF validation.

These SPF mechanisms are typically used when you authorise cloud services like Office 365, Google Workspace, your HR system, etc to send on your behalf. If your organisation uses a number of these services, you may quickly find that this limit is insufficient. Once your SPF record exceeds this limit, your email validation will start to fail affecting your deliverability.

It is important to remember that each sending source may have more than one DNS lookup embedded in it, for example Google Workspace uses 4.

Now that you know what Dynamic SPF is, learn how to configure it!

Did this answer your question?