Newbie to this forum here. I need to reduce the number of additional DNS lookups on our SPF record, from 12 to the recommended maximum of 10 (or fewer if possible). Thanks to advice on another forum I checked our domain on dmarcian’s SPF Surveyor, and discovered that 9 of the additional DNS lookups seem to be related to an external email marketing service that we use to send out our monthly charity newsletter. Because we were finding a number of our newsletter emails were bouncing the email marketing service we use recommended we add their domain & IP’s to our SPF record, which we did. But now it looks like adding their domains and IP’s to our record, has resulted in some ‘extra’ lookups being added that we weren’t aware of as follows: include:mail.zendesk.com include:_spf.salesforce.com include:_spf.google.com include:u17235485.wl236.sendgrid.net
Also - and this might sound a bit dim, but I did wonder, since we send our newsletter through an external email marketing service, (so they go out via their server, not ours) why would we need their domain & IP addresses to be included on our own SPF record anyway? Hence I’m now wondering if we can get rid of any of these extra lookups, or if we delete the email marketing service from our SPF record altogether.
Thanks for any help!
Welcome to the dmarcian forum.
damarcian provides an online resource that lists the ability of third-party senders to send authenticated mail on behalf of their customer domains. You may want to cross reference your email sending partners against that list.
Determining which partners make sense to merge into your SPF depends on how they send. If they don’t use your domain in the return-path, there really isn’t any point in including their SPF in yours, since those messages will never pass DMARC via SPF due to missing alignment.
Thanks for this! I’ve had a look a the ‘Return-Path’ on some of our newsletter sendings, and it doesn’t include our domain name. I’m going to ticket the email marketing service to clarify this, but on the face of it, it looks to me like we may not need them in our own SPF record. I will post back once I know more…
Thanks for this! You were spot on, our domain is not used in the return-path for our newsletter emails, so we have removed them from our SPF record. Having re-run the SPF check we now only have 3 DNS lookups - problem solved!
Hopefully they have a mechanism for DKIM authentication if they use your domain in the From field of the message.
Yes, they do have DKIM set up on their servers. Our domain is mentioned within the “From” field, but only before the @ sign, so I don’t think that would refer to our server; I presume the DKIM check for these mailings would be carried out on the domain of the email service (which appears after the @ sign).
(We do also have DKIM enabled on our own server too.)