Are SPF records checked depth first or breadth first (or something else)

Question

We have a domain which has 11 includes; so is failing SPF validation as it's gone over the limit. Most of the lookups are for third party resources, so flattenning the SPF record isn't ideal; we'd rather ensure that things are updated dynamically when the third parties update their records.

One of the lookups is a legacy value that we've not found documentation for; so we're not sure whether it's required... we're asking around before we remove it, but it's a large company with lots of cul-de-sacs and crevices in which requirement owners hide, so checking such things takes time.

We're thinking that having more than 10 lookups is only an issue for those records which exceed the 10th lookup; all values prior to that should succeed even if there are more in total. As such, if we can move the unknown lookup to the end that will reduce the risk of something we care about being impacted.

• Is that assumption correct / do the first 10 SPF lookups work when there are more than 10 in total?

• If so, what is the 11th record - i.e. are the lookups calculated breadth first, depth first, or is it not specified so depends on provider?

Answer 1

Yes, the lookup limit is evaluated ‘as you go’, that is depth-first. While this is not explicitly stated in the spec, it is implied by the evaluation algorithm.

In principle what you propose works. If the first ten lookups should yield the pass result for a legitimate sender, that sender will indeed get the pass result. However, anything past those ten lookups will evaluate to permerror, instead of the fail or softfail result mandated by any -all or ~all directive in your record.