16

I am trying to set up SPF on a server - mail works fine and validates according to mxtoolbox and other online checks but when I check it using http://www.kitterman.com/spf/validate.html I get an error:

PermError SPF Permanent Error: Void lookup limit of 2 exceeded

I am aware of a limit of 10 lookups but have not seen this error before.

SPF record is:

v=spf1 a mx ip4:IP1 ip4:IP2 ip6:IP3 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-c.outlook.com include:spf.messaging.microsoft.com include:_spf.zdsys.com include:spf.mail.intercom.io -all

What is the void lookup limit referring to?

bhttoan

1 Answer

15

The void lookup limit was introduced in RFC 7208 and refers to DNS lookups which either return an empty response (NOERROR with no answers) or an NXDOMAIN response. This is a separate count from the 10 DNS lookup overall count.

As described at the end of Section 11.1, there may be cases where it is useful to limit the number of "terms" for which DNS queries return either a positive answer (RCODE 0) with an answer count of 0, or a "Name Error" (RCODE 3) answer. These are sometimes collectively referred to as "void lookups". SPF implementations SHOULD limit "void lookups" to two. An implementation MAY choose to make such a limit configurable. In this case, a default of two is RECOMMENDED. Exceeding the limit produces a "permerror" result.

This is meant to help prevent erroneous or malicious SPF records from contributing to a DNS-based denial of service attack.

In your case, the problematic part seems to be:

include:spf.messaging.microsoft.com

Its SPF record is:

v=spf1 ptr:protection.outlook.com ptr:messaging.microsoft.com ptr:o365filtering.com -all

All three of those records, if looked up, return either NOERROR with no records or NXDOMAIN.

Since three records didn't return anything, you exceeded the void lookup limit of 2, and the SPF record fails.

Michael Hampton
  • Perfect thanks, I checked and got an updated SPF record for Office 365 and upon using that the error has gone – bhttoan Feb 09 '15 at 21:08
  • Great info. What's a good way to lookup the records to see what they return? I need to figure out which of mine is the problem. – mlissner Oct 31 '15 at 17:03
  • @mlissner There are plenty of online SPF validator web sites you can try. – Michael Hampton Oct 31 '15 at 17:22
  • I have found that at least in case of the `python-spf` implementation the lookups performed depend on the IP address being validated and thus the number of queries returning no record varies. Since the domain owner has no control over which IP addresses will need to be validated a consequence of that is that any `a` or `mx` specification in the SPF record must point only to dual stack names in order to prevent spurious errors. – kasperd Nov 24 '17 at 23:49
  • In my case I had assigned 2 servers mail1.mydomain.org and mail2.mydomain.org which both targeted the same mydomain.org server. When one of these was removed and the remaining one simply named mydomain.org the failed lookups error went away. – Trunk Apr 18 '23 at 16:20
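An offline way to see which terms of a record cause void lookups, added here as an example and not taken from the question, the answer or any of the commenters: the walker below visits every DNS-querying term of an SPF record (a, mx, ptr, include, exists, redirect), counts the terms against the limit of 10 and counts queries that return nothing against the void limit of 2, the way the answer describes RFC 7208. Everything it resolves comes from a constructed in-memory zone table (names under .test, addresses from documentation ranges), so nothing touches the network. The model is deliberately simple and is an assumption of this example, not of any real checker: it visits every term as if no mechanism matched (the worst case a receiver could hit), and each ptr term issues its own PTR query for the client address, which is what reproduces the three-void count the answer describes for a client without reverse DNS. It also illustrates kasperd's point: the same `a mx` record produces no void lookups for an IPv4 client and two for an IPv6 client when the names behind it have A but no AAAA records.

```python
"""Offline walk of an SPF record that counts DNS-querying terms (limit 10) and
"void lookups" (limit 2) as RFC 7208 section 4.6.4 defines them.
Zone data is constructed for this example; nothing is resolved on the network."""
import ipaddress

MAX_TERMS = 10        # a, mx, ptr, include, exists, redirect together
MAX_VOID_LOOKUPS = 2  # queries answered NXDOMAIN or NOERROR with no records


class PermError(Exception):
    pass


class FakeResolver:
    """Resolver over a constructed (name, rrtype) -> answers table. A key that
    is absent stands for NXDOMAIN or NOERROR/no data; SPF counts both as void."""

    def __init__(self, table):
        self.table = {(n.lower(), t): v for (n, t), v in table.items()}
        self.terms = 0
        self.void_lookups = 0

    def count_term(self):
        self.terms += 1
        if self.terms > MAX_TERMS:
            raise PermError("DNS lookup limit of %d exceeded" % MAX_TERMS)

    def query(self, name, rrtype):
        answers = self.table.get((name.lower(), rrtype), [])
        if not answers:
            self.void_lookups += 1
            if self.void_lookups > MAX_VOID_LOOKUPS:
                raise PermError("Void lookup limit of %d exceeded" % MAX_VOID_LOOKUPS)
        return answers


def walk(domain, client_ip, resolver):
    """Visit every term of the record (worst case: nothing matches early),
    following include and redirect and issuing the queries each term needs."""
    spf = [r for r in resolver.query(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise PermError("no single SPF record for %s" % domain)
    # "a" and "mx" ask for A or AAAA depending on the connecting client's family
    family = "AAAA" if ipaddress.ip_address(client_ip).version == 6 else "A"
    redirect = None
    for term in spf[0].split()[1:]:
        mech, _, value = term.lstrip("+-~?").partition(":")
        if "=" in mech:                       # modifier such as redirect=domain
            mod, _, value = mech.partition("=")
            if mod == "redirect":
                resolver.count_term()
                redirect = value
            continue
        mech = mech.split("/")[0]             # drop a dual-cidr-length suffix
        if mech in ("all", "ip4", "ip6"):
            continue                          # no DNS involved
        resolver.count_term()
        target = value.split("/")[0] or domain
        if mech == "include":
            walk(target, client_ip, resolver)
        elif mech == "a":
            resolver.query(target, family)
        elif mech == "mx":
            for host in resolver.query(target, "MX"):
                resolver.query(host, family)
        elif mech == "exists":
            resolver.query(target, "A")       # always an A query per the RFC
        elif mech == "ptr":
            resolver.query(ipaddress.ip_address(client_ip).reverse_pointer, "PTR")
    if redirect:
        walk(redirect, client_ip, resolver)


def audit(domain, client_ip, table):
    """Return (result, terms counted, void lookups counted) for one client IP."""
    resolver = FakeResolver(table)
    try:
        walk(domain, client_ip, resolver)
        result = "ok"
    except PermError as exc:
        result = "permerror: %s" % exc
    return result, resolver.terms, resolver.void_lookups


# Constructed zone data (hypothetical names and documentation-range addresses).
FAKE_DNS = {
    # domain being audited: includes a filtering provider built on ptr terms
    ("example.test", "TXT"): ["v=spf1 a mx include:_spf.filter.test -all"],
    ("example.test", "A"): ["192.0.2.10"],
    ("example.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["192.0.2.25"],
    ("mail.example.test", "AAAA"): ["2001:db8::25"],
    ("_spf.filter.test", "TXT"): ["v=spf1 ptr:filter.test ptr:old.filter.test ptr:gone.filter.test -all"],
    # only this client address has reverse DNS in the table
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.test"],
    # a domain whose a/mx names carry A records but no AAAA records
    ("v4only.test", "TXT"): ["v=spf1 a mx -all"],
    ("v4only.test", "A"): ["192.0.2.10"],
    ("v4only.test", "MX"): ["mx.v4only.test"],
    ("mx.v4only.test", "A"): ["192.0.2.11"],
}

if __name__ == "__main__":
    for domain, client in [("example.test", "192.0.2.25"), ("example.test", "203.0.113.7"),
                           ("v4only.test", "192.0.2.50"), ("v4only.test", "2001:db8::50")]:
        print(domain, client, audit(domain, client, FAKE_DNS))
```

The client with reverse DNS walks all six terms cleanly; the client without it trips the void limit on the third ptr term, which is the count the answer arrives at. The v4only.test record is clean for an IPv4 client but already sits at the limit of two void lookups for an IPv6 client, so one more void-producing term anywhere in the chain would turn it into a permerror only for IPv6 senders. Pointing `a` and `mx` terms at dual-stack names, or replacing ptr terms with ip4/ip6 networks as the updated provider record in the question did, removes both sources of void lookups.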