Did you know that there is a maximum number of DNS lookups an SPF evaluation may perform? The limit is 10 (RFC 7208, section 4.6.4), and it counts every include, a, mx, ptr and exists mechanism and every redirect modifier, followed recursively through each include; ip4, ip6 and all cost nothing. I noticed this when I ran an SPF check on a domain and noticed it was 12. One of the culprits is how Zendesk sets up their SPF record. For example, their doc says to use the following:
v=spf1 include:_spf.zdsys.com ~all
Now that's fine, but if we do a
dig txt _spf.zdsys.com
that is one lookup, and we get the following back:
_spf.zdsys.com. 3600 IN TXT "v=spf1 include:_netblocks.zdsys.com ~all"
So they have another DNS lookup: to reach Zendesk's actual netblocks you need one extra query, so that single include costs two of your ten. It adds up when you use Google Apps for email, since their include chain uses around 5 lookups to reach all their hosts. Go past 10 and RFC 7208 says the evaluator returns permerror, so the whole record fails rather than just the extra includes.
So I created a simple Nagios check in Python to keep tabs on our SPF record and make sure we stay under the 10 limit.
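As an added example (not the author's actual Nagios check, which is not on the page), here is a Python script in the same spirit: it walks an SPF record, counts every include, a, mx, ptr, exists and redirect term recursively, flags include loops and missing records (both permerrors), and maps the total onto Nagios exit codes. The zone data is constructed so the script runs offline; the Zendesk chain matches the dig output above, while example.com, the Google entries and the other test domains are assumptions. live_resolve_txt assumes dnspython 2.x is installed and is only needed for a real deployment.

```python
import re
import sys

# Terms that each cost one DNS query under the RFC 7208 section 4.6.4 limit.
# ip4, ip6, all and the exp modifier are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# optional qualifier, term name, optional ":"/"=" target, optional CIDR suffix
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]*))?(?:/.*)?$", re.I)

# Constructed zone data so the example runs offline. The Zendesk chain copies
# the post; every other name here is illustrative (assumption), not a live record.
FAKE_ZONE = {
    "example.com": "v=spf1 mx include:_spf.zdsys.com include:_spf.google.com ~all",
    "_spf.zdsys.com": "v=spf1 include:_netblocks.zdsys.com ~all",
    "_netblocks.zdsys.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "zendesk-only.example": "v=spf1 include:_spf.zdsys.com ~all",
    "loop.example": "v=spf1 include:loop.example ~all",
    "missing.example": "v=spf1 include:nonexistent.example ~all",
    # eleven includes: one over the limit even though each target is a leaf
    "heavy.example": "v=spf1 " + " ".join(["include:_netblocks.zdsys.com"] * 11) + " -all",
}


def fake_resolve_txt(name):
    """Stand-in for a TXT query: returns the constructed records for name."""
    return [FAKE_ZONE[name]] if name in FAKE_ZONE else []


def live_resolve_txt(name):
    """Real TXT query via dnspython (assumption: dnspython 2.x installed)."""
    import dns.resolver
    import dns.exception
    try:
        answers = dns.resolver.resolve(name, "TXT")
    except dns.exception.DNSException:
        return []
    return [b"".join(r.strings).decode("ascii", "replace") for r in answers]


def get_spf(domain, resolve_txt):
    """Return the lone v=spf1 record for domain, or None (none or several is a permerror)."""
    spf = [r for r in resolve_txt(domain) if re.match(r"^v=spf1(\s|$)", r, re.I)]
    return spf[0] if len(spf) == 1 else None


def count_lookups(domain, resolve_txt, _path=()):
    """Walk domain's SPF record and return (lookups, problems).

    lookups holds one entry per DNS-querying term in evaluation order, so
    len(lookups) is the number RFC 7208 compares against LIMIT. Duplicate
    includes are counted each time, as an evaluator queries them each time.
    problems lists includes/redirects with no usable record or that loop
    back on an ancestor; both are permerrors.
    """
    path = _path + (domain.lower(),)
    lookups, problems = [], []
    record = get_spf(domain, resolve_txt)
    if record is None:
        problems.append(f"no single v=spf1 record at {domain}")
        return lookups, problems
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term {term!r} in {domain}")
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue  # ip4 / ip6 / all / exp cost nothing
        lookups.append(f"{term} @{domain}")
        if name in ("include", "redirect") and target:
            if target.lower() in path:
                problems.append(f"loop: {term} in {domain} revisits an ancestor")
                continue
            sub_lookups, sub_problems = count_lookups(target, resolve_txt, path)
            lookups.extend(sub_lookups)
            problems.extend(sub_problems)
    return lookups, problems


def nagios_status(lookups, problems, warn=8):
    """Map the count onto Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL."""
    n = len(lookups)
    if problems:
        return 2, f"CRITICAL - {n} DNS lookups; " + "; ".join(problems)
    if n > LIMIT:
        return 2, f"CRITICAL - {n} DNS lookups exceeds the limit of {LIMIT}"
    if n >= warn:
        return 1, f"WARNING - {n} DNS lookups, limit is {LIMIT}"
    return 0, f"OK - {n} DNS lookups, limit is {LIMIT}"


if __name__ == "__main__":
    dom = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    lk, pr = count_lookups(dom, fake_resolve_txt)  # use live_resolve_txt in production
    code, msg = nagios_status(lk, pr)
    print(msg)
    for entry in lk:
        print("  " + entry)
    sys.exit(code)
```

Run it with a domain name as the only argument and point Nagios at the exit code; the per-term listing on stdout shows which include is dragging the count up, which is what you want when a vendor such as Zendesk adds a level of indirection. Loop detection uses the ancestor path rather than a global visited set so that two sibling includes of the same host are counted twice, matching what an evaluator does.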