Ensure that the Sender Policy Framework (SPF) records implemented for your Amazon Route 53 domains do not require more than 10 DNS lookups during SPF evaluation, in order to avoid unreasonable load on the DNS infrastructure and to prevent threats such as DDoS attacks.
The Sender Policy Framework implementation for your Amazon Route 53 domains can help you detect and stop email address spoofing, reducing spam and increasing your domains' trustworthiness. To fulfill the Sender Policy Framework (SPF) requirements, your SPF implementation must follow the framework specification, which limits the number of DNS lookups to 10 (RFC 7208 section 4.6.4). This limit reduces the resources (bandwidth, time, CPU, memory) that mailbox providers spend checking SPF DNS records. If the limit is exceeded, an email message may fail SPF inspection, which can cause deliverability issues and may hurt your domain reputation, as the message may be flagged as spam or potential fraud. The DNS lookup limit is also imposed to prevent DDoS attacks against the DNS infrastructure.
Note: To follow best practices, you must limit the number of SPF mechanisms and modifiers that perform DNS lookups to 10 per SPF evaluation, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during an SPF evaluation, a "PermError" result is returned. The "include", "a", "mx", "ptr" and "exists" mechanisms and the "redirect" modifier count against this limit. For example, the SPF policy "v=spf1 a -all" requires the receiver to perform 1 additional DNS lookup (e.g. an A query for domain.com) to fully evaluate. The "all", "ip4" and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. As an example, this conformity rule demonstrates how to audit and remediate an SPF implementation that uses a combination of "include" and "a" mechanisms.
Audit
To determine if your Amazon Route 53 SPF implementation exceeds the DNS lookup limit, perform the following actions:
Remediation / Resolution
To reduce the number of DNS lookups during Sender Policy Framework (SPF) evaluation, you must review your SPF records, remove any services that you no longer use, and/or use SPF record flattening. SPF record flattening replaces a mechanism/modifier included in your SPF record with the IP addresses it resolves to: you query the DNS for the addresses behind that mechanism/modifier and substitute them (as "ip4"/"ip6" mechanisms) for the original term. Each time an SPF record mechanism/modifier is replaced this way, the total DNS lookup count is decremented by 1. To reduce the number of DNS lookups for your non-compliant SPF records, perform the following actions:
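The lookup counting described in the Note above and the record flattening described in this section, as an added Python example that is not part of this rule's audit or remediation steps; the zone data, host names and addresses are constructed stand-ins for real DNS answers, and the counter follows "include" and "redirect" recursively the way a receiver does:

```python
import re

# Constructed, offline stand-in for DNS TXT and A records (not real domains or data).
ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example a mx ip4:203.0.113.0/24 -all",
    "_spf.mailer.example": "v=spf1 include:_spf1.mailer.example include:_spf2.mailer.example ~all",
    "_spf1.mailer.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "_spf2.mailer.example": "v=spf1 a:relay.mailer.example exists:%{i}._spf.mailer.example -all",
    # eleven includes of a record that itself needs no lookups: still 11 > 10
    "bloated.example": "v=spf1 " + "include:_spf1.mailer.example " * 11 + "-all",
}
A_RECORDS = {"relay.mailer.example": ["198.51.100.200"]}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4
LOOKUP_LIMIT = 10

def terms(record):
    """Yield (name, value) for each SPF term, skipping the version tag and qualifiers."""
    for tok in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", tok, re.I)
        if m:
            yield m.group(1).lower(), m.group(2) or ""

def count_lookups(domain, zone=ZONE, depth=0):
    """Count DNS-querying terms reachable from the domain's record, following include/redirect."""
    if depth > LOOKUP_LIMIT:  # include loops are bounded here, as a real evaluator would bound them
        return LOOKUP_LIMIT + 1
    total = 0
    for name, value in terms(zone.get(domain, "v=spf1")):
        if name in LOOKUP_TERMS:  # all, ip4 and ip6 cost nothing
            total += 1  # the term itself is one lookup
            if name in ("include", "redirect"):
                total += count_lookups(value, zone, depth + 1)  # plus the referenced record's own
    return total

def check(domain, zone=ZONE):
    """Receiver's verdict: PermError once the budget is exceeded, plus the lookup count."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LOOKUP_LIMIT else "ok", n)

def flatten_a(record, a_records=A_RECORDS):
    """Replace each 'a:<host>' term with the ip4 addresses it resolves to, saving one lookup each."""
    out = []
    for tok in record.split():
        qual = tok[0] if tok[0] in "+-~?" else ""
        m = re.match(r"a:([^/]+)$", tok[len(qual):], re.I)
        if m and m.group(1) in a_records:
            out.extend(f"{qual}ip4:{ip}" for ip in a_records[m.group(1)])
        else:
            out.append(tok)
    return " ".join(out)
```

Flattening the "a:relay.mailer.example" term in the constructed "_spf2.mailer.example" record drops the total for "example.com" from 7 to 6 lookups; flattened addresses go stale when the provider changes hosts, so re-check them periodically.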
References
- AWS Documentation
  - Amazon Route 53 FAQs
  - What is Amazon Route 53?
  - Working with public hosted zones
  - Working with records
  - Creating records by using the Amazon Route 53 console
- AWS Command Line Interface (CLI) Documentation
  - route53
  - list-hosted-zones
  - list-resource-record-sets
  - change-resource-record-sets
  - get-change
Sender Policy Framework DNS Lookup Limit
Risk Level: Medium