I am trying to set up SPF on a server – mail works fine and validates according to mxtoolbox and other online checks but when I check it using http://www.kitterman.com/spf/validate.html I get an error:
PermError SPF Permanent Error: Void lookup limit of 2 exceeded
I am aware of a limit of 10 lookups but have not seen this error before.
SPF record is:
v=spf1 a mx ip4:IP1 ip4:IP2 ip6:IP3 include:spf-a.outlook.com include:spf-b.outlook.com include:spf-c.outlook.com include:spf.messaging.microsoft.com include:_spf.zdsys.com include:spf.mail.intercom.io -all
What is the void lookup limit referring to?
The void lookup limit was introduced in RFC 7208 and refers to DNS lookups which either return an empty response (NOERROR with no answers) or an NXDOMAIN response. This is a separate count from the 10 DNS lookup overall count.
As described at the end of Section 11.1, there may be cases where it is useful to limit the number of “terms” for which DNS queries return either a positive answer (RCODE 0) with an answer count of 0, or a “Name Error” (RCODE 3) answer. These are sometimes collectively referred to as “void lookups”. SPF implementations SHOULD limit “void lookups” to two. An implementation MAY choose to make such a limit configurable. In this case, a default of two is RECOMMENDED. Exceeding the limit produces a “permerror” result.
This is meant to help prevent erroneous or malicious SPF records from contributing to a DNS-based denial of service attack.
In your case, the problematic part seems to be:
Its SPF record is:
v=spf1 ptr:protection.outlook.com ptr:messaging.microsoft.com ptr:o365filtering.com -all
All three of those records, if looked up, return either NOERROR with no records or NXDOMAIN.
Since three records didn’t return anything, you exceeded the void lookup limit of 2, and the SPF record fails.
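The two counters described in the answer above, as an added example that is not part of the original post: a small Python auditor that walks an SPF record and charges each DNS-querying term against both the 10-lookup limit and the void lookup limit of 2. The zone data, domain names and the `audit` helper are constructed for illustration; the walk assumes no mechanism matches (worst case) and does not model `ptr`, `exists`, `redirect` or the follow-up address queries for MX hosts.

```python
# Constructed DNS data: (name, type) -> answers. An empty list is NOERROR with
# no answers; a missing key is NXDOMAIN. All names and addresses are made up.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 a mx:legacy.example.com a:old1.example.com "
                             "a:old2.example.com include:_spf.vendor.example -all"],
    ("example.com", "A"): ["192.0.2.10"],
    ("tidy.example.net", "TXT"): ["v=spf1 a mx:legacy.example.com "
                                  "include:_spf.vendor.example -all"],
    ("tidy.example.net", "A"): ["192.0.2.20"],
    ("legacy.example.com", "MX"): [],
    ("_spf.vendor.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
MAX_LOOKUPS, MAX_VOID = 10, 2  # limits from RFC 7208

class PermError(Exception):
    pass

def query(name, rrtype, counts):
    """Resolve from ZONE, charging the query against both limits."""
    answers = ZONE.get((name, rrtype), [])
    counts["lookups"] += 1
    if counts["lookups"] > MAX_LOOKUPS:
        raise PermError("DNS lookup limit of 10 exceeded")
    if not answers:  # NOERROR with no answers, or NXDOMAIN
        counts["void"] += 1
        if counts["void"] > MAX_VOID:
            raise PermError("void lookup limit of 2 exceeded")
    return answers

def walk(domain, record, counts):
    """Visit every term as if no earlier mechanism had matched (worst case)."""
    for term in record.split()[1:]:
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0].lower()
        target = (arg or domain).split("/")[0]
        if mech in ("a", "mx"):  # follow-up A queries for MX hosts not modelled
            query(target, mech.upper(), counts)
        elif mech == "include":
            txt = [t for t in query(target, "TXT", counts) if t.startswith("v=spf1")]
            if not txt:
                raise PermError(f"include target {target} has no SPF record")
            walk(target, txt[0], counts)

def audit(domain):
    """Return (result, lookups, void_lookups) for the SPF record of domain."""
    counts = {"lookups": 0, "void": 0}
    record = next(t for t in ZONE[(domain, "TXT")] if t.startswith("v=spf1"))
    try:
        walk(domain, record, counts)
    except PermError as err:
        return f"permerror: {err}", counts["lookups"], counts["void"]
    return "ok", counts["lookups"], counts["void"]
```

Here `audit("example.com")` stops at the third empty answer after only four DNS queries, well under the 10-lookup limit, while `audit("tidy.example.net")` has a single void lookup and completes.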
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.