Medium Severity | SPF

Fix: SPF Record Exceeds 255 Characters

Your SPF record exceeds the 255-character limit for a single DNS TXT string. While DNS TXT records can contain multiple strings that are concatenated, some older resolvers may not handle this correctly.

Quick Fix

Split the SPF record into multiple strings within a single TXT record, or flatten includes.

What This Error Means

A single DNS TXT string has a 255-character maximum. SPF records longer than this must be split into multiple strings within one TXT record. Most modern DNS resolvers concatenate these strings automatically, but issues can occur.

Why It Matters

If the record is not properly split, some DNS resolvers may truncate it, causing SPF evaluation to fail with a PermError. An overly long SPF record also often indicates too many includes, which may push you past the 10-lookup limit.

Step-by-Step Fix

1. Check your current record length

Retrieve the record and count characters.

Example
dig +short TXT yourdomain.com | grep "v=spf1"

2. Split into multiple strings in a single TXT record

If your DNS provider supports it, split the value into multiple quoted strings within one TXT record.

Before
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.protection.outlook.com include:mail.zendesk.com include:amazonses.com ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all
After
"v=spf1 include:_spf.google.com include:sendgrid.net include:spf.protection.outlook.com " "include:mail.zendesk.com include:amazonses.com ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all"

3. Flatten unnecessary includes

The better long-term solution is to reduce the record length by replacing includes with ip4/ip6 mechanisms where the IP ranges are stable.

Before
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.protection.outlook.com include:mail.zendesk.com include:amazonses.com -all
After
v=spf1 include:_spf.google.com include:sendgrid.net include:amazonses.com -all
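
The split from step 2, done programmatically, as an added example that is not part of the original page. The helper names (split_spf, to_txt_value, count_direct_lookups) and the sample record are constructed for illustration; the lookup count covers only the terms written in the record itself, so lookups inside included records are not counted.

```python
import re

MAX_STRING = 255    # bytes allowed in one DNS TXT character-string
LOOKUP_LIMIT = 10   # SPF cap on terms that trigger DNS queries

# Terms that cost a DNS lookup: include, a, mx, ptr, exists, redirect=
_LOOKUP_TERM = re.compile(
    r"^(?:[+\-~?]?(?:include|a|mx|ptr|exists)(?=[:/]|$)|redirect=)", re.I)

def split_spf(record, limit=MAX_STRING):
    # Break only after a space and keep that space at the end of the string:
    # resolvers join the strings with nothing in between.
    record.encode("ascii")              # SPF is ASCII; raises on anything else
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    pieces = [t + " " for t in terms[:-1]] + [terms[-1]]
    chunks, current = [], ""
    for piece in pieces:
        if len(piece) > limit:
            raise ValueError(f"single term longer than {limit} bytes: {piece!r}")
        if len(current) + len(piece) > limit:
            chunks.append(current)      # current string is full, start the next
            current = piece
        else:
            current += piece
    chunks.append(current)
    return chunks

def to_txt_value(chunks):
    # Render the strings the way they are typed into a zone file or DNS UI.
    return " ".join(f'"{c}"' for c in chunks)

def count_direct_lookups(record):
    # Lookup-costing terms in this record only; nested includes add more.
    return sum(1 for t in record.split()[1:] if _LOOKUP_TERM.match(t))

# Constructed sample: the page's five includes plus documentation-range addresses.
SAMPLE = ("v=spf1 include:_spf.google.com include:sendgrid.net "
          "include:spf.protection.outlook.com include:mail.zendesk.com "
          "include:amazonses.com "
          + " ".join(f"ip4:203.0.113.{i}" for i in range(1, 13)) + " -all")

if __name__ == "__main__":
    parts = split_spf(SAMPLE)
    print(len(SAMPLE), "bytes ->", [len(p) for p in parts])
    print(to_txt_value(parts))
    print("direct lookups:", count_direct_lookups(SAMPLE), "of", LOOKUP_LIMIT)
```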

Common Gotchas

  • Do not create two separate TXT records with v=spf1 — that causes a multiple SPF records error. The split must be within a single TXT record as multiple strings.
  • Some DNS management UIs handle the splitting automatically. Others require you to manually add the quotes for each 255-character segment.
  • A long SPF record is usually a sign of too many includes, which likely also violates the 10-lookup limit.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

What is the maximum length of an SPF record?

A single DNS TXT string is limited to 255 characters. However, a TXT record can contain multiple strings that are concatenated, so the practical limit is much higher. The real concern is the 10-lookup limit.

How do I split an SPF record into multiple strings?

In your DNS provider, the value would look like: "v=spf1 include:_spf.google.com ..." "include:other.com -all" — two quoted strings within a single TXT record.

Will splitting the record cause any issues?

Modern DNS resolvers handle multi-string TXT records correctly. Very old or misconfigured resolvers might not concatenate them properly, but this is rare and fully compliant with DNS standards.
