SPF IP4 Mechanism Limitation

Is there a limit to the # of ip4 mechanisms included in an SPF record?  From what I'm reading, the limit is 10 DNS lookups, but excludes the ip4 mechanism.  I need to specify 20 IP4 addresses, so will the following SPF record be valid?

v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: include:spf.protection.outlook.com -all

I have not heard of multiple ip4 entries causing any issues as long as it's beyond 255 characters

You can always validate your SPF with mxtoolbox.com, and if your SPF has any problem, it will point it out

Normally you should not have too many included lookups

DNS lookups are counted for included lookups, mx lookups, A and PTR lookups,
but when you put ip4 entries, the 10-lookup limit should not apply, IMHO
noci (Software Engineer) commented:
You may not exceed the 254 character limit of DNS, and you may not cause more than 10 lookups.
You could do:
....example.com   TXT "v=spf1 include:extra....example.com include:extra2....example.com ~all"
extra....example.com TXT "v=spf1 ip4:..... ~all"
extra2....example.com TXT "v=spf1 ip4:..... ~all"
DrDave242 (Senior Support Engineer) commented:
From what I'm reading, the limit is 10 DNS lookups, but excludes the ip4 mechanism.

You're not limited to 10 DNS lookups, but 10 mechanisms and modifiers that cause DNS lookups, according to RFC 7208, sec 4.6.4:

Some mechanisms and modifiers (collectively, "terms") cause DNS queries at the time of evaluation, and some do not...SPF implementations MUST limit the total number of those terms to 10 during SPF evaluation, to avoid unreasonable load on the DNS.

The ip4 mechanism, as you mentioned, is exempt from this limitation, since it doesn't cause DNS lookups at all. As far as I can tell, you're only limited by the overall size limitation mentioned in sec 3.4:

The published SPF record for a given domain name SHOULD remain small enough that the results of a query for it will fit within 512 octets. Otherwise, there is a possibility of exceeding a DNS protocol limit.

You should read that entire section, as it mentions that the size of your SPF record might be constrained by other TXT records present at the same level, since they'll also be returned by a query seeking your domain's SPF record.
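The two limits DrDave242 quotes can be checked offline before anything is published. The following script is an added example, not code from the thread or from any of the tools mentioned in it: it classifies each term of an SPF record as lookup-causing or not (RFC 7208 section 4.6.4), measures the TXT RDATA as it would appear on the wire (one length octet per 255-octet string, per section 3.3), and estimates the size of a minimal UDP answer carrying only that record. The sample record, the 192.0.2.0/24 addresses (TEST-NET-1) and the owner name example.com are constructed; the include name is the one from the question.

```python
# Added example, not from the thread: classify the terms of an SPF record the
# way RFC 7208 does and estimate how much of a 512-octet UDP answer it uses.
import math
import re

# Mechanisms and the modifier that cause DNS queries during evaluation and
# therefore count toward the limit of 10 (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ADDRESS_TERMS = {"ip4", "ip6"}   # evaluated with no DNS query at all
LOOKUP_LIMIT = 10

# A TXT RDATA is a sequence of <character-string>s, each at most 255 octets
# and each prefixed by one length octet; resolvers concatenate the strings
# to form the SPF record (RFC 7208 section 3.3).
TXT_STRING_MAX = 255
UDP_PAYLOAD_MAX = 512


def split_term(token: str) -> tuple:
    """Split one SPF term into (qualifier, name, argument).

    'ip4:192.0.2.1' -> ('', 'ip4', ':192.0.2.1'); '-all' -> ('-', 'all', '');
    'redirect=_spf.example.org' -> ('', 'redirect', '=_spf.example.org').
    """
    qualifier = ""
    if token and token[0] in "+-~?":
        qualifier, token = token[0], token[1:]
    m = re.match(r"^([A-Za-z][A-Za-z0-9_.-]*)(.*)$", token)
    if m is None:
        raise ValueError(f"unparseable SPF term: {token!r}")
    return qualifier, m.group(1).lower(), m.group(2)


def terms(record: str) -> list:
    """All terms of the record after the 'v=spf1' version tag."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    return [split_term(t) for t in tokens[1:]]


def count_lookup_terms(record: str) -> int:
    """Number of terms that would cause DNS queries (subject to the 10-term limit)."""
    return sum(1 for _, name, _ in terms(record) if name in LOOKUP_TERMS)


def count_address_terms(record: str) -> int:
    """Number of ip4/ip6 terms; these are exempt from the lookup limit."""
    return sum(1 for _, name, _ in terms(record) if name in ADDRESS_TERMS)


def txt_rdata_octets(record: str) -> int:
    """Wire size of the TXT RDATA: the text plus one length octet per
    255-octet string. Non-ASCII text is measured after UTF-8 encoding."""
    data = record.encode("utf-8")
    strings = max(1, math.ceil(len(data) / TXT_STRING_MAX))
    return len(data) + strings


def wire_name_octets(name: str) -> int:
    """Uncompressed wire length of a domain name: one length octet per label plus the root."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def estimated_udp_answer_octets(owner: str, record: str) -> int:
    """Size of a minimal response carrying only this TXT record: 12-octet
    header, the question section, and one answer RR whose owner is a 2-octet
    compression pointer followed by TYPE, CLASS, TTL and RDLENGTH (10 octets).
    Any other TXT records at the same name, authority/additional records and
    DNSSEC signatures are added on top of this figure."""
    question = wire_name_octets(owner) + 4
    answer = 2 + 10 + txt_rdata_octets(record)
    return 12 + question + answer


def check(owner: str, record: str) -> dict:
    lookups = count_lookup_terms(record)
    size = estimated_udp_answer_octets(owner, record)
    return {
        "lookup_terms": lookups,
        "within_lookup_limit": lookups <= LOOKUP_LIMIT,
        "address_terms": count_address_terms(record),
        "record_chars": len(record),
        "rdata_octets": txt_rdata_octets(record),
        "estimated_answer_octets": size,
        "fits_512": size <= UDP_PAYLOAD_MAX,
    }


# Constructed sample in the shape of the question: twenty ip4 terms from the
# TEST-NET-1 documentation range, the include from the question, and a hard fail.
SAMPLE_IPS = [f"192.0.2.{n}" for n in range(1, 21)]
SAMPLE_RECORD = (
    "v=spf1 " + " ".join(f"ip4:{ip}" for ip in SAMPLE_IPS)
    + " include:spf.protection.outlook.com -all"
)

if __name__ == "__main__":
    for key, value in check("example.com", SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

For the sample record the script reports one lookup term, twenty address terms, a 337-character record that needs two TXT strings (339 RDATA octets) and an estimated minimal answer of 380 octets. The estimate is deliberately a floor: as DrDave242 notes, every other TXT record at the same name is returned with it, and DNSSEC signatures add more still.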
noci (Software Engineer) commented:
The 512 character limit may impose its own problems, as not all interfaces to update DNS allow it. Also, DNSSEC signed zones may cause more data to be occupied within the DNS packet.
DrDave242 (Senior Support Engineer) commented:
Agreed - it's a little tricky at best.
fireguy1125 (Author) commented:
Thanks all, can you clarify if the actual character limit is 255 or 512?

@noci, can you elaborate further on your initial comment?

You could do:
....example.com   TXT "v=spf1 include:extra....example.com include:extra2....example.com ~all"
extra....example.com TXT "v=spf1 ip4:..... ~all"
extra2....example.com TXT "v=spf1 ip4:..... ~all"

Mahesh, thanks for the mxtoolbox tip; however, I'd prefer to have these verified before actually publishing the changes to avoid any issues.
Thanks again.
noci (Software Engineer) commented:
First, you CAN publish the DNS records and check them before use, and if all is acceptable, then activate DKIM signing.
SPF is slightly more tricky, but you can start with a record that only has +all at the end.... (effectively rendering the _spf RR futile).
During testing it may be wise to limit the TTL of DNS records to 300 (then you only have to wait 5 minutes max for cached data),
and to set the TTL longer after the dust has settled.
It all depends on how the query (& answer) are worded in total.
Lots of variables involved, e.g. the length of the name requested, the value requested; if multiple records exist then they ALL need to fit; with international characters they may take up more than 1 octet / char. Then if signing is involved the signing information is added, including references for verification. ....
In practice a safe limit is around 255...  (maybe less...)

http://www.rfc-archive.org/getrfc.php?rfc=883 are the design goals for DNS; the bottom of page 11 states limits on packet sizes.
Which limits datagram (UDP) queries/answers to 512 octets each.   (final data in RFC 1034).
(The RR size is given by an unsigned 16-bit integer, and a single query/answer maximum in a streamed query is 64K.)
Your problem is there are not a lot of DNS servers that allow TCP connections.
With query & authorisation info etc. all in the packet you can count on around 255 characters. Besides that, many user interfaces are more restricted than this.

The following allows you to split the records into multiple records to accommodate multiple addresses..
_spf.example.com   300 TXT  "v=spf1 include:_extra.example.com include:_extra2.example.com -all"
_extra.example.com      300 TXT "v=spf1 ip4: ip4: ~all"
_extra2.example.com      300 TXT "v=spf1 ip4: ip4: ~all"

Did you ever query the Google DKIM records, or the outlook.com ones?
They are nice examples...
dig _spf.google.com txt    

and then look up the includes mentioned.
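The split that noci sketches above can be generated rather than written by hand, which also makes it easy to confirm that every child record stays short and that the parent stays under the lookup limit. The script below is an added example, not noci's or the thread's code: it greedily packs ip4 terms into child records of at most a chosen length (255 by default, i.e. one TXT string, which is also what zone editors that cannot enter multi-string TXT records will accept), builds the parent from include terms, refuses to emit a parent with more than 10 lookup terms, and prints zone-file lines with the 300-second TTL noci recommends for testing. The domain example.com, the child labels _spf1, _spf2, ..., and the 192.0.2.0/24 addresses are assumptions; the extra include is the one from the question.

```python
# Added example, not from the thread: split a long list of ip4 networks across
# several TXT records and publish them through a parent built from include:
# terms. The domain example.com and the child labels _spfN are assumptions.
from typing import Dict, List, Sequence

LOOKUP_LIMIT = 10        # RFC 7208 section 4.6.4
DEFAULT_MAX_LEN = 255    # one TXT <character-string>; a length every zone editor accepts


def pack_ip4_terms(networks: Sequence[str], max_len: int = DEFAULT_MAX_LEN,
                   prefix: str = "v=spf1 ", suffix: str = " ~all") -> List[str]:
    """Greedily fill child records with ip4: terms, starting a new record
    whenever the next term would push the current one past max_len."""
    records: List[List[str]] = []
    current: List[str] = []
    for net in networks:
        candidate = current + [f"ip4:{net}"]
        if len(prefix + " ".join(candidate) + suffix) > max_len:
            if not current:
                raise ValueError(f"ip4:{net} alone does not fit in {max_len} characters")
            records.append(current)
            current = [f"ip4:{net}"]
        else:
            current = candidate
    if current:
        records.append(current)
    return [prefix + " ".join(r) + suffix for r in records]


def build_split_spf(domain: str, networks: Sequence[str],
                    extra_includes: Sequence[str] = (),
                    max_len: int = DEFAULT_MAX_LEN) -> Dict[str, str]:
    """Return {owner_name: txt_record} for the parent and its children.

    Each child holds only ip4 terms, so it costs the parent exactly one lookup
    (its include). extra_includes are third-party records the parent must
    reference as well, and they count toward the same limit."""
    children = pack_ip4_terms(networks, max_len)
    owners = [f"_spf{i}.{domain}" for i in range(1, len(children) + 1)]
    parent_terms = [f"include:{o}" for o in owners] + [f"include:{d}" for d in extra_includes]
    if len(parent_terms) > LOOKUP_LIMIT:
        raise ValueError(f"parent would need {len(parent_terms)} lookups, limit is {LOOKUP_LIMIT}")
    parent = "v=spf1 " + " ".join(parent_terms) + " -all"
    if len(parent) > max_len:
        raise ValueError("parent record itself exceeds max_len; use fewer or shorter child names")
    records: Dict[str, str] = {domain: parent}
    records.update(zip(owners, children))
    return records


def zone_lines(records: Dict[str, str], ttl: int = 300) -> List[str]:
    """Zone-file lines; a short TTL keeps mistakes cheap to correct while testing."""
    return [f'{owner}. {ttl} IN TXT "{txt}"' for owner, txt in records.items()]


# Constructed sample: twenty TEST-NET-1 addresses plus the include from the question.
SAMPLE_IPS = [f"192.0.2.{n}" for n in range(1, 21)]
SAMPLE = build_split_spf("example.com", SAMPLE_IPS, ["spf.protection.outlook.com"])

if __name__ == "__main__":
    for line in zone_lines(SAMPLE):
        print(line)
```

With the default 255-character budget the twenty addresses fit in two children, so the parent carries three include terms (two children plus the outlook.com include). Squeezing the budget down to 100 characters produces four children, and the parent itself then no longer fits in 100 characters, which the builder reports as an error rather than emitting a record that a resolver would reject.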

fireguy1125 (Author) commented:
Thanks all.