SPF health check returning void lookups

Hello! I am trying to get some help adjusting my SPF record. I am trying to understand how I can go about identifying which items in my record constitute "void lookups". I am getting a notice saying I am exceeding 2 when checking my domain health. I see what they are from searching, but I cannot find any help in deciphering which items are actually causing the void count I have. Anyone have any suggestions to go about doing this?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

A "Void Lookup" refers to DNS lookups which either return an empty response (NOERROR with no answers) or an NXDOMAIN response.

This is meant to help prevent erroneous or malicious SPF records from contributing to a DNS-based denial of service attack.

I cannot find any help in deciphering which items are actually causing the void count I have. Anyone have any suggestions to go about doing this?

Without looking at what you're using for a SPF record, I couldn't even begin to guess
mrosierAuthor Commented:
Hi Ken, thanks for the info, I saw those too. I just wasn't sure what those responses meant. Can you dumb that down for me as to what triggers those responses?
Essentially the DNS server contacted didn't find a match and didn't have a result to provide.

It's like running a "whois" on Microsoft.com. Typed correctly, you'll get a response, but typed incorrectly "Microwsot.com" you'll get an "no result found". This is your "Void Lookup" error

But as I stated earlier, without looking at what you're using, nobody can tell you what's causing the error
Exploring SharePoint 2016

Explore SharePoint 2016, the web-based, collaborative platform that integrates with Microsoft Office to provide intranets, secure document management, and collaboration so you can develop your online and offline capabilities.

mrosierAuthor Commented:
To ask a really dumb question, is it safe for me to provide that here? I would, but I am fairly a newbie to DNS and don't know. I will gladly provide it if it wouldn't be considered unsafe to post?
To ask a really dumb question, is it safe for me to provide that here?

That's not dumb at all, it's a very REAL concern that you should have regarding the posting of potentially sensitive information online.

But in this case yea it's safe. The information is readily obtained

Actually if you wanted, you could just post the domain name in question, and I can pull it up

mrosierAuthor Commented:
ok thanks Ken! The domain is XXXXXXX.com.

Try this

Open in new window

Your mail servers mx01/mx02 were listed incorrectly, however you've provided ip4 rules for them so the "mx" tag isn't needed.
Each outgoing mail server can only be listed 1x

Comment out your existing spf record and see if the one above fixes things


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Let me know when you've done it so I can remove the IP information from my post
mrosierAuthor Commented:
Thanks Ken! I just applied the record you provided. I of course copied my previous one for safe-keeping. Feel free to edit out IP info. But do you mind taking a look at my XXXXXXX1.com one as well while we're at it? That is my primary domain, and it had voids as well. We just use that for far less mail, so I never bothered with it since it has never had problems delivering. Also, to be clear, in my include statement, if I have IPs in XXXXXXX1.com that I ALSO have in XXXXXXX.com, that would cause recursion because they would be redundant in the same SPF record correct? So and IP I have ending .xxx that exists in the XXXXXXX.com record that ALSO exists in XXXXXXX1.com is redundant in the XXXXXXX.com record because of that include part, right? I should remove it from the record and just rely on the include statement for that IP?
Did it resolve your issue?

If so, repeat the change to your xxx.com record by removing the two mx listings (mx:mail.xxx.com mx:mail2.xxx.com)

If not, let me know what error you're receiving

mrosierAuthor Commented:
Oh I need to give it a chance to replicate to mxtoolbox to run the check. I am just waiting on that. If I have "include:XXXXXXX1.com" in msi-survey.com and "include:XXXXXXX.com" in XXXXXXX1.com, is that going to cause me problems with being recursive or anything? UPDATE: I had been waiting for mxtoolbox to become available as there was some sort of query error til just a minute ago. It is still seeing some of the MX records I removed, so hopefully soon it will fully replicate over.
mrosierAuthor Commented:
Ok I cut it down to "v=spf1 ip4:sanitized ip4:sanitized ip4:sanitized ip4:sanitized ip4:sanitized include:XXXXXXX1 -all". That turned up no void lookups! To dumb things down further, in my SPF record, I just need to list the server IPs that I use to send mail for this domain (since it really is only a few), correct? UPDATE: I removed the MX record items from XXXXXXX1.com and that now has no void lookups either. And finally, the "include:" statement I have in XXXXXXX1.com referring to XXXXXXX.com means that all the SPF record for XXXXXXX1 includes the IPs in XXXXXXX, yes?
no void lookups!

Good, glad to hear it :)

I just need to list the server IPs that I use to send mail for this domain (since it really is only a few), correct?

Correct, "OR" you can use "mx" which will use the DNS mx record for the domain. You can use both mx and ipv4 however you need to make sure that you don't list an IP in ipv4 which is also the IP for a mail server in the dns mx record for the domain.

This is why you were getting the error, you can only list a server (IP) one time.

The listings (including the include) indicate which servers are allowed to send mail for the domain.
mrosierAuthor Commented:
Ok so for example I can have an ip4 address in XXXXXXX1.com that also appears in the SPF record of XXXXXXX.com even though it is in the XXXXXXX1.com include statement?
ip4 address in xxx.com that also appears in the SPF record of xxx.com

Right, I see that.

To be honest I'm not 100% sure about that as I don't use that tag, but I believe you should be okay
Sending test emails would be the only way to tell for sure
mrosierAuthor Commented:
Understood, thanks Ken, I haven't had any problems sending mail honestly, I just was doing a check and say the voids on mxtoolbox. But you helped me get rid of those, so I will consider things good now and close the question! Thanks so much for your time! Just for being safe, what parts of this question should I sanitize before closing?
Any time,

what parts of this question should I sanitize

I'd mask or delete any IP / Domain information
mrosierAuthor Commented:
Thanks Ken, if you could do that for your posts, I will do it for mine and then close the question when I hear back from you!
You should be set on my end
mrosierAuthor Commented:
Excellent, thanks again for your time, I took up plenty of it with this one!
No problem mrosier,

I'm glad you got your issue resolved

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.