What’s the 255-character limit and how to handle it?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've just added your fifth email service to your SPF record and suddenly your DNS provider is warning you about string length. That 255-character limit isn't a bug. It's a hard constraint baked into the DNS protocol itself.
Here's the short version of why it exists. DNS uses a single byte to encode the length of each string inside a TXT record. One byte maxes out at 255. So no single string in a TXT record can be longer than 255 characters, full stop.
The good news is that DNS lets you chain multiple strings together inside one TXT record, and receiving mail servers read them as one continuous value. So an SPF record that's 400 characters long gets stored as two strings sitting side by side, and the mail server stitches them together before evaluating the policy.
It looks like this in your DNS zone:
"v=spf1 include:_spf.google.com include:spf.protection.outlook.com" " include:sendgrid.net ~all"
Each quoted block is a separate string. Together they form one valid SPF record. Most TXT record editors at DNS providers handle this splitting automatically when you paste in a long value. You don't usually need to do it by hand.
The one place you almost always deal with this manually is DKIM. A 2048-bit DKIM public key is around 550 characters, which means it always needs splitting. Your ESP will usually give you the pre-split version to paste in, so check their DNS setup instructions before doing anything manual.
How to verify your record was split correctly
This is the part most guides skip. You've saved the record, but how do you know the concatenation is actually working? Run a DNS lookup and look for multiple quoted strings. If you see two (or more) strings that flow logically from one to the next, the split is correct. If you see something like a mechanism cut in half mid-word, that's a problem.
A few quick checks worth running:
- Use our free SPF Checker to see how your full record parses after the strings are joined.
- Use a terminal and run
dig TXT yourdomain.comto see the raw record exactly as DNS returns it, quoted strings and all. - If you split a DKIM key manually, make sure the split happens between base64 characters, not inside one. Any whitespace or quote placement inside a base64 character will break the key entirely.
One thing to keep in mind: the 255-character rule is per string. The overall TXT record can hold multiple strings with no hard total-length limit (in practice, most DNS providers cap the whole record at around 512 bytes in a UDP response, but that's a separate constraint). If your SPF record is getting very long, that's often a sign you have too many includes and flattening is worth exploring.
Still not sure if your split looks right? Our SOS hotline is free, and we're happy to take a look with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.