What’s the 255-character limit and how to handle it?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've just added your fifth email service to your SPF record and suddenly your DNS provider is warning you about string length. That 255-character limit isn't a bug. It's a hard constraint baked into the DNS protocol itself.

Here's the short version of why it exists. DNS uses a single byte to encode the length of each string inside a TXT record. One byte maxes out at 255. So no single string in a TXT record can be longer than 255 characters, full stop.

The good news is that DNS lets you chain multiple strings together inside one TXT record, and receiving mail servers read them as one continuous value. So an SPF record that's 400 characters long gets stored as two strings sitting side by side, and the mail server stitches them together before evaluating the policy.

It looks like this in your DNS zone:

"v=spf1 include:_spf.google.com include:spf.protection.outlook.com" " include:sendgrid.net ~all"

Each quoted block is a separate string. Together they form one valid SPF record. Most TXT record editors at DNS providers handle this splitting automatically when you paste in a long value. You don't usually need to do it by hand.

The one place you almost always deal with this manually is DKIM. A 2048-bit DKIM public key is around 550 characters, which means it always needs splitting. Your ESP will usually give you the pre-split version to paste in, so check their DNS setup instructions before doing anything manual.

How to verify your record was split correctly

This is the part most guides skip. You've saved the record, but how do you know the concatenation is actually working? Run a DNS lookup and look for multiple quoted strings. If you see two (or more) strings that flow logically from one to the next, the split is correct. If you see something like a mechanism cut in half mid-word, that's a problem.

A few quick checks worth running:

  • Use our free SPF Checker to see how your full record parses after the strings are joined.
  • Use a terminal and run dig TXT yourdomain.com to see the raw record exactly as DNS returns it, quoted strings and all.
  • If you split a DKIM key manually, make sure the split happens between base64 characters, not inside one. Any whitespace or quote placement inside a base64 character will break the key entirely.

One thing to keep in mind: the 255-character rule is per string. The overall TXT record can hold multiple strings with no hard total-length limit (in practice, most DNS providers cap the whole record at around 512 bytes in a UDP response, but that's a separate constraint). If your SPF record is getting very long, that's often a sign you have too many includes and flattening is worth exploring.

Still not sure if your split looks right? Our SOS hotline is free, and we're happy to take a look with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your details above and get a specific answer for your setup

I manage email authentication for my domain and I'm hitting the 255-character limit in my TXT records. Based on my situation, tell me: 1. Whether my SPF record needs manual splitting or if my DNS provider should handle it 2. How to verify the split was done correctly and the full record parses as intended 3. Whether DKIM key splitting applies to my setup and what to watch out for 4. Signs that my record split may be broken and how to diagnose them My domain: your domain DNS provider: e.g. Cloudflare, GoDaddy, Route 53 Record type affected: SPF / DKIM / both How I made the change: provider UI / manual zone edit / API

Edit the yellow boxes, then send to the AI of your choice.