SPF 10 DNS Lookup Limit

Why SPF has a 10 lookup limit, how it breaks your email, and proven strategies to fix PermError without losing mail delivery.


The Problem: Too Many DNS Lookups

SPF PermError: Too Many DNS Lookups

When your SPF record exceeds 10 DNS lookups, mail servers return a PermError (permanent error). This can cause legitimate emails to be rejected or marked as spam.

The SPF specification (RFC 7208) limits SPF records to a maximum of 10 DNS lookups to prevent abuse and reduce DNS load. This limit is strictly enforced by all major email providers including Gmail, Outlook, and Yahoo.

What Breaks

  • SPF returns PermError instead of Pass
  • DMARC alignment fails (SPF not passing)
  • Emails go to spam or get rejected
  • Deliverability drops significantly

Why It Happens

  • Each include: counts as 1 lookup
  • Included SPF records trigger their own lookups recursively
  • Using multiple ESPs (Google, Microsoft, SendGrid...)
  • MX and A mechanisms trigger additional lookups

How to Count DNS Lookups

Understanding which SPF mechanisms trigger DNS lookups is critical to staying under the 10 lookup limit.

Mechanisms That Count as Lookups

  • include:_spf.google.com (+1)
    include: Each include: counts as 1 lookup, PLUS any lookups in the included record

  • a:mail.example.com (+1)
    a: Looks up A record (and AAAA if present) = 1 lookup

  • mx (+1)
    mx: Looks up MX record = 1 lookup (+ additional lookups for each MX host)

  • ptr (+1)
    ptr: Reverse DNS lookup = 1 lookup (DEPRECATED - avoid using)

  • exists:%{i}.spf.example.com (+1)
    exists: Checks if a DNS record exists = 1 lookup

Mechanisms That DON'T Count

  • ip4:192.0.2.0/24
    ip4: Static IPv4 address - NO lookup required

  • ip6:2001:db8::/32
    ip6: Static IPv6 address - NO lookup required

  • ~all
    all: Match-all mechanism (shown here with the ~ qualifier) - NO lookup required

Example: Counting a Real SPF Record

Let's count the DNS lookups in this common SPF record:

Your SPF Record:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:_spf.salesforce.com mx a -all

Lookup Count Breakdown:

  • include:_spf.google.com → 1 lookup + 2 nested includes (gmail.com, googlemail.com) = 3 lookups
  • include:spf.protection.outlook.com → 1 lookup + 1 nested include = 2 lookups
  • include:sendgrid.net → 1 lookup (no nested includes) = 1 lookup
  • include:_spf.salesforce.com → 1 lookup + 2 nested includes = 3 lookups
  • mx → MX record lookup for yourdomain.com = 1 lookup
  • a → A record lookup for yourdomain.com = 1 lookup

Total DNS Lookups: 11 lookups

OVER THE LIMIT! This SPF record will return PermError

Result: PermError

This SPF record exceeds 10 lookups and will fail SPF checks. You must reduce the lookup count to 10 or below.
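
The counting rules and the breakdown above can be reproduced in a few lines. This is an added example, not code from this guide or its checker tool: it walks a constructed table of TXT records instead of live DNS, the *.nested.example names are hypothetical placeholders, and it also counts the redirect= modifier, which RFC 7208 places under the same limit.

```python
import re

# Terms that cost one DNS lookup each toward the limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"  # constructed record that needs no lookups

# Constructed TXT data standing in for DNS; nesting mirrors the breakdown above.
# The *.nested.example names are hypothetical placeholders.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com"
                   " include:sendgrid.net include:_spf.salesforce.com mx a -all",
    "_spf.google.com": "v=spf1 include:g1.nested.example include:g2.nested.example ~all",
    "spf.protection.outlook.com": "v=spf1 include:o1.nested.example -all",
    "sendgrid.net": LEAF,
    "_spf.salesforce.com": "v=spf1 include:s1.nested.example include:s2.nested.example ~all",
    "g1.nested.example": LEAF, "g2.nested.example": LEAF, "o1.nested.example": LEAF,
    "s1.nested.example": LEAF, "s2.nested.example": LEAF,
}

def parse_term(term):
    """Split an SPF term into (name, target); qualifier and CIDR suffix are dropped."""
    m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term.lower())
    return (m.group(1), m.group(2)) if m else (None, None)

def count_lookups(domain, zone, path=()):
    """Worst-case lookup count for the SPF record published at `domain`."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")  # a missing record adds no nested lookups here
    total = 0
    for term in record.split()[1:]:  # skip the leading v=spf1
        name, target = parse_term(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1  # the term itself
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def verdict(domain, zone):
    """Return (count, status); status is 'PermError' once the count exceeds 10."""
    n = count_lookups(domain, zone)
    return n, ("PermError" if n > LIMIT else "within limit")

if __name__ == "__main__":
    print(verdict("example.com", ZONE))
```

The count is a worst case: a receiver stops evaluating at the first matching mechanism, so a record over the limit fails only for mail that is not matched before the eleventh lookup.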

5 Strategies to Reduce DNS Lookups

1. Replace include: with ip4:/ip6:

The most effective solution: replace include: statements with direct IP addresses (if IPs are static).

Before (3 lookups):
include:_spf.google.com
After (0 lookups):
ip4:209.85.220.0/19 ip4:64.233.160.0/19 ip4:66.102.0.0/20

💡 Savings: 3 lookups (but requires manual IP updates when Google changes IPs)

Trade-off: You must manually update IPs when your ESP changes them. Only use for static IPs.

2. Remove Unnecessary Mechanisms

Audit your SPF record and remove mechanisms you no longer use.

  • Remove mx mechanism - unless you send email from your MX servers (most don't)
  • Remove a mechanism - unless you send from your web server
  • Remove old ESP includes - if you switched providers and forgot to clean up
  • Never use ptr - deprecated mechanism that adds unnecessary lookups

Typical Savings: 1-3 lookups by removing unused mechanisms

3. Use Subdomains for Third-Party Senders

Move third-party senders to subdomains with separate SPF records.

Main Domain SPF (reduced lookups):
v=spf1 include:_spf.google.com -all

Only 3 lookups for primary email

Marketing Subdomain SPF:
marketing.example.com → v=spf1 include:sendgrid.net -all

1 lookup for SendGrid marketing emails

CRM Subdomain SPF:
crm.example.com → v=spf1 include:_spf.salesforce.com -all

3 lookups for Salesforce emails

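Result: Main domain stays under 10 lookups. Each subdomain has its own limit. This only helps when each service sends with its subdomain as the envelope sender (MAIL FROM) domain, because that is the domain whose SPF record receivers evaluate.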

4. SPF Flattening (Advanced)

Replace include: statements with the IP addresses they resolve to.

SPF flattening services automatically monitor included SPF records and update your record with the resolved IP addresses.

Pros & Cons:
✓ Advantages:
  • Reduces lookups to near zero
  • Automated IP updates
  • Maintains ESP compatibility
✗ Disadvantages:
  • Requires paid service
  • Very long SPF records
  • May hit 255-character limit
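
The manual-update trade-off under strategy 1 and the automated updates under strategy 4 both come down to noticing when a provider's published ranges change. The following is an added example, not code from any flattening service: it flattens an include tree into ip4:/ip6: terms and reports drift against a published record, using constructed records under the hypothetical esp.example domain in place of live DNS.

```python
import ipaddress

# Constructed provider data (not live DNS); the esp.example names are hypothetical.
PROVIDER_ZONE = {
    "_spf.esp.example": "v=spf1 include:_nb1.esp.example include:_nb2.esp.example ~all",
    "_nb1.esp.example": "v=spf1 ip4:192.0.2.0/25 ip4:198.51.100.0/24 ~all",
    "_nb2.esp.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
}

def resolve_networks(domain, zone, path=()):
    """Collect every ip4/ip6 network reachable through include: from `domain`."""
    if domain in path:
        raise ValueError("include loop at " + domain)
    nets = set()
    for term in zone.get(domain, "").split()[1:]:  # skip v=spf1
        kind, _, value = term.lstrip("+-~?").partition(":")
        if kind.lower() in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
        elif kind.lower() == "include":
            nets |= resolve_networks(value.lower(), zone, path + (domain,))
    return nets

def flatten(domain, zone, policy="-all"):
    """Build a lookup-free record that authorizes the same networks as include:<domain>."""
    nets = sorted(resolve_networks(domain, zone), key=lambda n: (n.version, n))
    return " ".join(["v=spf1", *(f"ip{n.version}:{n}" for n in nets), policy])

def drift(published, domain, zone):
    """Compare a published flattened record with what the provider lists now."""
    have = {ipaddress.ip_network(t.split(":", 1)[1], strict=False)
            for t in published.split() if t.startswith(("ip4:", "ip6:"))}
    want = resolve_networks(domain, zone)
    return {"missing": want - have, "stale": have - want}

def txt_strings(record, size=255):
    """Split a long record into the 255-character strings one TXT record carries."""
    return [record[i:i + size] for i in range(0, len(record), size)]

if __name__ == "__main__":
    flat = flatten("_spf.esp.example", PROVIDER_ZONE)
    print(flat, drift(flat, "_spf.esp.example", PROVIDER_ZONE))
```

A "missing" network makes legitimate mail from the provider fail SPF, while a "stale" one keeps authorizing a range the provider no longer lists.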

5. Consolidate Email Providers

Reduce the number of email service providers you use.

If you're using 5+ different email services (Google Workspace, Microsoft 365, SendGrid, Mailchimp, Salesforce, etc.), consider consolidating:

  • Use one ESP for all marketing/transactional email
  • Configure third-party apps to send via your main ESP (SMTP relay)
  • Migrate legacy systems to modern providers with fewer lookups

Testing Your Optimized SPF Record

After making changes, verify your SPF record is under 10 lookups and still authorizes all legitimate senders.

Verification Checklist:

  • Check lookup count: Use an SPF checker tool to confirm ≤ 10 lookups
  • Test all email sources: Send test emails from each ESP/service
  • Monitor DMARC reports: Watch for SPF failures in aggregate reports
  • Wait 24-48 hours: Allow DNS propagation before declaring success
