Understanding SPF's 10 DNS Lookup Limit
Learn what SPF’s 10 DNS lookup limit means, which mechanisms count toward it, why SPF permerror happens, and how to reduce lookup count safely.
Introduction
SPF records can fail even when they look correct. One common reason is SPF’s 10 DNS lookup limit. During SPF validation, receiving mail servers are allowed to perform only a limited number of DNS lookups.
This matters when a domain uses many email services, includes several third-party providers, or relies on mechanisms such as include, a, mx, exists or redirect. If the lookup limit is exceeded, SPF can return a permanent error instead of passing normally.
Quick answer
SPF has a limit of 10 DNS lookups during evaluation. Mechanisms such as include, a, mx, exists and redirect can count toward this limit. If the record exceeds the limit, SPF may fail with a permerror. Mechanisms such as ip4, ip6 and all usually do not add DNS lookups.
SPF lookup limit
SPF’s 10 DNS lookup limit means that a receiving mail server should not perform more than 10 DNS lookups while evaluating an SPF record.
v=spf1 include:_spf.google.com include:mailservice.example ~all
Each include may trigger DNS lookups. If the total number of lookups becomes too high, SPF validation can fail with a permanent error, often called permerror.
The limit applies during SPF evaluation, not just to the number of words in your SPF record.
Which mechanisms count
Lookup impact
Which SPF mechanisms count toward the 10-lookup limit.
| Mechanism type | Counts toward limit? |
|---|---|
| include | Yes |
| a | Yes |
| mx | Yes |
| exists | Yes |
| redirect | Yes |
| ip4 | Usually no |
| ip6 | Usually no |
| all | Usually no |
include can be especially expensive because the included provider’s SPF record may contain more includes, a, mx or other lookup-generating mechanisms.
A short SPF record can still exceed the limit if the included providers expand into many DNS lookups.
Why permerror happens
SPF permerror means the SPF record could not be evaluated correctly because of a permanent configuration problem.
- More than 10 DNS lookups
- Invalid SPF syntax
- Duplicate SPF records
- Broken include targets
- Redirect problems
- Malformed mechanisms
For this article, focus on lookup-related permerror. If syntax is the issue, use the SPF syntax guide.
Lookup-heavy patterns
Too many email providers
The domain includes several mail platforms, CRMs, marketing tools and transactional email services. Each provider include may add more lookups.
Old providers still included
Unused services remain in SPF after migrations or testing. They increase lookup count and make the record harder to audit.
Using a and mx unnecessarily
The record allows website or MX host IPs even when they do not send outbound mail. These mechanisms add lookups and may authorize the wrong infrastructure.
Nested includes
One include can reference another provider SPF record with more includes. The real lookup count is higher than it appears.
Redirect used without review
redirect sends SPF evaluation to another domain. It can hide lookup count and make troubleshooting harder.
Why this matters
The lookup limit matters because SPF can fail even when the right providers appear to be listed. If the record exceeds 10 DNS lookups, receivers may treat the SPF result as a permanent error. This can hurt email authentication and make deliverability troubleshooting difficult.
A bloated SPF record is often a sign that old sending services should be removed or email sending should be consolidated.
How to check lookup count
Use the SPF Checker to inspect your SPF record and calculate how many DNS lookups it requires.
When checking lookup count, review
These five checks help identify lookup-limit problems.
Direct mechanisms
Look at include, a, mx, exists and redirect in the main SPF record.
Nested includes
Check whether included providers include additional providers.
Old senders
Look for services that no longer send mail for the domain.
Unnecessary a or mx mechanisms
Confirm whether the website or MX hosts really send outbound mail.
Final result
Confirm whether SPF returns pass, fail, softfail, neutral or permerror.
Check SPF lookup count
Use SPF Checker to inspect mechanisms, nested includes and DNS lookup count.
Common problems
SPF exceeds 10 DNS lookups
HighThe SPF record requires too many DNS lookups and may return permerror.
Next step: Remove unused includes and simplify the SPF record.
Too many provider includes
MediumMultiple services are included, and each may expand into more lookups.
Next step: Keep only providers that actively send mail for the domain.
Old email platforms remain in SPF
MediumOld CRMs, marketing tools or mail providers still appear in the record.
Next step: Remove them after confirming they no longer send mail.
a mechanism adds unnecessary lookup
MediumThe domain’s website IP is allowed to send mail even though it may not send outbound email.
Next step: Remove a unless the website server really sends mail.
mx mechanism adds unnecessary lookup
MediumThe domain’s MX hosts are allowed to send mail, but this may not match the real sending setup.
Next step: Remove mx unless the MX hosts send outbound mail.
Nested include causes hidden lookups
MediumAn included provider’s SPF record expands into additional includes or lookups.
Next step: Review expanded SPF results and ask the provider for a recommended record if needed.
SPF flattening becomes stale
MediumFlattened SPF replaces includes with IPs, but provider IPs can change.
Next step: Avoid manual flattening unless you have a process to keep it updated.
How to reduce lookups
-
Step 1: Run an SPF lookup check
Use SPF Checker to see the current lookup count and identify which mechanisms consume lookups.
-
Step 2: Remove unused providers
Delete includes for services that no longer send mail for your domain.
-
Step 3: Avoid unnecessary a and mx
Do not use a or mx unless those hosts really send outbound email.
-
Step 4: Consolidate sending services
If possible, reduce the number of platforms sending mail for the domain.
-
Step 5: Use provider-recommended SPF values
Some providers offer optimized SPF records. Use official documentation instead of copying random examples.
-
Step 6: Be careful with SPF flattening
Flattening can reduce lookups by replacing includes with IP addresses, but it can become outdated if provider IP ranges change.
-
Step 7: Re-check after changes
Run SPF Checker again to confirm the record is valid and within the 10 DNS lookup limit.
SPF flattening
SPF flattening means replacing lookup-generating mechanisms, usually includes, with the IP addresses they currently resolve to.
v=spf1 include:provider.example ~all
v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ~all
Flattening can reduce DNS lookups, but it has a risk: provider IP addresses may change. If the flattened record is not updated, legitimate email may start failing SPF.
Use flattening only if you understand the maintenance requirements or use a managed service that updates it automatically.
What not to do when reducing lookups:
- Do not delete active providers just to reduce lookup count
- Do not replace includes with IPs unless you can keep them updated
- Do not use +all to avoid SPF failures
- Do not publish multiple SPF records
- Do not guess provider IP ranges
- Do not ignore DKIM and DMARC
The goal is not only fewer lookups. The goal is an accurate SPF record that matches real senders.
Lookup examples
v=spf1 include:_spf.google.com include:mailservice.example mx ~all
Why it may be risky: include:_spf.google.com can add lookups; include:mailservice.example can add lookups; mx can add lookups; nested includes may increase the total.
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all
Why it may be cleaner: one provider include, one fixed IP, no unnecessary a or mx mechanisms.
dig example.com TXT
dig +short example.com TXT
These examples are illustrative. Your SPF record must match your real sending services.
Frequently asked questions
What is SPF’s 10 DNS lookup limit?
It is the maximum number of DNS lookups allowed during SPF evaluation. If the limit is exceeded, SPF can fail with permerror.
Which SPF mechanisms count toward the limit?
include, a, mx, exists and redirect count toward the limit. ip4, ip6 and all usually do not.
Can a short SPF record exceed the limit?
Yes. A short record with several includes can exceed the limit if those includes expand into many nested lookups.
What happens if SPF exceeds the limit?
SPF may return permerror, meaning the record could not be evaluated correctly.
Should I use SPF flattening?
Only carefully. Flattening can reduce lookups, but it can become outdated if provider IP addresses change.
How do I reduce SPF lookups safely?
Remove unused providers, avoid unnecessary a/mx mechanisms, consolidate senders and use provider-recommended SPF values.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Email Authentication guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!