Understanding SPF's 10 DNS Lookup Limit

Learn what SPF’s 10 DNS lookup limit means, which mechanisms count toward it, why SPF permerror happens, and how to reduce lookup count safely.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 7 min read Beginner

Introduction

SPF records can fail even when they look correct. One common reason is SPF’s 10 DNS lookup limit. During SPF validation, receiving mail servers are allowed to perform only a limited number of DNS lookups.

This matters when a domain uses many email services, includes several third-party providers, or relies on mechanisms such as include, a, mx, exists or redirect. If the lookup limit is exceeded, SPF can return a permanent error instead of passing normally.

Quick answer

Quick answer

SPF has a limit of 10 DNS lookups during evaluation. Mechanisms such as include, a, mx, exists and redirect can count toward this limit. If the record exceeds the limit, SPF may fail with a permerror. Mechanisms such as ip4, ip6 and all usually do not add DNS lookups.

SPF lookup limit

SPF’s 10 DNS lookup limit means that a receiving mail server should not perform more than 10 DNS lookups while evaluating an SPF record.

Example
v=spf1 include:_spf.google.com include:mailservice.example ~all

Each include may trigger DNS lookups. If the total number of lookups becomes too high, SPF validation can fail with a permanent error, often called permerror.

The limit applies during SPF evaluation, not just to the number of words in your SPF record.

Which mechanisms count

Lookup impact

Which SPF mechanisms count toward the 10-lookup limit.

Mechanism type Counts toward limit?
include Yes
a Yes
mx Yes
exists Yes
redirect Yes
ip4 Usually no
ip6 Usually no
all Usually no

include can be especially expensive because the included provider’s SPF record may contain more includes, a, mx or other lookup-generating mechanisms.

A short SPF record can still exceed the limit if the included providers expand into many DNS lookups.

Why permerror happens

SPF permerror means the SPF record could not be evaluated correctly because of a permanent configuration problem.

  • More than 10 DNS lookups
  • Invalid SPF syntax
  • Duplicate SPF records
  • Broken include targets
  • Redirect problems
  • Malformed mechanisms

For this article, focus on lookup-related permerror. If syntax is the issue, use the SPF syntax guide.

Lookup-heavy patterns

Too many email providers

The domain includes several mail platforms, CRMs, marketing tools and transactional email services. Each provider include may add more lookups.

Old providers still included

Unused services remain in SPF after migrations or testing. They increase lookup count and make the record harder to audit.

Using a and mx unnecessarily

The record allows website or MX host IPs even when they do not send outbound mail. These mechanisms add lookups and may authorize the wrong infrastructure.

Nested includes

One include can reference another provider SPF record with more includes. The real lookup count is higher than it appears.

Redirect used without review

redirect sends SPF evaluation to another domain. It can hide lookup count and make troubleshooting harder.

Why this matters

Why this matters

The lookup limit matters because SPF can fail even when the right providers appear to be listed. If the record exceeds 10 DNS lookups, receivers may treat the SPF result as a permanent error. This can hurt email authentication and make deliverability troubleshooting difficult.

A bloated SPF record is often a sign that old sending services should be removed or email sending should be consolidated.

How to check lookup count

Use the SPF Checker to inspect your SPF record and calculate how many DNS lookups it requires.

When checking lookup count, review

These five checks help identify lookup-limit problems.

Direct mechanisms

Look at include, a, mx, exists and redirect in the main SPF record.

Nested includes

Check whether included providers include additional providers.

Old senders

Look for services that no longer send mail for the domain.

Unnecessary a or mx mechanisms

Confirm whether the website or MX hosts really send outbound mail.

Final result

Confirm whether SPF returns pass, fail, softfail, neutral or permerror.

Check SPF lookup count

Use SPF Checker to inspect mechanisms, nested includes and DNS lookup count.

Run SPF Check →

Common problems

SPF exceeds 10 DNS lookups

High

The SPF record requires too many DNS lookups and may return permerror.

Next step: Remove unused includes and simplify the SPF record.

Too many provider includes

Medium

Multiple services are included, and each may expand into more lookups.

Next step: Keep only providers that actively send mail for the domain.

Old email platforms remain in SPF

Medium

Old CRMs, marketing tools or mail providers still appear in the record.

Next step: Remove them after confirming they no longer send mail.

a mechanism adds unnecessary lookup

Medium

The domain’s website IP is allowed to send mail even though it may not send outbound email.

Next step: Remove a unless the website server really sends mail.

mx mechanism adds unnecessary lookup

Medium

The domain’s MX hosts are allowed to send mail, but this may not match the real sending setup.

Next step: Remove mx unless the MX hosts send outbound mail.

Nested include causes hidden lookups

Medium

An included provider’s SPF record expands into additional includes or lookups.

Next step: Review expanded SPF results and ask the provider for a recommended record if needed.

SPF flattening becomes stale

Medium

Flattened SPF replaces includes with IPs, but provider IPs can change.

Next step: Avoid manual flattening unless you have a process to keep it updated.

How to reduce lookups

  1. Step 1: Run an SPF lookup check

    Use SPF Checker to see the current lookup count and identify which mechanisms consume lookups.

  2. Step 2: Remove unused providers

    Delete includes for services that no longer send mail for your domain.

  3. Step 3: Avoid unnecessary a and mx

    Do not use a or mx unless those hosts really send outbound email.

  4. Step 4: Consolidate sending services

    If possible, reduce the number of platforms sending mail for the domain.

  5. Step 5: Use provider-recommended SPF values

    Some providers offer optimized SPF records. Use official documentation instead of copying random examples.

  6. Step 6: Be careful with SPF flattening

    Flattening can reduce lookups by replacing includes with IP addresses, but it can become outdated if provider IP ranges change.

  7. Step 7: Re-check after changes

    Run SPF Checker again to confirm the record is valid and within the 10 DNS lookup limit.

SPF flattening

SPF flattening means replacing lookup-generating mechanisms, usually includes, with the IP addresses they currently resolve to.

Before
v=spf1 include:provider.example ~all
After flattening
v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ~all

Flattening can reduce DNS lookups, but it has a risk: provider IP addresses may change. If the flattened record is not updated, legitimate email may start failing SPF.

Use flattening only if you understand the maintenance requirements or use a managed service that updates it automatically.

What not to do when reducing lookups:

  • Do not delete active providers just to reduce lookup count
  • Do not replace includes with IPs unless you can keep them updated
  • Do not use +all to avoid SPF failures
  • Do not publish multiple SPF records
  • Do not guess provider IP ranges
  • Do not ignore DKIM and DMARC

The goal is not only fewer lookups. The goal is an accurate SPF record that matches real senders.

Lookup examples

Lookup-generating example
v=spf1 include:_spf.google.com include:mailservice.example mx ~all

Why it may be risky: include:_spf.google.com can add lookups; include:mailservice.example can add lookups; mx can add lookups; nested includes may increase the total.

Lower-lookup example
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all

Why it may be cleaner: one provider include, one fixed IP, no unnecessary a or mx mechanisms.

Check commands
dig example.com TXT
dig +short example.com TXT

These examples are illustrative. Your SPF record must match your real sending services.

Frequently asked questions

What is SPF’s 10 DNS lookup limit?

It is the maximum number of DNS lookups allowed during SPF evaluation. If the limit is exceeded, SPF can fail with permerror.

Which SPF mechanisms count toward the limit?

include, a, mx, exists and redirect count toward the limit. ip4, ip6 and all usually do not.

Can a short SPF record exceed the limit?

Yes. A short record with several includes can exceed the limit if those includes expand into many nested lookups.

What happens if SPF exceeds the limit?

SPF may return permerror, meaning the record could not be evaluated correctly.

Should I use SPF flattening?

Only carefully. Flattening can reduce lookups, but it can become outdated if provider IP addresses change.

How do I reduce SPF lookups safely?

Remove unused providers, avoid unnecessary a/mx mechanisms, consolidate senders and use provider-recommended SPF values.

Use these free tools to verify your configuration after applying changes.

Browse all Email Authentication guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.