Too Many DNS Lookups in SPF: How to Reduce Them
Reduce SPF DNS lookups and fix SPF permerror by removing unused includes, avoiding ptr, simplifying mx/a mechanisms and staying under the 10 lookup limit.
Introduction
SPF records can fail even when they look short. One common reason is the 10 DNS lookup limit defined by SPF. During mail authentication, receiving servers count DNS lookups triggered by mechanisms such as include, a, mx, exists, redirect and ptr.
Domains with multiple email providers, nested includes, unnecessary a or mx mechanisms, or legacy ptr entries can exceed the limit and return permerror. Reducing lookups requires auditing the real expanded record, removing unused providers, consolidating senders, and using flattening only when safer options are not enough.
Quick answer
To reduce SPF DNS lookups, remove unused includes, avoid unnecessary a, mx and ptr mechanisms, consolidate email providers where possible, replace nested includes with provider-recommended values, and use flattening only with a plan to keep IP lists current. Verify lookup count with SPF Checker after every change.
Reducing SPF DNS lookups
The SPF 10 lookup limit applies during evaluation, not to the visible length of the TXT record. A compact record with several includes can still exceed the limit if those includes expand into more lookups.
Mechanisms that commonly increase lookup count:
- include for each email provider or SaaS sender
- nested includes inside provider SPF records
- a when the domain or subdomain has A records
- mx when MX hostnames resolve through DNS
- exists for dynamic lookup patterns
- redirect when evaluation moves to another domain
- ptr for reverse DNS lookups
- old providers left in SPF after migration
- duplicate or overlapping provider entries
- unnecessary +all or overly broad mechanisms
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:spf.protection.outlook.com a mx ptr ~all
Avoid ptr in SPF unless you have a specific legacy requirement. It adds lookups and is unreliable for modern deliverability.
Start by removing providers you no longer use. That is often the safest way to cut lookup count.
Why this matters
When SPF exceeds 10 DNS lookups, receivers may return permerror instead of pass or fail. That weakens authentication, complicates DMARC alignment and makes deliverability harder to diagnose. A bloated SPF record is often a sign that old senders were added but never removed.
Reducing lookups improves SPF reliability and makes it easier to maintain email authentication as providers change.
How to check SPF lookup count
Do not estimate lookup count from the TXT record alone. Use an SPF evaluation tool that expands includes and counts DNS lookups.
- Current SPF TXT — Retrieve the live SPF record from DNS.
- Lookup count — Use SPF Checker to count total DNS lookups.
- Provider list — Identify every service authorized to send for the domain.
- Nested includes — Review whether included providers add more includes or a/mx lookups.
- Legacy mechanisms — Check for ptr, exists or redirect usage.
- Duplicate senders — Remove providers no longer in use.
- Record count — Confirm there is only one SPF TXT record.
- Retest after edits — Recheck lookup count and send a test message.
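The expansion an SPF evaluation tool performs can be sketched as follows. This is an added example, not code from the original page or from SPF Checker: it counts the worst case (every term evaluated) over a constructed in-memory zone with hypothetical provider names, and it does not handle SPF macros or the separate per-mx address limits.

```python
# Added example (not from the original page). ZONE is constructed sample data
# standing in for live DNS TXT answers; all names in it are hypothetical.
LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

ZONE = {
    "example.com": ["v=spf1 include:_spf.mail-a.example include:_spf.mail-b.example a mx ptr ~all"],
    "clean.example": ["v=spf1 include:_spf.mail-a.example include:_spf.mail-b.example ~all"],
    "dup.example": ["v=spf1 mx ~all", "v=spf1 include:_spf.mail-a.example ~all"],
    "_spf.mail-a.example": ["v=spf1 include:_n1.mail-a.example include:_n2.mail-a.example ~all"],
    "_spf.mail-b.example": ["v=spf1 include:_n1.mail-b.example include:_n2.mail-b.example "
                            "include:_n3.mail-b.example include:_n4.mail-b.example ~all"],
}
for provider, leaves in (("a", 2), ("b", 4)):   # leaf records: ip4 only, no lookups
    for i in range(1, leaves + 1):
        ZONE[f"_n{i}.mail-{provider}.example"] = ["v=spf1 ip4:192.0.2.0/24 ~all"]

def spf_record(domain, zone):
    """Return the domain's single SPF record; zero or several is an error."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]

def count_lookups(domain, zone, chain=()):
    """Worst-case lookup count: every term evaluated, include/redirect followed."""
    if domain in chain:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        term = term.lstrip("+-~?").lower()
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0]            # "mx/24" -> "mx"
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, chain + (domain,))
    return total

def verdict(domain, zone=ZONE):
    """Return (count, result) the way a lookup-counting checker would report it."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as exc:
        return None, f"permerror: {exc}"
    return n, "ok" if n <= LIMIT else "permerror: too many DNS lookups"

if __name__ == "__main__":
    for d in ("example.com", "clean.example", "dup.example"):
        print(d, verdict(d))
```

The top-level record for example.com shows only five lookup terms, but the nested includes bring the total to 11; dropping a, mx and ptr brings it down to 8.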
Common problems
Too many provider includes
High: Each email platform adds at least one include and may add nested lookups.
Next step: Remove unused providers and keep only active senders.
Nested includes exceed limit
High: Included provider records contain more includes or lookup mechanisms.
Next step: Use provider-recommended SPF values and avoid stacking unnecessary services.
Legacy ptr mechanism present
Medium: ptr performs reverse DNS lookups and is discouraged in modern SPF.
Next step: Remove ptr and authorize senders with include or ip4/ip6 instead.
Unnecessary a or mx mechanisms
Medium: The record authorizes website or MX hosts that do not send mail.
Next step: Remove a and mx unless those hosts legitimately send outbound email.
Old provider still included
Medium: A migrated or retired service remains in SPF.
Next step: Audit sending sources and delete obsolete includes.
Multiple SPF TXT records
High: More than one SPF record invalidates SPF evaluation.
Next step: Merge into one SPF record with a single v=spf1 string.
Flattening used without maintenance
Medium: Hard-coded IP ranges no longer match provider infrastructure.
Next step: Update flattened IPs regularly or use a managed flattening service.
redirect hides complexity
Low: redirect moves evaluation to another domain and can obscure lookup count.
Next step: Inspect the target domain SPF record and count lookups there.
Marketing and transactional senders mixed
Medium: Many SaaS tools each add their own include.
Next step: Consolidate through fewer SMTP providers where possible.
SPF syntax error plus lookup bloat
High: Malformed mechanisms can combine with lookup-limit failure.
Next step: Fix syntax first, then reduce lookup count and retest.
How to reduce SPF lookups
- Step 1: Audit active senders
  List every service that sends mail for the domain, including CRM, forms, newsletters and transactional providers.
- Step 2: Measure lookup count
  Use SPF Checker to count current DNS lookups before making changes.
- Step 3: Remove unused includes
  Delete providers that no longer send for the domain.
- Step 4: Remove ptr, a and mx unless required
  Keep only mechanisms needed for real outbound sending infrastructure.
- Step 5: Consolidate providers
  Route more mail through fewer authenticated SMTP services where practical.
- Step 6: Use provider-recommended SPF
  Replace custom nested combinations with the official SPF value from each provider.
- Step 7: Consider flattening carefully
  Use flattening only if safer cleanup is not enough and you can maintain current IP ranges.
- Step 8: Retest lookup count and mail flow
  Confirm SPF lookup count is 10 or fewer, then send test messages and review authentication headers.
Examples
Example 1: Too many includes
Before:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:spf.zoho.com include:emsd1.com ~all
SPF Checker:
12 DNS lookups → permerror
After:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
SPF Checker:
4 DNS lookups → valid
Example 2: Remove ptr and mx
Before:
v=spf1 a mx ptr include:example-hosting.com ~all
Problem:
ptr and mx add unnecessary lookups.
After:
v=spf1 include:example-hosting.com ~all
Example 3: Flattening with caution
Before:
v=spf1 include:provider-a.com include:provider-b.com include:provider-c.com ~all
Flattened option:
v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:provider-a.com ~all
Warning:
Update flattened IPs when providers change infrastructure.
Useful checks:
dig +short example.com TXT | grep spf
Use SPF Checker to view expanded lookup count
Flattening can reduce lookups but may break mail if provider IP ranges change. Prefer removing unused includes and consolidating providers first.
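A maintenance check for a flattened record, as an added example that is not part of the original page: it compares the ip4/ip6 entries in the flattened record against the provider's current ranges and reports drift in both directions. The provider record here is constructed sample data and is assumed to be already expanded to plain ip4/ip6 terms.

```python
# Added example (not from the original page): detect drift between a flattened
# SPF record and the ranges a provider currently publishes.
import ipaddress

# Flattened record from Example 3; PROVIDER_NOW is constructed sample data.
FLATTENED = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:provider-a.com ~all"
PROVIDER_NOW = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/28 ~all"

def networks(record):
    """Extract the ip4/ip6 networks named in an SPF record."""
    nets = []
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6") and arg:
            nets.append(ipaddress.ip_network(arg, strict=False))
    return nets

def covered(net, pool):
    """True if net lies inside some network of the same IP version in pool."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def flatten_drift(flattened, provider_current):
    """Return (missing, stale).

    missing: provider ranges the flattened record does not authorize, so
             legitimate mail from them fails SPF.
    stale:   flattened ranges the provider no longer publishes, so the record
             still authorizes addresses outside the provider's current set.
    """
    flat, cur = networks(flattened), networks(provider_current)
    missing = [str(n) for n in cur if not covered(n, flat)]
    stale = [str(n) for n in flat if not covered(n, cur)]
    return missing, stale

if __name__ == "__main__":
    missing, stale = flatten_drift(FLATTENED, PROVIDER_NOW)
    print("missing from flattened record:", missing)
    print("stale in flattened record:", stale)
```

Either list being non-empty is the signal to regenerate the flattened record.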
Frequently asked questions
What is the SPF DNS lookup limit?
SPF evaluation allows a maximum of 10 DNS lookups. Exceeding the limit can cause permerror and authentication failure.
Which SPF mechanisms count toward the limit?
include, a, mx, exists and redirect count toward the limit. ip4, ip6 and all usually do not.
Does ptr count toward the SPF lookup limit?
Yes. ptr performs reverse DNS lookups and counts toward the limit. It is also discouraged in modern SPF design.
What is SPF flattening?
Flattening replaces nested includes with direct ip4/ip6 entries to reduce lookup count, often through a third-party service or manual maintenance.
Is flattening always safe?
No. Flattened IP lists can become outdated when providers change infrastructure, which may cause legitimate mail to fail SPF.
Can one include cause more than one lookup?
Yes. An included provider SPF record may contain more includes, a, mx or other lookup-generating mechanisms.
How do I know if lookup count is the problem?
Use SPF Checker or an SPF evaluation tool that reports lookup count and permerror caused by too many lookups.