Too Many DNS Lookups in SPF: How to Reduce Them

Reduce SPF DNS lookups and fix SPF permerror by removing unused includes, avoiding ptr, simplifying mx/a mechanisms and staying under the 10 lookup limit.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 8 min read | Intermediate

Introduction

SPF records can fail even when they look short. One common reason is the 10 DNS lookup limit defined by SPF. During mail authentication, receiving servers count DNS lookups triggered by mechanisms such as include, a, mx, exists, redirect and ptr.

Domains with multiple email providers, nested includes, unnecessary a or mx mechanisms, or legacy ptr entries can exceed the limit and return permerror. Reducing lookups requires auditing the real expanded record, removing unused providers, consolidating senders, and using flattening only when safer options are not enough.

Quick answer

To reduce SPF DNS lookups, remove unused includes, avoid unnecessary a, mx and ptr mechanisms, consolidate email providers where possible, replace nested includes with provider-recommended values, and use flattening only with a plan to keep IP lists current. Verify lookup count with SPF Checker after every change.

Reducing SPF DNS lookups

The SPF 10 lookup limit applies during evaluation, not to the visible length of the TXT record. A compact record with several includes can still exceed the limit if those includes expand into more lookups.

Mechanisms that commonly increase lookup count:

  • include for each email provider or SaaS sender
  • nested includes inside provider SPF records
  • a when the domain or subdomain has A records
  • mx when MX hostnames resolve through DNS
  • exists for dynamic lookup patterns
  • redirect when evaluation moves to another domain
  • ptr for reverse DNS lookups
  • old providers left in SPF after migration
  • duplicate or overlapping provider entries
  • unnecessary +all or overly broad mechanisms

Lookup-heavy SPF example

v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:spf.protection.outlook.com a mx ptr ~all

Avoid ptr in SPF unless you have a specific legacy requirement. It adds lookups and is unreliable for modern deliverability.

Start by removing providers you no longer use. That is often the safest way to cut lookup count.

Why this matters

When SPF exceeds 10 DNS lookups, receivers may return permerror instead of pass or fail. That weakens authentication, complicates DMARC alignment and makes deliverability harder to diagnose. A bloated SPF record is often a sign that old senders were added but never removed.

Reducing lookups improves SPF reliability and makes it easier to maintain email authentication as providers change.

How to check SPF lookup count

Do not estimate lookup count from the TXT record alone. Use an SPF evaluation tool that expands includes and counts DNS lookups.

  1. Current SPF TXT — Retrieve the live SPF record from DNS.
  2. Lookup count — Use SPF Checker to count total DNS lookups.
  3. Provider list — Identify every service authorized to send for the domain.
  4. Nested includes — Review whether included providers add more includes or a/mx lookups.
  5. Legacy mechanisms — Check for ptr, exists or redirect usage.
  6. Duplicate senders — Remove providers no longer in use.
  7. Record count — Confirm there is only one SPF TXT record.
  8. Retest after edits — Recheck lookup count and send a test message.
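The counting that such an evaluation tool performs can be sketched as follows. This is an added example, not CheckDomainHealth's code: the zone data is constructed and stands in for live DNS, the function names are illustrative, and the count is the worst case in which every term is evaluated.

```python
# Constructed sample data standing in for DNS (name -> TXT strings); not real records.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:send.example "
                    "include:old-crm.example a mx ptr ~all"],
    "_spf.mail.example": ["v=spf1 include:_nb1.mail.example "
                          "include:_nb2.mail.example include:_nb3.mail.example ~all"],
    "_nb1.mail.example": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "_nb2.mail.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "_nb3.mail.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "send.example": ["v=spf1 include:u1.send.example ip4:198.51.100.0/24 ~all"],
    "u1.send.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "old-crm.example": ["v=spf1 a:mail.old-crm.example mx ~all"],
}
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}

def expand(domain, zone, path=()):
    """Return (owner, term) for every DNS-querying term reachable from domain."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        raise ValueError(f"{domain}: found {len(records)} SPF records, need exactly 1")
    hits = []
    for term in records[0].split()[1:]:
        body = term.lstrip("+-~?").lower()
        if body.startswith("redirect="):
            body = "redirect:" + body[len("redirect="):]
        name, _, target = body.partition(":")
        name = name.partition("/")[0]            # "a/24" -> "a"
        if name not in COUNTED:
            continue                             # ip4, ip6 and all need no DNS query
        hits.append((domain, term))              # each counted term costs one lookup
        if name in ("include", "redirect"):      # these pull in another SPF record
            hits += expand(target, zone, path + (domain,))
    return hits

def audit(domain, zone=ZONE, limit=10):
    """Return (lookup_count, status, hits) for the fully expanded record."""
    try:
        hits = expand(domain, zone)
    except ValueError as err:
        return 0, f"permerror: {err}", []
    status = "ok" if len(hits) <= limit else "permerror: too many DNS lookups"
    return len(hits), status, hits

if __name__ == "__main__":
    count, status, hits = audit("example.com")
    print(count, status)
    print("\n".join(f"  {owner}: {term}" for owner, term in hits))
```

The per-term listing shows which record spends each lookup, which is what identifies a retired provider or a stray a, mx or ptr as the one to remove.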


Common problems

Too many provider includes (High)

Each email platform adds at least one include and may add nested lookups.

Next step: Remove unused providers and keep only active senders.

Nested includes exceed limit (High)

Included provider records contain more includes or lookup mechanisms.

Next step: Use provider-recommended SPF values and avoid stacking unnecessary services.

Legacy ptr mechanism present (Medium)

ptr performs reverse DNS lookups and is discouraged in modern SPF.

Next step: Remove ptr and authorize senders with include or ip4/ip6 instead.

Unnecessary a or mx mechanisms (Medium)

The record authorizes website or MX hosts that do not send mail.

Next step: Remove a and mx unless those hosts legitimately send outbound email.

Old provider still included (Medium)

A migrated or retired service remains in SPF.

Next step: Audit sending sources and delete obsolete includes.

Multiple SPF TXT records (High)

More than one SPF record invalidates SPF evaluation.

Next step: Merge into one SPF record with a single v=spf1 string.

Flattening used without maintenance (Medium)

Hard-coded IP ranges no longer match provider infrastructure.

Next step: Update flattened IPs regularly or use a managed flattening service.

redirect hides complexity (Low)

redirect moves evaluation to another domain and can obscure lookup count.

Next step: Inspect the target domain SPF record and count lookups there.

Marketing and transactional senders mixed (Medium)

Many SaaS tools each add their own include.

Next step: Consolidate through fewer SMTP providers where possible.

SPF syntax error plus lookup bloat (High)

Malformed mechanisms can combine with lookup-limit failure.

Next step: Fix syntax first, then reduce lookup count and retest.

How to reduce SPF lookups

  1. Audit active senders

    List every service that sends mail for the domain, including CRM, forms, newsletters and transactional providers.

  2. Measure lookup count

    Use SPF Checker to count current DNS lookups before making changes.

  3. Remove unused includes

    Delete providers that no longer send for the domain.

  4. Remove ptr, a and mx unless required

    Keep only mechanisms needed for real outbound sending infrastructure.

  5. Consolidate providers

    Route more mail through fewer authenticated SMTP services where practical.

  6. Use provider-recommended SPF

    Replace custom nested combinations with the official SPF value from each provider.

  7. Consider flattening carefully

    Use flattening only if safer cleanup is not enough and you can maintain current IP ranges.

  8. Retest lookup count and mail flow

    Confirm SPF lookup count is 10 or fewer, then send test messages and review authentication headers.

Examples

SPF lookup reduction examples

Example 1: Too many includes

Before:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:spf.zoho.com include:emsd1.com ~all

SPF Checker:
12 DNS lookups (permerror)

After:
v=spf1 include:_spf.google.com include:sendgrid.net ~all

SPF Checker:
4 DNS lookups (valid)

Example 2: Remove ptr and mx

Before:
v=spf1 a mx ptr include:example-hosting.com ~all

Problem:
ptr and mx add unnecessary lookups.

After:
v=spf1 include:example-hosting.com ~all

Example 3: Flattening with caution

Before:
v=spf1 include:provider-a.com include:provider-b.com include:provider-c.com ~all

Flattened option:
v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:provider-a.com ~all

Warning:
Update flattened IPs when providers change infrastructure.

Useful checks:
dig +short example.com TXT | grep spf
Use SPF Checker to view expanded lookup count

Flattening can reduce lookups but may break mail if provider IP ranges change. Prefer removing unused includes and consolidating providers first.
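A drift check for a flattened record like the one in Example 3 can look like this. It is an added example, not part of the original guide: the provider records and IP ranges are constructed, the function names are illustrative, and it assumes each provider record has already been expanded to its direct ip4/ip6 terms.

```python
import ipaddress

# Flattened record from Example 3 (provider-b.com and provider-c.com were flattened).
PUBLISHED = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:provider-a.com ~all"

# Constructed sample of what the flattened providers publish today (not real data).
PROVIDER_TXT = {
    "provider-b.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.64/26 ~all",
    "provider-c.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}


def networks(record):
    """Return the ip4/ip6 networks listed directly in one SPF record."""
    nets = []
    for term in record.split()[1:]:
        kind, _, value = term.lstrip("+-~?").partition(":")
        if kind.lower() in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def covered(net, pool):
    """True if net lies entirely inside some network of the same family in pool."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)


def drift(published, provider_records):
    """Compare a flattened record with the providers' current ranges."""
    flat = networks(published)
    live = [n for rec in provider_records.values() for n in networks(rec)]
    return {
        # Provider ranges the flattened record no longer authorizes: mail fails SPF.
        "missing": [str(n) for n in live if not covered(n, flat)],
        # Flattened entries no provider lists any more: addresses still authorized
        # to send as the domain although the provider has released them.
        "stale": [str(n) for n in flat if not covered(n, live)],
    }


if __name__ == "__main__":
    print(drift(PUBLISHED, PROVIDER_TXT))
```

Stale entries deserve the same attention as missing ones, since they keep authorizing addresses that may now belong to someone else.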

Frequently asked questions

What is the SPF DNS lookup limit?

SPF evaluation allows a maximum of 10 DNS lookups. Exceeding the limit can cause permerror and authentication failure.

Which SPF mechanisms count toward the limit?

include, a, mx, ptr, exists and redirect count toward the limit. ip4, ip6 and all do not, because they require no DNS query.

Does ptr count toward the SPF lookup limit?

Yes. ptr performs reverse DNS lookups and counts toward the limit. It is also discouraged in modern SPF design.

What is SPF flattening?

Flattening replaces nested includes with direct ip4/ip6 entries to reduce lookup count, often through a third-party service or manual maintenance.

Is flattening always safe?

No. Flattened IP lists can become outdated when providers change infrastructure, which may cause legitimate mail to fail SPF.

Can one include cause more than one lookup?

Yes. An included provider SPF record may contain more includes, a, mx or other lookup-generating mechanisms.

How do I know if lookup count is the problem?

Use SPF Checker or an SPF evaluation tool that reports lookup count and permerror caused by too many lookups.
