SPF Too Many DNS Lookups: How to Fix the 10 Lookup Limit

SPF records have a 10 DNS lookup limit. Learn what counts as a lookup, how to diagnose permerror, and strategies to flatten or optimize your SPF record.


SPF records have a hard limit: 10 DNS lookups. Exceed this, and SPF returns permerror — a permanent failure that breaks authentication for all your email. As organizations add more email services, hitting this limit becomes increasingly common.

Why the 10 Lookup Limit Exists

The limit prevents SPF checks from being used in DNS amplification attacks and protects mail servers from excessive DNS load. When evaluating an SPF record, the receiving server must resolve each include, a, mx, and redirect mechanism — potentially chasing nested includes through multiple domains.

Without a limit, a malicious SPF record could trigger thousands of DNS queries per email received.

What Counts as a Lookup

These mechanisms count toward the limit:

| Mechanism | Lookups | Notes |
|---|---|---|
| `include:domain.com` | 1+ | Plus any lookups in the included record |
| `a` or `a:domain.com` | 1 | Resolves A records |
| `mx` or `mx:domain.com` | 1+ | Plus lookups for each MX host |
| `ptr` | 1 | Deprecated, avoid using |
| `exists:domain.com` | 1 | |
| `redirect=domain.com` | 1 | Plus lookups in redirected record |

These do NOT count:

| Mechanism | Lookups | Notes |
|---|---|---|
| `ip4:192.0.2.0/24` | 0 | Direct IP address |
| `ip6:2001:db8::/32` | 0 | Direct IP address |
| `all` | 0 | Catch-all |

How Lookups Accumulate

Each include is at least 1 lookup, but included records can have their own includes:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Lookup breakdown:

  1. include:_spf.google.com → 1 lookup
    • Resolves to record with include:_netblocks.google.com → 1 lookup
    • And include:_netblocks2.google.com → 1 lookup
    • And include:_netblocks3.google.com → 1 lookup
  2. include:sendgrid.net → 1 lookup
    • May have its own includes...

Total: 5+ lookups from just two includes.
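The breakdown above can be reproduced with a small static counter. This is an added example, not code from the original article: the `ZONE` dictionary is constructed data standing in for live DNS (the include names follow the breakdown, the leaf record contents are illustrative), and `walk` and `audit` are hypothetical helper names.

```python
LIMIT = 10  # the 10-lookup cap on lookup-causing terms (RFC 7208)
COSTLY = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS. The include names follow the
# breakdown above; the leaf record contents are illustrative.
ZONE = {
    "company.com": "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "sendgrid.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

def walk(domain, zone, path=()):
    """Yield (depth, owner, term) for every lookup-costing term under domain."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    for term in zone.get(domain, "").split()[1:]:   # [1:] skips "v=spf1"
        body = term.lstrip("+-~?")                  # drop the qualifier
        sep = "=" if body.lower().startswith("redirect=") else ":"
        kind, _, target = body.partition(sep)
        kind = kind.partition("/")[0].lower()       # "a/24", "mx/24" carry a CIDR
        if kind not in COSTLY:
            continue
        # a, mx, ptr and exists are counted once each here; mx host address
        # lookups fall under a separate per-mechanism cap in RFC 7208.
        yield len(path), domain, term
        if kind in ("include", "redirect"):
            yield from walk(target, zone, path + (domain,))

def audit(domain, zone):
    """Static worst-case count: every include and redirect is followed."""
    chain = list(walk(domain, zone))
    return {"lookups": len(chain), "over_limit": len(chain) > LIMIT, "chain": chain}

if __name__ == "__main__":
    report = audit("company.com", ZONE)
    for depth, owner, term in report["chain"]:
        print("  " * depth + f"{owner}: {term}")
    print(report["lookups"], "lookups, over limit:", report["over_limit"])
```

To audit a real domain, fill the dictionary from TXT queries for each name in the chain instead of the constructed entries.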

Diagnosing Lookup Issues

Check Your Current Count

Use SPF Record Check to see:

  • Total DNS lookups
  • Breakdown by mechanism
  • Nested lookup chains
  • Whether you're over the limit

Signs You've Exceeded the Limit

SPF permerror in headers:

Authentication-Results: spf=permerror (too many DNS lookups)

Intermittent SPF failures: Some servers check all lookups, others stop at 10. This causes inconsistent results.

DMARC failures: With SPF broken, DMARC relies entirely on DKIM. If DKIM also fails, DMARC fails.

Strategies to Reduce Lookups

1. Remove Unused Includes

Audit your SPF record. Are all these services still in use?

# Before: Services no longer used
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net include:mail.zendesk.com include:amazonses.com ~all

# After: Removed unused services
v=spf1 include:_spf.google.com include:sendgrid.net ~all

2. Flatten Your SPF Record

Replace include statements with the IP addresses they resolve to:

# Before (uses lookups):
v=spf1 include:sendgrid.net ~all

# After (flattened, no lookups for these IPs):
v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ~all

Warning: Flattened records don't auto-update when services change their IPs. You need to monitor and update manually, or use automated flattening.

3. Use a Flattening Service

Several services automatically flatten and maintain SPF records:

  • They resolve includes to IP addresses
  • They monitor for IP changes
  • They update your record automatically

This trades DNS lookup complexity for a dependency on the flattening service.

4. Consolidate Email Services

Do you really need 5 different email senders?

  • Marketing emails → one platform
  • Transactional emails → maybe the same platform
  • Support emails → consider same platform

Fewer services = fewer SPF includes.

5. Use Subdomains

Move different email types to subdomains with their own SPF records:

# Main domain
company.com: v=spf1 include:_spf.google.com ~all

# Marketing subdomain
mail.company.com: v=spf1 include:servers.mcsv.net ~all

# Transactional subdomain
notify.company.com: v=spf1 include:sendgrid.net ~all

Each subdomain has its own 10-lookup limit. Send marketing from @mail.company.com, transactional from @notify.company.com.

6. Replace a/mx with ip4/ip6

If you're using a or mx mechanisms, replace them with actual IPs:

# Before (2+ lookups):
v=spf1 mx a include:sendgrid.net ~all

# After (0 lookups for the IPs):
v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 include:sendgrid.net ~all

SPF Record Length Limits

Beyond lookups, SPF records have string length limits:

  • Single TXT string: 255 characters max
  • Total record: 512 bytes recommended, larger may fail
  • Multiple strings: Can be concatenated, but adds complexity

Long flattened records may need to be split:

"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 " "ip4:203.0.113.0/24 ~all"

DNS clients concatenate quoted strings automatically, with nothing added between them, so the separating space has to sit inside one of the strings.
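The split shown above can be generated rather than hand-edited. This is an added example, not code from the original article; `split_spf`, `zone_rdata` and `check` are hypothetical helper names, and the 512-byte comparison applies the guidance from the list above to the TXT RDATA size.

```python
def split_spf(record, max_len=255):
    """Break an SPF record into TXT strings of at most max_len characters.

    Breaks fall only between terms, and the separating space stays at the end
    of the earlier string because the strings are joined with nothing between.
    """
    chunks, current = [], ""
    for term in record.split():
        if len(term) >= max_len:
            raise ValueError(f"term does not fit in one string: {term[:20]}...")
        joined = f"{current} {term}" if current else term
        if current and len(joined) + 1 > max_len:   # +1 keeps room for the space
            chunks.append(current + " ")
            current = term
        else:
            current = joined
    chunks.append(current)
    return chunks

def zone_rdata(chunks):
    """Render the strings as zone-file TXT data, each one quoted separately."""
    return " ".join(f'"{c}"' for c in chunks)

def check(record):
    """Split a record and report its size against the 512-byte guidance."""
    chunks = split_spf(record)
    # On the wire each string carries one length byte in front of its content.
    size = sum(len(c.encode()) + 1 for c in chunks)
    return {"strings": len(chunks), "rdata_bytes": size,
            "over_512": size > 512, "rdata": zone_rdata(chunks)}

if __name__ == "__main__":
    # Constructed flattened record: 40 documentation-range addresses.
    long_record = ("v=spf1 "
                   + " ".join(f"ip4:198.51.100.{i}" for i in range(40))
                   + " ~all")
    result = check(long_record)
    print(result["strings"], "strings,", result["rdata_bytes"], "bytes,",
          "over 512:", result["over_512"])
    print(result["rdata"])
```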

Monitoring for Changes

Flattened SPF records break when:

  • Email services add or change IP addresses
  • Services merge or migrate infrastructure
  • You forget what IPs belong to which service

Regular monitoring catches these issues:

  • Track which IPs map to which services
  • Get alerts when service IPs change
  • Re-flatten when needed
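A drift check along these lines compares the flattened record with what the provider currently publishes. This is an added example, not code from the original article: `networks` and `drift` are hypothetical helper names, and the "current" provider record is constructed sample data, not a live lookup. Ranges reported as stale matter as much as missing ones, because they still authorize whoever holds those addresses now.

```python
import ipaddress

def networks(record):
    """Collect the ip4/ip6 networks named in one SPF record."""
    nets = set()
    for term in record.split():
        body = term.lstrip("+-~?")              # drop the qualifier
        if body.lower().startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(body[4:], strict=False))
    return nets

def covered(net, pool):
    """True if net lies inside some network of the same IP version in pool."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def drift(flattened, provider_records):
    """Compare a flattened record with the provider's currently resolved records.

    missing: ranges the provider publishes that the flattened record lacks
             (mail from them fails SPF).
    stale:   ranges the flattened record authorizes that the provider no
             longer publishes (they should be removed).
    """
    have = networks(flattened)
    want = set().union(*(networks(r) for r in provider_records))
    return {
        "missing": sorted(str(n) for n in want if not covered(n, have)),
        "stale": sorted(str(n) for n in have if not covered(n, want)),
    }

if __name__ == "__main__":
    # Flattened record from the example earlier on this page.
    flattened = "v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ~all"
    # Constructed "current" provider record: one range dropped, one added.
    current = ["v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:198.51.100.0/24 ~all"]
    print(drift(flattened, current))
```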

Common Service Lookup Counts

| Service | Direct Lookups | Nested Total |
|---|---|---|
| Google Workspace | 1 | 3-4 |
| Microsoft 365 | 1 | 2-3 |
| SendGrid | 1 | 1-2 |
| Mailchimp | 1 | 1-2 |
| Amazon SES | 1 | 1 |
| HubSpot | 1 | 2-3 |

Counts may change as services update their infrastructure.

Example: Fixing an Over-Limit Record

Problem record (12+ lookups):

v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:servers.mcsv.net include:mail.zendesk.com include:amazonses.com ~all

Solution 1: Remove unused services

Audit reveals Mailchimp and Zendesk aren't used anymore:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:amazonses.com ~all

Solution 2: Use subdomains

Marketing from marketing.company.com, transactional from notify.company.com:

# company.com (corporate email only)
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

# marketing.company.com
v=spf1 include:servers.mcsv.net ~all

# notify.company.com
v=spf1 include:sendgrid.net include:amazonses.com ~all

Solution 3: Partial flattening

Flatten the less-volatile services:

v=spf1 include:_spf.google.com ip4:149.72.0.0/16 ip4:168.245.0.0/16 include:amazonses.com ~all
