
SPF Record Exceeds 10 DNS Lookups: How to Fix It

If you've ever wondered why some of your legitimate emails end up in spam, your SPF record might be the culprit. Specifically, it might be exceeding the 10 DNS lookup limit — a hard cap defined in RFC 7208 that most domain owners don't know about.

What is the SPF lookup limit?

SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. When a mail server receives an email from your domain, it checks your SPF record to verify the sender.

The problem is that SPF records can reference other domains using include: mechanisms. Each include: triggers a DNS lookup. And each of those records can have their own include: statements, creating a chain of lookups.

RFC 7208 limits this to 10 DNS lookups total. Go over that limit, and receiving servers will return a permerror — which most mail servers treat as a fail. Your emails get flagged or rejected.

What counts as a lookup?

These mechanisms each consume one DNS lookup:

  • include: — the most common offender
  • a: — resolves a domain's A record
  • mx: — resolves MX records
  • redirect= — a modifier that hands evaluation over to another domain's SPF record
  • exists: — checks if a domain resolves
  • ptr: — reverse DNS lookup (deprecated, avoid this)

These do not count as lookups:

  • ip4: — direct IP address
  • ip6: — direct IPv6 address
  • all — the catch-all mechanism

How to check your lookup count

The fastest way is to run a scan on PulseCheck — it recursively follows every include: in your SPF record and counts the total lookups automatically.

You can also check manually by querying your SPF TXT record and following each include: chain, but this is tedious and error-prone.
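
The manual check described above can be scripted. This is an added example, not code from the original article or from PulseCheck: it walks include: and redirect= chains and counts every lookup-consuming term. The records in SAMPLE_ZONE are constructed, and fetch_spf is a hypothetical callable that a real run would replace with a DNS TXT query.

```python
import re

# Constructed SPF records (not real DNS data) standing in for TXT lookups.
SAMPLE_ZONE = {
    "example.test": "v=spf1 mx include:_spf.mailer.test include:crm.test ip4:203.0.113.0/24 ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_b.mailer.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "crm.test": "v=spf1 a:out.crm.test exists:%{i}.bl.crm.test redirect=_spf.crm.test",
    "_spf.crm.test": "v=spf1 ip4:192.0.2.0/24 -all",
}
LOOKUP_LIMIT = 10  # RFC 7208 cap on lookup-consuming terms per evaluation
# Optional qualifier, a lookup-consuming term, then its optional argument.
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/](.*))?$", re.I)

def count_lookups(domain, fetch_spf, path=()):
    """Count lookup-consuming terms reachable from `domain`'s SPF record."""
    if domain in path:  # include/redirect loop: stop instead of recursing forever
        return 0
    record = fetch_spf(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return 0
    terms = record.split()[1:]
    has_all = any(t.lstrip("+-~?").lower() == "all" for t in terms)
    total = 0
    for term in terms:
        m = TERM.match(term)
        if not m:
            continue  # ip4:, ip6:, all and unknown modifiers cost nothing
        name, arg = m.group(1).lower(), m.group(2)
        if name == "redirect" and has_all:
            continue  # redirect is ignored when the record contains "all"
        total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, fetch_spf, path + (domain,))
    return total

def audit(domain, fetch_spf=SAMPLE_ZONE.get):
    """Return (lookup count, verdict) for a domain's SPF record."""
    n = count_lookups(domain, fetch_spf)
    return n, ("permerror risk" if n > LOOKUP_LIMIT else "ok")
```

The counter only tallies terms; it does not resolve a: or mx: targets, so it runs offline against whatever records fetch_spf returns.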

Common scenarios that blow the limit

Using multiple SaaS email providers. If you send email through Google Workspace, Mailchimp, SendGrid, and HubSpot, each adds 2-4 lookups via their include: mechanism. Four providers can easily push you past 10.

Inherited records from previous providers. Your SPF record might still include providers you no longer use. Each one wastes a lookup.

Nested includes. Some providers' SPF records themselves include other domains. Google Workspace's include:_spf.google.com expands into multiple further lookups.

How to fix it

1. Audit your current record

List every include: in your SPF record. For each one, check if you still use that service. Remove any you don't need.

2. Replace includes with IP addresses

If a service sends from a small, fixed set of IPs, replace the include: with direct ip4: or ip6: entries. These don't count against the lookup limit.

Before: include:mail.zendesk.com (1 lookup)
After: ip4:192.161.144.0/20 (0 lookups)

Check the provider's documentation for their sending IP ranges.

3. Use SPF flattening

SPF flattening resolves all include: chains into their final IP addresses at build time, producing a single flat record with only ip4: and ip6: entries.

Tools like AutoSPF, SPF Wizard, or dmarcian can automate this. The trade-off: if a provider changes their sending IPs, your flattened record becomes stale. Use a tool that auto-updates.

4. Move to a subdomain

If you absolutely need more than 10 providers, consider sending transactional email from a subdomain like mail.yourdomain.com. Each subdomain gets its own SPF record with its own 10-lookup budget.

Key takeaways

  • The 10 DNS lookup limit is a hard cap in the SPF specification
  • Exceeding it causes a permerror that can silently break email delivery
  • Audit your SPF record regularly — remove unused providers
  • Use ip4:/ip6: for static IP senders to save lookups
  • Consider SPF flattening or subdomain delegation for complex setups

Run a free PulseCheck scan to see your current SPF lookup count instantly.
