Home / Guides / SPF Too Many Lookups

SPF Record Too Many DNS Lookups — How to Fix

The SPF 10-lookup limit is one of the most common email authentication errors. Here's how to diagnose and fix it.

Understanding the SPF 10-lookup limit

SPF (Sender Policy Framework) uses DNS TXT records to list which servers are authorized to send email for your domain. When a receiving server evaluates your SPF record, it follows each include:, a:, mx:, and redirect= mechanism by making DNS queries.

RFC 7208 limits this to 10 DNS lookups total. If your record exceeds this limit, the SPF check returns permerror — a permanent error that most ISPs treat as a fail.

What counts toward the limit

MechanismCounts?Notes
include:Yes (1 each)Plus any lookups inside the included record
a:Yes (1 each)Resolves domain to IP
mx:Yes (1 each)Resolves MX records, then each MX to IP
redirect=Yes (1)Follows to another SPF record
exists:Yes (1 each)Rarely used
ptr:Yes (1 each)Deprecated, avoid using
ip4:NoDirect IP, no DNS needed
ip6:NoDirect IP, no DNS needed
allNoTerminal mechanism

How to count your current lookups

Use an online SPF checker (MXToolbox, dmarcian, or EasyDMARC) to analyze your record. Or check manually with dig:

dig TXT example.com +short

Count each include:, a:, mx:, and redirect= mechanism. Then check each included domain recursively — their includes count toward your total too.

Example of a record at the limit:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:spf.relaypost.dev include:_spf.salesforce.com ~all

This looks like 5 lookups, but _spf.google.com alone contains 3-4 nested includes. The real total could be 12+.

Fix 1: Remove unused includes

The easiest fix. Audit each include and remove any for services you no longer use:

  • Old email marketing tools you've migrated away from
  • Previous email providers
  • CRM systems that no longer send email on your behalf
  • Test or staging services

Fix 2: Replace includes with IP addresses

For services with stable, documented IP ranges, replace the include: with ip4: or ip6: mechanisms. These don't count toward the lookup limit.

# Before (1 lookup + nested lookups)
include:mail.example-service.com

# After (0 lookups)
ip4:198.51.100.0/24 ip4:203.0.113.0/24

Only do this for services with stable IPs. If the provider changes their IPs, your SPF will break.

Fix 3: Use subdomains

Split your email sending across subdomains, each with its own SPF record:

  • example.com — corporate email (Google Workspace/Microsoft 365)
  • mail.example.com — transactional email (RelayPost)
  • marketing.example.com — marketing email (marketing tool)

Each subdomain gets its own 10-lookup budget. This is the cleanest long-term solution.

Fix 4: SPF flattening (use with caution)

SPF flattening resolves all includes to their final IP addresses and puts them directly in your record. This eliminates nested lookups but creates a maintenance burden — if any provider changes their IPs, your record breaks silently.

If you use flattening, use an automated tool that monitors for IP changes and updates your record automatically.

SPF with RelayPost

RelayPost's SPF include is lightweight — a single include:spf.relaypost.dev that resolves to a small set of IP ranges. This typically adds only 1-2 lookups to your total.

Related guides

Frequently asked questions

What is the SPF 10-lookup limit?

The SPF specification (RFC 7208) limits SPF record evaluation to 10 DNS lookups. Each 'include:', 'a:', 'mx:', and 'redirect=' mechanism counts as one lookup. If your record exceeds 10, the entire SPF check returns 'permerror' and fails.

What counts as a DNS lookup in SPF?

These mechanisms each count as one lookup: include, a, mx, ptr, exists, and redirect. The 'ip4' and 'ip6' mechanisms do NOT count because they don't require DNS resolution. Nested includes (an include that itself has includes) count toward the total.

What happens when SPF exceeds 10 lookups?

The receiving server returns a 'permerror' result, which means SPF evaluation failed entirely. Most ISPs treat this the same as an SPF fail — your emails are more likely to be spam-filtered or rejected, especially if you also lack DKIM.

Should I use SPF flattening?

SPF flattening replaces include mechanisms with the resolved IP addresses. It works but requires maintenance — if a provider changes their IPs, your flattened record becomes stale. Use automated flattening tools or services that update records automatically.

Simple email authentication

RelayPost configures SPF and DKIM automatically. One include, zero hassle.

Get Started Free