
SPF Record Too Long? Count Your Lookups

Check if your SPF exceeds the 10 DNS lookup limit and see exactly what to fix.


The 10 DNS Lookup Limit

RFC 7208 limits each SPF evaluation to 10 DNS lookups to prevent denial-of-service attacks. Exceeding the limit produces a permerror result, and SPF fails completely.

Mechanisms and modifiers that COUNT

  • include:
  • a (and a:domain)
  • mx (and mx:domain)
  • ptr (deprecated)
  • exists:
  • redirect=

Mechanisms and modifiers that DON'T count

  • ip4:
  • ip6:
  • all
  • exp=

Why SPF Records Get Too Long

Too many email services

Each SaaS tool (Google Workspace, Microsoft 365, Mailchimp, Salesforce, Zendesk, etc.) adds an include: that can contain 2-5+ nested lookups. Five services can easily exceed 10 lookups.

Nested includes

When you add include:_spf.google.com, that record itself contains more includes. Google's SPF alone uses 3-4 lookups. Nested lookups count toward your total.
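The nested counting described above, as an added example (not code from this page or its tool): a walker that tallies every counting term reachable from a record. It runs offline over a constructed in-memory zone; all domains and records are made up, each counting term is tallied once, and macros are not expanded.

```python
import re

# Constructed sample zone: domain -> SPF TXT record. Not real DNS data.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example include:_spf.crm.example "
                   "include:_spf.desk.example mx a:relay.example.com ip4:192.0.2.10 -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.example": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.bl.mailer.example ~all",
    "_spf.crm.example": "v=spf1 redirect=_spf2.crm.example",
    "_spf2.crm.example": "v=spf1 ip6:2001:db8::/32 ptr -all",
    "_spf.desk.example": "v=spf1 a mx ~all",
}
LIMIT = 10  # RFC 7208 lookup limit

# Terms that count: include, a, mx, ptr, exists, redirect= (optional qualifier first).
COUNTING = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)
# Terms whose target record must itself be walked.
FOLLOW = re.compile(r"^[+\-~?]?include:(\S+)$|^redirect=(\S+)$", re.I)

def count_lookups(domain, zone, path=()):
    """Return (total, trail): trail lists every counting term as (domain, term)."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain.lower(), "")
    total, trail = 0, []
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if not COUNTING.match(term):
            continue                          # ip4, ip6, all, exp= cost nothing
        total += 1
        trail.append((domain, term))
        target = FOLLOW.match(term)
        if target:                            # nested record adds its own lookups
            sub_total, sub_trail = count_lookups(
                target.group(1) or target.group(2), zone, path + (domain,))
            total += sub_total
            trail += sub_trail
    return total, trail

def over_limit(domain, zone=ZONE):
    return count_lookups(domain, zone)[0] > LIMIT

if __name__ == "__main__":
    total, trail = count_lookups("example.com", ZONE)
    for owner, term in trail:
        print(f"{owner:24} {term}")
    print(f"{total} lookups (limit {LIMIT}):", "permerror" if total > LIMIT else "ok")
```

The top-level record shows only five counting terms, but the walk reports 12 once the nested records are included.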

Legacy/unused includes

Old email services you no longer use may still be in your SPF. Audit your record and remove includes for services you've discontinued.

Using mx and a mechanisms

The mx mechanism requires a lookup, and if you have multiple MX records, each A record lookup also counts. Replace with explicit ip4: addresses when possible.

Record too long (255 char limit)

DNS TXT records have a 255-character limit per string. Longer records must be split into multiple strings. Some DNS providers handle this poorly, causing syntax errors.

How to Fix SPF Too Many Lookups

1. Audit Your Includes

List every include: in your SPF. Remove any for services you no longer use.

2. Replace with IP Addresses

If a service has static IPs, use ip4:x.x.x.x instead of include:. This uses zero lookups.

3. Use SPF Flattening

SPF flattening resolves all includes to IP addresses. It requires regular updates because provider IPs change, so use a service or script to automate it.

4. Consolidate Sending Services

Route multiple services through one provider. For example, send all transactional email through one ESP instead of three.

5. Use Subdomains

Send marketing from mail.example.com with its own SPF record. Each subdomain gets its own 10-lookup limit.

Frequently Asked Questions

What is SPF permerror?

SPF permerror (permanent error) occurs when your SPF record exceeds 10 DNS lookups, has syntax errors, or is malformed. When permerror happens, SPF evaluation fails completely; it's treated as if you have no SPF at all.

How do I fix SPF too many DNS lookups?

Reduce lookups by: removing unused includes, replacing include: with ip4:/ip6: where possible, using SPF flattening services, or consolidating multiple services under fewer includes. You can also use subdomains for different mail streams.

What counts as an SPF DNS lookup?

These mechanisms count toward the 10-lookup limit: include, a, mx, ptr, exists, and redirect. These do NOT count: ip4, ip6, all. Each include can contain nested lookups that also count.
