SPF Too Many DNS Lookups: What It Means and How to Fix It

Last updated 2026-05-29 — By The InboxGreen Team

"SPF too many DNS lookups" means your SPF record requires more than 10 DNS queries to fully resolve. RFC 7208 sets a hard limit of 10 DNS-querying mechanisms (include, a, mx, ptr, exists). When that limit is exceeded, the result is a PermError and SPF fails entirely, even if every sender listed is legitimate. The fix is to reduce lookups by replacing include: mechanisms with direct IP addresses.

What it means

Every time your SPF record contains an <code>include:</code>, <code>a</code>, <code>mx</code>, or <code>redirect=</code> mechanism, the receiving server must make an additional DNS query to resolve it. Each of those nested records may itself contain further includes, and each counts toward the 10-lookup limit. Large SaaS stacks (Google Workspace + Mailchimp + HubSpot + SendGrid) can easily exceed 10 lookups.

Why it matters

A PermError caused by too many lookups has the same effect as no SPF record at all. Receivers treat it as an SPF failure, which can silently break deliverability at scale, especially as you add more sending tools over time. The limit was set in the original SPF spec to prevent DNS abuse and it is enforced by all major providers.

How to count your current DNS lookups

v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 include:sendgrid.net ~all

ip4: and ip6: mechanisms do not count as lookups since they are direct IP references. Replacing include: entries with their underlying IP ranges is the most reliable way to reduce lookup count. Use InboxGreen or MXToolbox to count current lookups.

How to fix it

Any DNS provider

  1. Run your domain through the InboxGreen checker to confirm you have a lookup overflow.
  2. List every sending service in your current SPF record.
  3. For each include:, look up what IP ranges it resolves to (check the provider's documentation).
  4. Replace include: mechanisms with direct ip4: or ip6: entries where possible.
  5. Keep include: only for services that rotate IPs frequently (like Google Workspace).
  6. Re-run the checker to confirm the lookup count is now under 10.

Alternative: SPF flattening service

  1. Services like AutoSPF or dmarcian's SPF Surveyor can automatically flatten your SPF record.
  2. They resolve all includes to their current IPs and generate a single flat record.
  3. Note: flattened records need periodic updates as providers change their IP ranges.

How to verify the fix

  1. After updating your SPF record, wait a few minutes for propagation.
  2. Run your domain through the InboxGreen free checker.
  3. SPF should now show PASS instead of a PermError or warning about lookup count.

Check your fix right now

Run your domain through InboxGreen's free checker to confirm the issue is resolved.

Check my domain

Common mistakes

  • Counting only the top-level includes. Nested includes inside those also count toward the limit.
  • Flattening IPs without a process to keep them updated. Providers change IP ranges and your record becomes stale.
  • Removing legitimate senders when flattening. Check all your sending platforms before removing any include.
  • Confusing the 10-lookup limit with the 255-character string limit. These are two separate SPF constraints.

Frequently asked questions

What counts as a DNS lookup in SPF? +

The following mechanisms each count as one lookup: include, a, mx, ptr, exists, redirect. The mechanisms ip4, ip6, and all do not require DNS lookups and do not count toward the limit.

Can I use a subdomain to work around the 10-lookup limit? +

Using a redirect= to a subdomain does not help. The redirect itself counts as a lookup and the sub-record's lookups still count too. Flattening to IP addresses is the correct approach.

How do I count how many lookups my SPF record currently uses? +

Run your domain through the InboxGreen checker, which evaluates lookup depth. You can also use MXToolbox SPF Record Lookup, which shows the full resolved tree and counts.

Related fix guides