SPF Record: Too Many DNS Lookups (How to Fix)

Introduction

"Too many DNS lookups" is the most common SPF error, and it can cause your legitimate emails to fail authentication. When your SPF record exceeds 10 DNS lookups, receiving servers stop processing it and your emails may be rejected or sent to spam.

This guide explains why the limit exists, how to count your lookups, and practical solutions to fix the problem.

Understanding the 10 Lookup Limit

Why the Limit Exists

The SPF standard (RFC 7208) imposes a hard limit of 10 DNS lookups per SPF evaluation to prevent:

• Denial of service attacks
• Infinite loops
• Excessive DNS server load
• Slow email processing

When an email server evaluates your SPF record, it must resolve all include:, a, mx, ptr, and redirect= mechanisms. Each one counts as a DNS lookup.

What Happens When You Exceed 10 Lookups

• SPF check returns permerror (permanent error)
• Email fails SPF authentication
• DMARC may fail (if relying on SPF alignment)
• Emails sent to spam or rejected
• Your sender reputation suffers

Important: There's no "soft limit." Once you hit 11 lookups, SPF fails completely.

How to Count DNS Lookups

Mechanisms That Count as Lookups

Each of these counts as ONE lookup:

• include:domain.com
• a
• mx
• exists:domain.com
• redirect=domain.com

These DO NOT count:

• ip4:192.0.2.1
• ip6:2001:db8::1
• all, +all, ~all, -all

Nested Lookups Add Up

When you include: another domain's SPF, that domain's lookups also count toward your total.

Example:

Your SPF record:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

• include:_spf.google.com = 1 lookup

  • Google's SPF has 3 additional includes = 3 more lookups
  • Subtotal: 4 lookups

• include:spf.protection.outlook.com = 1 lookup

  • Microsoft's SPF has 2 additional includes = 2 more lookups
  • Subtotal: 3 lookups

Total: 7 lookups (still under limit)

Use Our SPF Checker to Count

The easiest way to see your total lookup count:

Check SPF Lookups →

This tool:

• Counts all lookups recursively
• Shows lookup tree structure
• Identifies which includes contribute most
• Warns if approaching or exceeding limit

Common Scenarios That Cause Too Many Lookups

Scenario 1: Multiple Email Service Providers

Problem: Using several email services

v=spf1 include:_spf.google.com include:spf.protection.outlook.com
include:servers.mcsv.net include:sendgrid.net include:mailgun.org
include:_spf.zendesk.com include:spf.mandrillapp.com ~all

Each include has nested lookups → easily exceeds 10

Scenario 2: Using mx Mechanism with Many MX Records

Problem: Large organizations with multiple MX records

v=spf1 mx include:_spf.google.com ~all

If you have 5 MX records:

• mx = 5 lookups (one per MX record)
• include:_spf.google.com = 4 lookups
• Total: 9 lookups (approaching limit)

Scenario 3: Legacy Services Still in SPF

Problem: Old includes from services you no longer use

v=spf1 include:service1.com include:service2.com include:service3.com ...

Over time, includes accumulate but are never removed.

Solutions to Fix Too Many Lookups

Solution 1: Remove Unused Includes

Easiest and safest solution

Steps:

1. Identify all email sources

   • Check DMARC reports (if already collecting)
   • Review recent sent emails
   • Audit active email integrations

2. Remove unused includes

   • Old marketing platforms
   • Deprecated transactional services
   • Test systems no longer in use

3. Test thoroughly

   • Send emails from all active sources
   • Verify SPF still passes

Example:

❌ Before (12 lookups):

v=spf1 include:_spf.google.com include:mailgun.org
include:oldservice.com include:unused.com include:sendgrid.net ~all

✅ After (8 lookups):

v=spf1 include:_spf.google.com include:mailgun.org include:sendgrid.net ~all

Solution 2: Replace Includes with IP Addresses (SPF Flattening)

Convert include: to ip4: or ip6: ranges

Advantages:

• IP addresses don't count as lookups
• Reduces lookup count significantly

Disadvantages:

• Must update when provider changes IPs
• Loses automatic updates from provider
• Requires monitoring

Example flattening:

❌ Before:

v=spf1 include:servers.mcsv.net ~all

(servers.mcsv.net resolves to multiple IPs and includes)

✅ After (flattened):

v=spf1 ip4:198.2.128.0/24 ip4:198.2.129.0/24 ip4:205.201.128.0/24 ~all

(No lookups for IP addresses)

How to flatten:

Manual method:

1. Look up IPs for the included domain

   dig +short include:servers.mcsv.net TXT
   nslookup -type=TXT servers.mcsv.net

2. Extract IP ranges
3. Replace include: with ip4: entries

Automated tools:

• SPF flattening services (automatically update)
• MXToolbox SPF Flattening
• Our SPF Checker shows IP ranges

Warning: Flattened SPF records become outdated when providers change IPs. Set reminders to review quarterly.

Solution 3: Consolidate Email Providers

Reduce number of services sending email from your domain

Steps:

1. Audit current providers:

   • Marketing: Mailchimp, Klaviyo, HubSpot?
   • Transactional: SendGrid, Mailgun, SES?
   • Support: Zendesk, Freshdesk, Help Scout?

2. Consolidate where possible:

   • Use one marketing platform instead of three
   • Route transactional through single provider
   • Use email provider's built-in features

Example:

❌ Before:

• Google Workspace for business email
• Mailchimp for newsletters
• SendGrid for transactional
• Zendesk for support tickets
• Mailgun for marketing automation

✅ After:

• Google Workspace for business email
• Mailchimp for newsletters (also handles transactional and automation)
• Zendesk for support (using Mailchimp DKIM for notifications)

Result: Reduced from 5 includes to 2

Solution 4: Use Subdomains for Different Functions

Send different types of email from subdomains

Strategy:

• yourdomain.com: Business email only
• marketing.yourdomain.com: Marketing emails
• transactional.yourdomain.com: Order confirmations, notifications

SPF records:

Main domain (simple):

v=spf1 include:_spf.google.com ~all

(2 lookups)

Marketing subdomain:

v=spf1 include:servers.mcsv.net include:spf.klaviyo.com ~all

(4 lookups)

Transactional subdomain:

v=spf1 include:sendgrid.net ~all

(2 lookups)

Advantages:

• Each domain under 10 lookups
• Better segmentation
• Isolates reputation

Disadvantages:

• Requires DNS configuration for each subdomain
• May need to update email templates
• More complex setup

Solution 5: Remove mx Mechanism

Replace mx with explicit IP addresses

❌ Before:

v=spf1 mx include:_spf.google.com ~all

(If 5 MX records: 5 lookups from mx alone)

✅ After:

v=spf1 ip4:192.0.2.1 include:_spf.google.com ~all

(0 lookups for IP, more control)

When to remove mx:

• You have many MX records
• You know your outbound mail server IPs
• MX servers aren't used for sending (only receiving)

Step-by-Step Fix Guide

Step 1: Check Current Lookup Count

Run SPF Checker →

Note:

• Total lookup count
• Which includes contribute most lookups
• Any nested includes

Step 2: Identify Unused Services

Review your SPF includes:

• Google Workspace / Microsoft 365: Still used?
• Marketing platform: Active?
• Transactional email service: Sending?
• Support system: Configured?
• Other includes: Recognized?

Step 3: Remove Unused Includes

Update SPF record, removing services you don't use:

1. Log in to DNS provider
2. Find SPF TXT record
3. Remove unused include: entries
4. Save and wait 30 minutes for propagation

Step 4: Flatten Remaining Includes (If Needed)

If still over 10 lookups:

1. Identify candidates for flattening:

   • Services with static IPs
   • Rarely changing providers

2. Look up IP ranges:

   dig +short include:service.com TXT

3. Replace with IP addresses:

   include:service.com → ip4:192.0.2.0/24 ip4:198.51.100.0/24

4. Set calendar reminder to review quarterly

Step 5: Verify Fix

1. Check lookup count: SPF Checker → (Should be ≤10)

2. Send test emails:

   • From each email service
   • To Gmail, Outlook, Yahoo
   • Verify SPF passes

3. Monitor for a week:

   • Check for delivery issues
   • Review any bounce messages

Monitoring and Maintenance

Quarterly SPF Audit

Set calendar reminder every 3 months:

• Check SPF lookup count
• Verify all includes still needed
• Update flattened IPs if needed
• Test email delivery from all sources

When Adding New Services

Before adding new email service:

1. Check their SPF lookup count:

   dig +short include:newservice.com TXT

2. Calculate new total: Current lookups + new service lookups

3. If approaching limit:

   • Remove unused service
   • Flatten existing include
   • Use subdomain for new service

Set Up Alerts

Manual monitoring:

• Monthly SPF check
• Use our SPF Checker

Automated monitoring:

• DMARC reports show SPF failures
• Sign up for alerts

Advanced: SPF Macro Techniques

For complex scenarios, SPF macros can reduce lookups:

v=spf1 exists:%{i}._spf.yourdomain.com ~all

Warning: Requires DNS infrastructure to support, complex to implement. Only for advanced users.

The Bottom Line

SPF "too many DNS lookups" error means you've exceeded the 10 lookup limit.

Quick fixes (in order of ease):

1. Remove unused includes (easiest, safest)
2. Flatten some includes to IPs (moderate effort, requires maintenance)
3. Consolidate email providers (strategic, long-term)
4. Use subdomains (more setup, better organization)

Most common solution: Remove 2-3 old/unused includes

Timeline to fix:

• Identify unused services: 15 minutes
• Update SPF record: 5 minutes
• DNS propagation: 30 minutes
• Verification: 10 minutes

Total: ~1 hour

Next Steps

1. Check your SPF lookup count: SPF Checker →
2. Verify complete authentication: Domain Score →
3. Monitor ongoing: Start free trial → for automated SPF monitoring

---

Related Articles:

• SPF, DKIM, and DMARC: The Complete Guide
• Why Your Emails Are Going to Spam
• DMARC Record Not Found: How to Fix