The SPF 10-lookup limit is one of the most frustrating constraints in email authentication. This hard limit, defined in RFC 7208, means your SPF record can trigger a maximum of 10 DNS lookups before failing validation—even if all your sending sources are legitimate.
For organizations using multiple email services (Office 365, Google Workspace, marketing platforms, CRM systems, help desks), hitting this limit is almost inevitable. This guide explains why the limit exists, how to count your lookups, and proven strategies for staying under the limit without compromising email deliverability.
Understanding the 10-Lookup Limit
📊 What Counts as a Lookup?
Any SPF mechanism that requires a DNS query counts toward the limit: include:, a:, mx:, exists:, and redirect:.
Why Does This Limit Exist?
The 10-lookup limit was designed to prevent:
- Infinite recursion: SPF records that reference each other in loops
- DNS amplification attacks: Malicious records causing excessive DNS queries
- Performance degradation: Email servers spending too much time on SPF validation
- Resource exhaustion: DNS servers being overwhelmed by SPF lookups
While well-intentioned, this limit creates real challenges for legitimate organizations with complex email infrastructure.
What Happens When You Exceed 10 Lookups?
🚨 SPF PermError Result
When your SPF record exceeds 10 lookups, receiving mail servers return SPF PermError (permanent error). This is treated as an SPF fail.
Impact: Your legitimate email may be rejected or marked as spam, even though your sending sources are authorized.
Counting Your SPF Lookups
Not all SPF mechanisms count as lookups. Here's the definitive breakdown:
| Mechanism | Counts as Lookup? | Notes |
|---|---|---|
| ip4:192.0.2.1 | NO | Direct IP, no DNS lookup needed |
| ip6:2001:db8::/32 | NO | Direct IPv6, no DNS lookup |
| include:_spf.example.com | YES (1+) | Counts as 1, plus any lookups in the included record |
| a:mail.example.com | YES | DNS A/AAAA record lookup |
| mx:example.com | YES | DNS MX record lookup |
| exists:%{i}.spamhaus.org | YES | DNS existence check |
| redirect=_spf.example.com | YES (1+) | Counts as 1, plus lookups in redirected record |
| ~all | NO | Qualifier, no lookup |
Example: Counting a Real SPF Record
Example SPF Record:
v=spf1 ip4:192.0.2.0/24
include:_spf.google.com
include:spf.protection.outlook.com
include:sendgrid.net
include:_spf.salesforce.com
include:mail.zendesk.com
a:mail.example.com
~allLookup Count Breakdown:
- • ip4:192.0.2.0/24 = 0 lookups
- • include:_spf.google.com = 3 lookups (1 for include + 2 nested)
- • include:spf.protection.outlook.com = 2 lookups (1 + 1 nested)
- • include:sendgrid.net = 2 lookups (1 + 1 nested)
- • include:_spf.salesforce.com = 1 lookup
- • include:mail.zendesk.com = 1 lookup
- • a:mail.example.com = 1 lookup
- • ~all = 0 lookups
Total: 10 lookups (at the limit!)
⚠️ Nested Includes Count Too!
When you include another domain's SPF record, all lookups within that record also count toward your 10-lookup limit. This is why include:_spf.google.com actually costs 3 lookups, not 1.
Optimization Strategies
Strategy 1: Replace Includes with Direct IPs
How it works: Instead of including a third-party SPF record, add their IP addresses directly to your record.
❌ Before (3 lookups)
include:sendgrid.net✅ After (0 lookups)
ip4:167.89.0.0/17
ip4:168.245.0.0/16Pros: Significantly reduces lookup count
Cons: Requires manual updates if provider changes IPs (rare but possible); increases record size
💡 Best for: Static IP providers
Marketing platforms and transactional email services typically have stable IP ranges published in their documentation. Check provider docs or use nslookup to get current IPs.
Strategy 2: SPF Delegation with Subdomains
How it works: Move your SPF record to a subdomain and reference it with a CNAME. Each subdomain gets its own 10-lookup budget.
DNS Configuration:
# Main domain SPF (minimal)
example.com. TXT "v=spf1 include:_spf.example.com ~all"
# Delegated SPF subdomain (full record)
_spf.example.com. TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:sendgrid.net ... ~all"Pros: Clean separation; easier management; main domain record stays simple
Cons: Requires DNS management capability; adds one lookup to main domain
Strategy 3: Use Separate Subdomains for Different Services
How it works: Send marketing/transactional email from subdomains, each with its own SPF record and 10-lookup budget.
Primary Domain (example.com)
Used for: Office 365, Google Workspace (employee email)
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~allLookup count: 5
Marketing Subdomain (news.example.com)
Used for: SendGrid, Mailchimp (newsletters)
v=spf1 include:sendgrid.net include:servers.mcsv.net ~allLookup count: 4
Transactional Subdomain (app.example.com)
Used for: Application notifications, password resets
v=spf1 ip4:192.0.2.0/24 include:_spf.salesforce.com ~allLookup count: 2
Pros: Each subdomain has full 10-lookup budget; cleaner organization; easier troubleshooting
Cons: Requires updating "From:" addresses in email services; may confuse recipients initially
Strategy 4: IP Netblock Consolidation
How it works: Combine multiple individual IPs into CIDR netblocks to reduce record size.
❌ Before
ip4:192.0.2.1
ip4:192.0.2.2
ip4:192.0.2.3
ip4:192.0.2.4✅ After
ip4:192.0.2.0/30Note: This doesn't reduce lookups (IPs don't count as lookups), but reduces overall SPF record size, which has a 255-character limit per string.
Strategy 5: Remove Unused Services
The simplest optimization: audit your SPF record and remove services you no longer use.
🔍 SPF Audit Checklist
- Review each include/IP in your SPF record
- Verify the service is still actively sending email
- Check DMARC reports to confirm recent email volume
- Remove any services decommissioned or migrated
- Test after removal to ensure no legitimate email breaks
Strategy 6: SPF Flattening Services (Use with Caution)
How it works: Third-party services automatically resolve includes to IPs and update your SPF record.
Popular services: AutoSPF, EasySPF, dmarcian
✅ Pros
- Automated IP resolution
- Automatic updates when providers change IPs
- Significantly reduces lookup count
- Monitoring and alerts included
❌ Cons
- Additional cost (typically $20-100/month)
- Adds dependency on third-party service
- DNS changes controlled by external service
- Potential propagation delays
Common Mistakes to Avoid
❌ Mistake #1: Not Testing Before Deployment
Always test SPF changes in a staging domain first. Use tools like mxtoolbox.com/spf.aspx to validate lookup count before updating production.
❌ Mistake #2: Forgetting Nested Lookups
When you include another domain's SPF, all their lookups count against your limit. Always check nested lookup depth.
❌ Mistake #3: Hardcoding IPs Without Monitoring
If you replace includes with direct IPs, set calendar reminders to check if provider IPs have changed. Sign up for provider IP change notifications.
❌ Mistake #4: Exceeding the 255-Character String Limit
SPF records can span multiple TXT strings, but each string has a 255-character limit. This is separate from the 10-lookup limit.
❌ Mistake #5: Multiple SPF Records
Only one SPF record per domain! Multiple TXT records starting with "v=spf1" causes all of them to be ignored.
Tools for SPF Optimization
MxToolbox SPF Checker
Free tool to check SPF records, count lookups, and identify issues.
mxtoolbox.com/spf.aspxDMARC Busta SPF Analyzer
Automated SPF analysis with optimization recommendations and monitoring.
Recommendeddmarcian SPF Surveyor
Visualizes SPF record structure and nested includes with lookup count.
dmarcian.com/spf-surveyEasySPF
Automated SPF flattening service with monitoring and alerts.
Paid ServiceReal-World Example: Optimization in Action
Before Optimization (13 lookups - FAILING)
v=spf1
include:_spf.google.com # 3 lookups
include:spf.protection.outlook.com # 2 lookups
include:sendgrid.net # 2 lookups
include:_spf.salesforce.com # 1 lookup
include:mail.zendesk.com # 1 lookup
include:servers.mcsv.net # 2 lookups
a:mail.example.com # 1 lookup
mx:example.com # 1 lookup
~all
Total: 13 lookups (EXCEEDS LIMIT)After Optimization (7 lookups - PASSING)
# Main domain (example.com)
v=spf1
include:_spf.google.com # 3 lookups
include:spf.protection.outlook.com # 2 lookups
ip4:192.0.2.0/24 # 0 lookups (own servers)
include:_spf.example.com # 2 lookups (delegated)
~all
Total: 7 lookups
# Delegated subdomain (_spf.example.com)
v=spf1
include:_spf.salesforce.com # 1 lookup
include:mail.zendesk.com # 1 lookup
~all
Total: 2 lookups (under main domain's include)
# Marketing subdomain (news.example.com)
v=spf1
include:sendgrid.net # 2 lookups
include:servers.mcsv.net # 2 lookups
~all
Total: 4 lookups (separate subdomain)Optimizations Applied:
- Replaced a: and mx: with direct ip4: (saved 2 lookups)
- Created delegated subdomain for Salesforce/Zendesk (saved 2 lookups)
- Moved marketing services to subdomain (saved 4 lookups)
- Result: 13 → 7 lookups on main domain
Conclusion
The SPF 10-lookup limit is frustrating, but with proper planning and optimization, it's entirely manageable. The key is to:
- Regularly audit your SPF record and remove unused services
- Replace high-lookup includes with direct IPs where practical
- Use subdomain delegation to separate email services
- Monitor your lookup count with automated tools
- Test all changes before deploying to production
Remember: staying under 10 lookups isn't just about compliance—it's about ensuring your legitimate email is delivered reliably without SPF failures that could harm your sender reputation.
Automate SPF Optimization
DMARC Busta automatically monitors your SPF lookup count, identifies optimization opportunities, and alerts you before you hit the limit.
Start Free Trial
