Suped

What is the maximum number of DNS lookups allowed in an SPF record?

The maximum number of DNS lookups allowed in a single SPF record check is 10. This is a hard limit defined in the Sender Policy Framework (SPF) specification, RFC7208. It's a common stumbling block for many businesses as they start using more third-party services to send email on their behalf.

Cloudflare Docs (developers.cloudflare.com) says:
SPF must limit the number of DNS lookups to 10 per SPF check. If your SPF records exceed this number, your emails might not reach their destination.

Every time you add a new service like a helpdesk, CRM, or marketing platform to your SPF record, you're likely adding another lookup. Before you know it, you've gone past the limit, and your SPF record becomes invalid, which can seriously harm your email deliverability.


Why is there a 10 lookup limit?

The limit isn't arbitrary. It exists primarily for security and performance reasons. When a receiving mail server checks an incoming email, it has to perform a series of DNS lookups to validate the sender's SPF record. Without a limit, a malicious actor could craft a complex SPF record that forces the receiving server to perform an excessive number of DNS queries.

AutoSPF (autospf.com) says:
The maximum limit of unique DNS lookups per SPF record is 10. Here's why there's a constraint on SPF DNS lookups: DDOS protection.

This could be used to launch a Distributed Denial of Service (DDoS) attack against the server or its DNS resolvers. As noted in the SPF specification (RFC7208), the limit is there to stop senders from placing an unreasonable load on the validating server. It ensures that SPF checks remain fast and efficient, preventing delays in email processing.

What counts as a DNS lookup in SPF?

Not every part of an SPF record counts towards the 10-lookup limit. It's important to understand which mechanisms trigger a DNS query. The mechanisms that count are those that require looking up another DNS record:

  • include: This is the most common cause of lookup issues. Each include statement in your record counts as one lookup. Furthermore, if the included record itself contains more lookups, those also count towards your total.
  • a: Counts as one lookup to find the A or AAAA record of a specific domain.
  • mx: Counts as one lookup to find the MX records for a domain, plus an additional lookup for each MX record found.
  • ptr: This mechanism is deprecated and strongly discouraged, but it performs a reverse DNS lookup and counts towards the limit.
  • exists: Performs a DNS A record lookup and counts as one lookup.

Mechanisms like ip4, ip6, and all do not perform any DNS lookups and therefore do not count towards the limit.
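The counting rules above, as an added runnable illustration that is not code from the article or from Suped: the script walks a record the way a validating server would, charging one lookup for each include, a, mx, ptr, exists and redirect term, following include and redirect into the referenced records, and raising the PermError once the total passes 10. The zone contents and domain names are constructed so it runs offline; the mx term is charged once and the separate per-MX-host address lookups are not modelled.

```python
import re

# Constructed sample zone (domain names and records are assumptions, not real DNS).
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:crm.example a mx ip4:203.0.113.0/24 -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example -all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.mail.example": "v=spf1 a:relay.mail.example exists:%{i}.check.mail.example -all",
    "crm.example": "v=spf1 mx:crm.example -all",
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one lookup
FREE_TERMS = {"ip4", "ip6", "all", "exp"}                              # no lookup charged
LIMIT = 10
# qualifier, name, optional ':'/'=' + argument (stops at a CIDR slash), optional CIDR
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:([:=])([^/]*))?(?:/\d+(?://\d+)?)?$", re.I)

def count_lookups(domain, zone=ZONE, chain=()):
    """Return the number of lookup-triggering terms reached from domain's SPF record.
    include: and redirect= are followed recursively and their lookups added to the total.
    Raises ValueError with a PermError message for loops, missing records or > LIMIT."""
    if domain in chain:
        raise ValueError(f"PermError: include loop via {' -> '.join(chain + (domain,))}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"PermError: no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"PermError: unparsable term {term!r} in {domain}")
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
        if name in LOOKUP_TERMS:
            total += 1
        elif name not in FREE_TERMS and sep != "=":  # unknown mechanism; unknown modifiers are ignored
            raise ValueError(f"PermError: unknown mechanism {name!r} in {domain}")
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, chain + (domain,))
        if total > LIMIT:
            raise ValueError(f"PermError: too many DNS lookups ({total} > {LIMIT})")
    return total

def check_record(domain, zone=ZONE):
    """Summarise as ('ok', lookups_used) or ('permerror', reason) for a quick audit."""
    try:
        return ("ok", count_lookups(domain, zone))
    except ValueError as err:
        return ("permerror", str(err))
```

For the constructed example.com record the audit returns ('ok', 9): the two includes alone account for 7 of the 10 lookups, which is exactly the hidden cost of nested includes the article warns about.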

What happens when you exceed the limit?

When a receiving mail server evaluates an SPF record and finds that it requires more than 10 DNS lookups, it immediately stops processing and returns a permanent error, often called a "PermError".

Email Deliverability and Automation Expert (hand-delivered.email) says:
Exceeding the 10 DNS Lookup limit results in a 'PermError SPF permanent error: too many DNS lookups.' This invalidates your SPF record, leading...

This PermError invalidates your entire SPF record. From the perspective of the receiving server, it's as if you have no SPF record at all. As a result, your DMARC alignment for SPF will fail. If your DKIM signature also fails or is not present, your emails are much more likely to be rejected or sent to the spam folder, as DuoCircle explains. This is a critical deliverability issue that can go unnoticed until you start seeing widespread delivery problems.

How can you stay within the 10 lookup limit?

Managing your SPF record to stay under the limit is an ongoing process, especially for growing businesses. Here are some effective strategies:

  • Audit and remove unused services: Regularly review your SPF record. If you no longer use a service that's listed in an include mechanism, remove it. This is the simplest way to free up lookups.
  • Use subdomains: A highly recommended approach is to assign different subdomains to different sending services. For example, instead of having all services on your main domain, you can have your marketing emails sent from news.yourdomain.com and transactional emails from support.yourdomain.com. Each subdomain gets its own SPF record with its own 10-lookup limit.
  • Avoid nested includes: Be cautious of services whose SPF records themselves contain multiple include statements (like Microsoft 365). These can quickly consume your lookup budget.
  • Use IP addresses directly: If a third-party service provides you with a static IP address to send from, use the ip4 or ip6 mechanism instead of include. This adds the source directly without consuming a DNS lookup.
