What are the best practices for DNS lookups, SPF records, and subdomain usage for email deliverability?
Michael Ko
Co-founder & CEO, Suped
Published 17 May 2025
Updated 19 Aug 2025
7 min read
Achieving excellent email deliverability is a multi-faceted challenge, and at its core lies a solid DNS configuration. Incorrectly set up DNS records, particularly Sender Policy Framework (SPF) records, can significantly hinder your emails from reaching the inbox. A common hurdle many email senders encounter is the SPF DNS lookup limit, which, if exceeded, can cause legitimate emails to be flagged as spam or rejected entirely.
This guide will walk you through the essential best practices for managing your DNS lookups, optimizing SPF records, and strategically using subdomains to ensure your emails consistently land in recipients' inboxes, rather than their spam folders. We will explore how to navigate the complexities of email authentication to build and maintain a strong sending reputation.
Email deliverability relies heavily on proper DNS records. These records act like identity cards for your sending domains, telling recipient servers whether an email originating from your domain is legitimate or potentially forged. Key among these are SPF, DKIM, and DMARC, which collectively form a robust email authentication framework designed to prevent spoofing and phishing.
The Sender Policy Framework (SPF) record is a TXT record published in your DNS that lists the mail servers permitted to send email on behalf of your domain. When a recipient server receives an email, it performs an SPF check by looking up this record for the envelope sender (MAIL FROM, or Return-Path) domain. If the connecting server's IP address is not covered by the record, the result is "fail" or "softfail" depending on whether the record ends in `-all` or `~all`, and either can lead to delivery issues.
A critical aspect of SPF is the DNS lookup limit. RFC 7208 (section 4.6.4) caps the number of DNS-querying terms evaluated for one record at 10: the `a`, `mx`, `ptr`, `exists` and `include` mechanisms and the `redirect` modifier each count, and lookups made inside an included or redirected record count against the same budget. `ip4`, `ip6` and `all` cost nothing. The same section limits "void lookups" (queries that return no records at all) to two. Exceeding either limit produces a "PermError" (permanent error), and receivers then treat your SPF record as invalid.
A PermError means SPF yields no usable result even when the sending server is legitimate. Under DMARC the message then depends entirely on an aligned DKIM signature, and without one DMARC fails as well. Messages that fail authentication are far more likely to land in the spam folder or be rejected outright by mailbox providers such as Gmail and Microsoft, and a pattern of such failures feeds into blocklist (or blacklist) decisions. Maintaining a clean and compliant SPF record is therefore essential for robust email deliverability.
Every SPF record is limited to a maximum of 10 DNS lookups. `include`, `a`, `mx`, `ptr`, `exists` and `redirect` each cost one; `ip4`, `ip6` and `all` cost none. Surpassing this limit causes your SPF record to return a "PermError", rendering it ineffective and potentially leading to email rejection or misclassification as spam. Regularly review your SPF record to ensure compliance with this crucial limitation and maintain deliverability.
Strategic subdomain usage for email deliverability
Strategic use of subdomains can be a powerful tactic to manage your SPF DNS lookup count and improve email deliverability. Instead of sending all email traffic from your main domain (e.g., yourcompany.com), you can segment your email streams using different subdomains, such as marketing.yourcompany.com for campaigns and transactional.yourcompany.com for automated messages. This segmentation helps isolate your sender reputation.
One of the primary benefits of using subdomains is that each subdomain publishes its own independent SPF record, and the 10-lookup budget applies per record evaluated. Spreading vendors across subdomains therefore keeps any single record under the limit: the marketing subdomain's record carries only the marketing provider's `include`, while the transactional subdomain's record carries only the transactional provider's. The caveat is that SPF is evaluated against the envelope sender (the RFC 5321 MAIL FROM, or Return-Path, domain), not the visible From header, so the subdomain's record is only consulted if the provider actually uses that subdomain as its bounce address. Configure the provider's return-path (often called the bounce or envelope domain) accordingly, and keep DMARC alignment in mind: relaxed alignment, the DMARC default, treats marketing.yourcompany.com as aligned with a From header of yourcompany.com, so the split does not break DMARC.
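As an added illustration (constructed records, not from this page or from Suped), here is what that split looks like as a BIND-style zone fragment. The vendor include names and address ranges are placeholders:

```zone
; Constructed zone fragment for yourcompany.com (example data).
; The organizational domain keeps only its own mail servers and one vendor;
; each outsourced stream gets a subdomain with its own 10-lookup budget, and
; that subdomain must be the MAIL FROM (Return-Path) domain the vendor uses.
yourcompany.com.                IN TXT "v=spf1 mx include:_spf.helpdesk.example -all"
marketing.yourcompany.com.      IN TXT "v=spf1 include:_spf.esp.example -all"
transactional.yourcompany.com.  IN TXT "v=spf1 ip4:198.51.100.0/24 -all"
; Subdomains that never send should say so, giving receivers a definitive
; "fail" instead of "none" for anything forged from them.
intranet.yourcompany.com.       IN TXT "v=spf1 -all"
; One DMARC record at the organizational domain covers the subdomains (sp=
; sets the subdomain policy). Relaxed alignment, the default, accepts a
; MAIL FROM of marketing.yourcompany.com under a From: of yourcompany.com.
_dmarc.yourcompany.com.         IN TXT "v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc@yourcompany.com"
```

Each subdomain record here costs at most the lookups of its own vendor, and the organizational domain is no longer the sum of every vendor you have ever onboarded.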
However, it's crucial to understand that switching to a new subdomain, or even just adding a new one, can impact deliverability. Each new sending domain or subdomain needs to build its own sending reputation from scratch. This involves a warming-up process, gradually increasing email volume to establish trust with ISPs. Starting with low volumes and slowly scaling up helps build a positive reputation and prevents your emails from being flagged as suspicious. For more on this, consider when to use subdomains for sending.
Moreover, while subdomains offer flexibility, avoid using cousin domains, which are separate domains that look similar to your main one (e.g., your-company.com instead of yourcompany.com). These can be perceived as phishing attempts and severely damage your brand reputation.
Using your main domain
Utilizing your organizational domain (e.g., company.com) for all email, including marketing, leverages your established brand reputation. However, this approach carries a higher risk because poor email practices (e.g., high bounce rates, spam complaints) directly affect the primary domain's reputation, potentially impacting all email communications.
Reputation Impact: Any issues from marketing emails can directly harm your core domain's standing.
SPF Management: Can easily hit the 10 DNS lookup limit with multiple sending services.
Risk Level: Higher, as blacklisting (or blocklisting) impacts all email traffic.
Using subdomains
Employing subdomains (e.g., marketing.company.com) for distinct email types helps isolate sender reputation. For example, if your marketing emails encounter issues, it primarily affects the marketing subdomain's reputation, leaving your main domain's transactional email reputation intact. This also helps with SPF records for email marketing.
Reputation Impact: Issues are contained to the specific subdomain, protecting the main domain.
SPF Management: Each subdomain gets its own SPF record with its own 10-lookup budget, so the limit is much easier to stay within.
Risk Level: Lower for the main brand, as only the specific subdomain is affected by blocklisting.
Optimizing your SPF record and DNS for deliverability
To effectively manage your SPF record and DNS lookups, prioritize minimizing the number of `include` mechanisms. Each `include` statement requires an additional DNS lookup, quickly contributing to the 10-lookup limit. If you use multiple third-party email service providers, consolidate them where possible or consider alternatives that allow you to specify IP addresses directly rather than domain names that require further lookups. For a deeper dive into mitigating this, refer to this guide on SPF DNS lookup limits.
For organizations with a large number of sending sources, flattening your SPF record can be an effective strategy. SPF flattening resolves every `include` (and `a`/`mx`) mechanism to the IP addresses or CIDR blocks it authorizes and lists those directly, so the record costs no lookups at all. Two caveats apply. First, the flattened record is a snapshot: when a provider adds servers, your SPF silently stops covering them until you regenerate it, so automate the refresh and diff the output rather than maintaining it by hand. Second, the record must stay small: RFC 7208 advises keeping the whole TXT answer under 512 bytes so it fits in a single UDP response, and each TXT string is capped at 255 characters, so longer records have to be split into multiple strings. Alternatively, if your email volume justifies it, using dedicated IP addresses for different email streams (e.g., marketing vs. transactional) simplifies SPF considerably, since each stream then needs only one or two `ip4` entries.
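An added example, not from this page or from Suped, that does both jobs described above offline: it counts the lookups a record needs the way an RFC 7208 receiver does, raising PermError past 10 lookups or past 2 void lookups, and it flattens a record to `ip4`/`ip6` terms with adjacent ranges collapsed. The domain names, records and addresses are constructed for the example (documentation ranges, no real providers); a real tool would replace the TXT, A and MX dictionaries with live DNS queries.

```python
"""Offline SPF lookup counter and flattener. RFC 7208 section 4.6.4 rules:
a, mx, ptr, exists, include and redirect each cost one DNS lookup, a record
may spend at most 10, and at most 2 of those may return nothing ("void").
The TXT, A and MX data below are constructed for this example; no network."""
import ipaddress

MAX_LOOKUPS, MAX_VOID = 10, 2

class PermError(Exception): """The record cannot be evaluated; receivers treat it as invalid."""

# Constructed DNS answers: yourcompany.com carries every vendor include on the
# organizational domain; the subdomains split the same vendors up.
TXT = {
    "yourcompany.com": "v=spf1 mx include:_spf.crm.example include:_spf.esp.example "
                       "include:_spf.helpdesk.example -all",
    "marketing.yourcompany.com": "v=spf1 include:_spf.esp.example -all",
    "transactional.yourcompany.com": "v=spf1 include:_spf.crm.example -all",
    "legacy.yourcompany.com": "v=spf1 a:old1.example a:old2.example a:old3.example -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 include:_spf-a.crm.example "
                        "include:_spf-b.crm.example -all",
    "_spf-a.crm.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "_spf-b.crm.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "_spf.esp.example": "v=spf1 include:spf1.esp.example include:spf2.esp.example -all",
    "spf1.esp.example": "v=spf1 ip4:192.0.2.0/24 a:mail.esp.example -all",
    "spf2.esp.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.helpdesk.example": "v=spf1 include:_spf.support-platform.example -all",
    "_spf.support-platform.example": "v=spf1 ip4:198.51.100.200 mx -all",
}
A = {"mail.esp.example": ["192.0.2.25"], "mx1.yourcompany.com": ["192.0.2.10"],
     "mx.support-platform.example": ["198.51.100.201"]}
MX = {"yourcompany.com": ["mx1.yourcompany.com"],
      "_spf.support-platform.example": ["mx.support-platform.example"]}

class Walker:
    # Charges every lookup-bearing term: the worst case a validator counts. A
    # receiver stops at the first matching term, so one message may use fewer.
    def __init__(self):
        self.lookups = self.void = 0
        self.networks = []  # ip4/ip6 terms plus resolved a/mx hosts, for flattening
        self.kept = []      # ptr/exists terms: they cost a lookup but have no IP form

    def charge(self, answer):
        """Account for one DNS lookup; an empty answer is a void lookup."""
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise PermError(f"more than {MAX_LOOKUPS} DNS lookups")
        if not answer:
            self.void += 1
            if self.void > MAX_VOID:
                raise PermError(f"more than {MAX_VOID} void lookups")
        return answer or []

    def walk(self, domain):
        terms = (TXT.get(domain) or "").split()
        if not terms or terms[0] != "v=spf1":
            raise PermError(f"{domain}: no usable SPF record")
        for term in (t.lstrip("+-~?") for t in terms[1:]):  # qualifiers cost nothing
            name, _, arg = term.partition(":")
            if name.startswith("redirect="):  # modifier; counted like an include here
                self.charge(TXT.get(name[9:]))  # (strictly ignored when all is present)
                self.walk(name[9:])
            elif "=" in name:                 # exp= and other modifiers: no lookup
                continue
            elif name in ("ip4", "ip6"):
                self.networks.append(ipaddress.ip_network(arg, strict=False))
            elif name == "include":           # including a domain with no record is PermError
                self.charge(TXT.get(arg))
                self.walk(arg)
            elif name == "a":                 # bare a/24 dual-CIDR form not handled
                host, _, cidr = (arg or domain).partition("/")
                for ip in self.charge(A.get(host, [])):
                    self.networks.append(ipaddress.ip_network(f"{ip}/{cidr}" if cidr else ip, strict=False))
            elif name == "mx":                # one charge; A lookups of the MX hosts are free
                for host in self.charge(MX.get(arg.split("/")[0] or domain, [])):
                    self.networks.extend(ipaddress.ip_network(ip) for ip in A.get(host, []))
            elif name in ("ptr", "exists"):
                self.charge(["counted"])
                self.kept.append(term)
            elif name == "all":
                break                         # terms after all are never evaluated

def flatten(walker):
    """Record rewritten with include/a/mx replaced by the address space they
    authorize, adjacent ranges collapsed. It is a snapshot: regenerate it when a
    vendor changes its ranges, or SPF silently stops covering their new servers."""
    parts = []
    for version in (4, 6):
        for n in ipaddress.collapse_addresses([n for n in walker.networks if n.version == version]):
            parts.append(f"ip{version}:" + (str(n.network_address) if n.prefixlen == n.max_prefixlen
                                            else n.with_prefixlen))
    return "v=spf1 " + " ".join(parts + walker.kept + ["-all"])

def audit(domain):
    """(lookups, flattened record, None), or (None, None, reason) on PermError."""
    w = Walker()
    try:
        w.walk(domain)
    except PermError as e:
        return None, None, str(e)
    return w.lookups, flatten(w), None
```

Calling `audit("yourcompany.com")` on this data reports a PermError at the eleventh lookup, while `audit("marketing.yourcompany.com")` and `audit("transactional.yourcompany.com")` come back with 4 and 3 lookups and flattened records of two `ip4`/`ip6` terms each (the two /25 ranges collapse into one /24). `legacy.yourcompany.com` stays well under 10 lookups but trips the void-lookup limit, a failure mode most online checkers do not flag.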
Regular auditing of your DNS records is non-negotiable. Email service providers and even your own sending infrastructure can change their IP ranges, invalidating existing SPF entries. Periodically review your SPF, DKIM, and DMARC records to ensure they accurately reflect your current sending setup. This proactive approach helps prevent unexpected deliverability issues and protects your sender reputation. It's also wise to implement blocklist monitoring to quickly identify if your IP or domain gets listed.
Finally, ensure that your email authentication standards, including SPF, DKIM, and DMARC, are robustly implemented. These protocols work together to verify the legitimacy of your emails and are increasingly critical for achieving high inbox placement rates, especially with new requirements from major mailbox providers. Refer to our best practices for setting up email authentication.
| Mechanism | Description | DNS lookup impact |
| --- | --- | --- |
| `a` | Matches if the sender IP is among the A/AAAA records of the named domain (the current domain when none is given). | 1 lookup |
| `mx` | Matches if the sender IP is among the addresses of the named domain's MX hosts (current domain by default). | 1 lookup; the A lookups of the MX hosts are not charged, but RFC 7208 caps them at 10 |
| `ptr` | Reverse-maps the sender IP and checks that the resulting name resolves back to it. RFC 7208 says it SHOULD NOT be used: slow, unreliable and easy to abuse. | 1 lookup |
| `exists` | Matches if the named domain (usually built from an SPF macro) has any A record. | 1 lookup |
| `include` | Evaluates another domain's SPF record; a match there is a match here. Lookups inside the included record count against the same budget. | 1 lookup per `include`, plus whatever the included record spends |
| `redirect=` | A modifier, not a mechanism: replaces the current record with another domain's. Ignored if the record contains `all`. | 1 lookup |
| `ip4` / `ip6` | Lists authorized IP addresses or CIDR ranges directly. | 0 lookups |
| `all` | Matches everything; its qualifier (`-all`, `~all`) sets the result for senders nothing else matched. | 0 lookups |
Regularly audit your SPF records
Perform monthly or quarterly reviews of your SPF record. This practice helps ensure it remains compliant with the 10-lookup limit and accurately reflects all authorized sending sources. Validate your SPF records frequently to avoid DNS lookup errors and remove any outdated or unused IP addresses and includes.
Views from the trenches
Best practices
Use subdomains for different email streams, especially for marketing emails, to isolate sending reputation and manage SPF lookups effectively.
Regularly audit your SPF records to ensure they do not exceed the 10 DNS lookup limit and accurately reflect all authorized sending sources.
Implement DMARC alongside SPF and DKIM for comprehensive email authentication and to gain visibility into your email sending practices.
Warm up new subdomains or sending IPs gradually by starting with low volumes and slowly increasing them to build a positive sender reputation with mailbox providers.
Common pitfalls
Exceeding the 10 DNS lookup limit in your SPF record, which leads to a "PermError" and causes SPF authentication failures.
Using "cousin domains" that look similar to your main brand but are distinct, as this can be perceived as phishing and damage your brand's trust.
Switching sending domains or subdomains without proper planning and warming up, which can negatively impact deliverability due to a lack of established reputation.
Not pruning your SPF record: an `include` for a vendor you stopped using still authorises that vendor's entire IP space to send as your domain, a stale `ip4` entry does the same for whoever holds that address now, and every unused entry also wastes lookups.
Expert tips
Consider replacing 'include' mechanisms with specific IP addresses in your SPF record where feasible to reduce DNS lookup count, though this requires more maintenance.
If your volume is low (e.g., 10k emails/month), a shared IP may be more suitable initially, as dedicated IPs require consistent volume to maintain a good reputation.
There's no single universal answer; the best approach depends on your specific sending volume, infrastructure, and risk tolerance.
Always handle bounces and complaints diligently, regardless of whether you're using a main domain or a subdomain, as these directly affect deliverability.
Expert view
Expert from Email Geeks says there is no single answer for every situation when it comes to DNS records and deliverability, as specific details matter.
2019-09-30 - Email Geeks
Marketer view
Marketer from Email Geeks says that changing 'include' parts to specific IP addresses can sometimes work, and using a subdomain is generally a correct solution to the SPF lookup limit issue.
2019-09-30 - Email Geeks
Navigating DNS for optimal email delivery
Mastering DNS lookups, optimizing SPF records, and strategically leveraging subdomains are fundamental pillars of successful email deliverability. By understanding the critical 10 DNS lookup limit for SPF and implementing proactive management strategies, you can significantly enhance your sender reputation and ensure your emails reach their intended recipients.
A well-configured DNS infrastructure not only boosts deliverability but also strengthens your domain's defense against spoofing and phishing attacks. Continuously monitor your email performance and DNS settings to adapt to evolving email ecosystem requirements and maintain optimal inbox placement.