Quick Answer

SPF allows a maximum of 10 DNS lookups across all mechanisms (include, a, mx, exists). Exceeding this limit causes a 'permerror' — SPF fails for ALL email from your domain, silently. Google Workspace alone uses 3-4 lookups. Add 3 more services and you're at the limit. Fix: 1) Remove includes for services you no longer use, 2) Use subdomain delegation (different subdomains with separate SPF records), 3) SPF flattening (replace includes with IP addresses using a tool like AutoSPF). Subdomain delegation is the most reliable long-term solution.

SPF 10 DNS Lookup Limit: What It Is and How to Fix It

By Braedon·Mailflow Authority·Email Authentication·Updated 2026-03-31

The Problem

Modern businesses use multiple email services:

ServiceSPF IncludeLookup Cost
Google Workspaceinclude:_spf.google.com3-4 lookups
SendGridinclude:sendgrid.net1 lookup
Klaviyoinclude:_spf.klaviyo.com1-2 lookups
HubSpotinclude:spf.hubspot.com2 lookups
Zendeskinclude:mail.zendesk.com1-2 lookups
Total8-11 lookups

At 5 services, you're at or over the limit. Add one more and SPF breaks for everything.

How to Count Lookups

Quick Method: MXToolbox

  1. Go to mxtoolbox.com/spf.aspx
  2. Enter your domain
  3. Look at "Lookup count" in the results
  4. If > 10: you have a problem

Manual Method: Follow the Chain

v=spf1 include:_spf.google.com include:sendgrid.net -all

include:_spf.google.com → 1 lookup
  → _spf.google.com includes _netblocks.google.com → 1 lookup
  → _spf.google.com includes _netblocks2.google.com → 1 lookup  
  → _spf.google.com includes _netblocks3.google.com → 1 lookup
include:sendgrid.net → 1 lookup

Total: 5 lookups for just 2 services

Solution 1: Prune Unused Includes

The simplest fix. Remove services you no longer use:

  1. List every include: in your SPF record
  2. For each: "Do we still send email through this service?"
  3. Remove includes for inactive services
  4. Save the updated record
  5. Verify with MXToolbox

Common orphaned includes: old ESPs you migrated away from, deactivated CRM tools, test services that were never removed.

Solution 2: Subdomain Delegation (Best Long-Term)

Route different services through different subdomains. Each gets its own SPF.

Root domain:

yourdomain.com TXT v=spf1 include:_spf.google.com -all

3-4 lookups. Room to spare.

Marketing subdomain:

marketing.yourdomain.com TXT v=spf1 include:_spf.klaviyo.com -all

1-2 lookups. Separate budget.

Transactional subdomain:

mail.yourdomain.com TXT v=spf1 include:sendgrid.net -all

1 lookup. Separate budget.

Support subdomain:

support.yourdomain.com TXT v=spf1 include:mail.zendesk.com -all

1-2 lookups. Separate budget.

Each subdomain stays well under 10 lookups. No conflicts. Clean isolation.

Trade-off: Your From: address becomes [email protected] instead of [email protected]. The deliverability benefit outweighs the branding adjustment.

Full guide: SPF, DKIM, DMARC for multiple senders.

Solution 3: SPF Flattening

Replace include: mechanisms with the resolved IP addresses:

Before flattening (5+ lookups):

v=spf1 include:_spf.google.com include:sendgrid.net -all

After flattening (0 lookups for IPs):

v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ip4:167.89.0.0/17 -all

The catch: ESP IPs change periodically. If SendGrid adds new IPs and your flattened record doesn't include them, those emails fail SPF.

Flattening tools:

  • AutoSPF: Automated flattening with automatic updates
  • EasyDMARC: SPF management with flattening
  • dmarcian: SPF flattening as part of their platform

These tools re-flatten automatically when IPs change. Essential if using flattening.

Recommendation: Subdomain delegation is more reliable. Flattening is a workaround when subdomains aren't feasible.

Checking for Permerror

If your SPF exceeds 10 lookups, you have a permerror right now. Check:

  1. MXToolbox SPF Lookup → shows "Too many DNS lookups" error
  2. Send test email to Gmail → Show Original → check for spf=permerror
  3. DMARC reports → SPF result shows permerror for all senders

If you find permerror: Fix immediately. SPF is failing for ALL your email. Every email you send has broken authentication.

Practitioner note: The 10-lookup limit is the most common SPF issue I fix. Businesses add services over years without checking lookup count. The SPF record works fine with 3 services. They add a 4th and 5th over two years. On the 6th, they hit 11 lookups. SPF silently fails. Deliverability drops for weeks before anyone notices. Check your lookup count today.

Practitioner note: I recommend subdomain delegation over flattening for almost every client. Flattening requires ongoing maintenance (IP changes) and introduces a dependency on a third-party tool. Subdomain delegation is static — once configured, it doesn't need updates unless you change services.

If you're hitting the SPF lookup limit and need help designing the right solution, schedule a consultation.

Sources

  • RFC 7208: SPF (Section 4.6.4 — DNS Lookup Limits)
  • MXToolbox: SPF Lookup

v1.0 · March 2026

Frequently Asked Questions

How do I count my SPF lookups?

Use MXToolbox SPF Lookup (mxtoolbox.com/spf.aspx). Enter your domain — it counts total lookups including nested includes. Each include:, a, mx, and exists mechanism costs at least 1 lookup. ip4: and ip6: don't count. The total across all mechanisms must be ≤ 10.

What happens when I exceed 10 lookups?

SPF returns a 'permerror' result. This means SPF effectively FAILS for every email you send — not just for the extra services. It's a complete SPF failure that affects all senders in your record. It happens silently — you won't get an error message.

Which mechanisms count toward the limit?

Count: include (1+, may chain), a (1), mx (1+, resolves hostnames), exists (1), redirect (1). Don't count: ip4, ip6, all. The 'include' chains are the killer — include:_spf.google.com internally includes 2-3 more lookups.

What is SPF flattening?

SPF flattening replaces include: mechanisms with the actual IP addresses they resolve to. Since ip4: doesn't cost lookups, this eliminates the lookup problem. The catch: ESP IPs change over time. Flattening must be automated or regularly updated. Tools: AutoSPF, EasyDMARC, dmarcian.

What is subdomain delegation for SPF?

Instead of putting all services on your root domain's SPF, route different services through different subdomains. Each subdomain gets its own SPF record with its own 10-lookup budget. Example: marketing.yourdomain.com SPF only includes Klaviyo. mail.yourdomain.com SPF only includes Postmark.

Want this handled for you?

Free 30-minute strategy call. Walk away with a plan either way.

Related Articles

ARC: Solving the DMARC Problem with Email Forwarding

ARC Sealing Explained: How Intermediaries Preserve Authentication

BIMI on Apple Mail: How It Differs from Gmail

BIMI on Gmail: Requirements and Timeline

What is BIMI? Complete Guide to Brand Indicators for Message Identification