SPF 'too long' usually means exceeding the 10 DNS lookup limit, not character length. Fix by removing unused includes, replacing includes with ip4 addresses for static IPs, using SPF flattening services, or splitting senders across subdomains. The DNS lookup limit is the practical ceiling—most records hit it before reaching character limits.
SPF Record Too Long: How to Fix It
Understanding SPF Limits
SPF has two types of limits:
Character Limit
DNS TXT records have a 255-character limit per string. Multiple strings can be concatenated (up to ~450 characters practical limit). This is rarely the problem.
DNS Lookup Limit (The Real Issue)
SPF allows maximum 10 DNS lookups. This is what "SPF record too long" usually means—not character length.
Mechanisms that count:
- include — 1 + nested includes
- a — 1
- mx — 1 + MX server count
- redirect — 1 + target's lookups
- exists — 1
Mechanisms that don't count:
- ip4/ip6 — 0
- all — 0
Diagnosing the Problem
Check your lookup count:
# Get your SPF record
dig TXT yourdomain.com +short | grep spf
# Or use MXToolbox
MXToolbox SPF Lookup shows total lookups. If you see "Too many DNS lookups" or count exceeds 10, you've hit the limit.
Example problem record:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:servers.mcsv.net include:_spf.hubspot.com ~all
This looks like 5 includes, but nested lookups push it over 10:
- _spf.google.com: ~4 lookups
- sendgrid.net: ~3 lookups
- mailgun.org: ~2 lookups
- servers.mcsv.net: ~2 lookups
- _spf.hubspot.com: ~2 lookups
- Total: ~13 lookups → permerror
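An added sketch (not from the original article) of how the nested count above is reached: it walks include and redirect targets recursively and charges one lookup per include, a, mx, exists and redirect term. The .test domains and their records are constructed sample data held in a dictionary rather than fetched from DNS, and the extra per-MX-host cost is not modelled.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "a", "mx", "exists", "redirect"}  # terms this page lists

# Constructed zone data (domain -> SPF TXT), shaped like the 5-include record above.
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"
ZONE = {
    "example.test": "v=spf1 include:mail.test include:esp-a.test include:esp-b.test"
                    " include:esp-c.test include:crm.test ~all",
    "mail.test": "v=spf1 include:n1.mail.test include:n2.mail.test include:n3.mail.test ~all",
    "esp-a.test": "v=spf1 include:u1.esp-a.test include:u2.esp-a.test ~all",
    "esp-b.test": "v=spf1 a:out.esp-b.test ~all",
    "esp-c.test": "v=spf1 redirect=_r.esp-c.test",
    "crm.test": "v=spf1 exists:%{i}.spf.crm.test ~all",
    **{d: LEAF for d in ("n1.mail.test", "n2.mail.test", "n3.mail.test",
                         "u1.esp-a.test", "u2.esp-a.test", "_r.esp-c.test")},
}

def count_lookups(domain, zone, path=()):
    """Worst-case lookup count for domain's SPF record, nested records included."""
    if domain in path:
        raise ValueError("include/redirect loop: " + " -> ".join(path + (domain,)))
    terms = zone.get(domain, "").lower().split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in terms[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if not m:
            continue
        name, target = m.groups()
        if name in COUNTED:
            total += 1  # the term itself costs one lookup
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, path + (domain,))  # nested cost
    return total

def breakdown(domain, zone):
    """Cost of each top-level include (1 for the include plus what it nests)."""
    targets = re.findall(r"include:(\S+)", zone[domain].lower())
    return {t: 1 + count_lookups(t, zone, (domain,)) for t in targets}

def verdict(domain, zone):
    n = count_lookups(domain, zone)
    return n, "permerror" if n > LIMIT else "ok"

if __name__ == "__main__":
    print(breakdown("example.test", ZONE))
    print(verdict("example.test", ZONE))
```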
Fix 1: Remove Unused Includes
Audit which services actually send email for your domain. Common culprits:
- Old ESPs you no longer use
- Marketing tools from past campaigns
- Test services never removed
# Before (too many lookups)
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:servers.mcsv.net include:_spf.hubspot.com ~all
# After (removed Mailgun and Mailchimp you don't use anymore)
v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.hubspot.com ~all
Practitioner note: In every SPF audit I do, at least one include is for a service the client stopped using years ago. Check your actual sending services, not just what's in the SPF record.
Fix 2: Replace Includes with IP Addresses
If a sender uses static, dedicated IPs, replace their include with ip4:
# Before (3+ lookups)
include:sendgrid.net
# After (0 lookups)
ip4:167.89.0.0/17 ip4:198.2.128.0/24
Warning: Only do this for IPs you know won't change. ESP shared IPs change frequently. Only dedicated IPs you control or that your ESP confirms are static should be hardcoded.
Fix 3: SPF Flattening
Flattening resolves all includes to their IP addresses, eliminating nested lookups.
Before flattening:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
After flattening:
v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:167.89.0.0/17 ip4:198.2.128.0/24 ~all
Flattening Services
Because ESP IPs change, manual flattening requires constant updates. Use automated services:
- AutoSPF — Automatically flattens and updates
- PowerDMARC — Includes flattening in their suite
- dmarcian — Offers SPF management
- EasySPF — Dedicated flattening service
These services publish a single include that contains your flattened IPs, updating automatically as ESPs change their infrastructure.
Practitioner note: DIY flattening works until it doesn't. I've seen clients flatten Google's SPF, then get bitten when Google added new IP ranges three months later. Use an automated service or be prepared for ongoing maintenance.
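The drift described in the note above, as an added example that is not part of the original article: it compares a manually flattened record with the ranges the sender lists today and reports both directions of drift. The record and range list are constructed from documentation address blocks, not real ESP data; in practice the current ranges would come from resolving the sender's include.

```python
import ipaddress

# Constructed sample data: a flattened record published earlier, and the ranges
# the sender's include resolves to today (documentation ranges, not real ESP data).
FLATTENED = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all"
UPSTREAM_NOW = ["192.0.2.0/25", "203.0.113.0/24", "2001:db8::/32"]

def record_networks(spf):
    """Return the ip4/ip6 networks listed in an SPF record."""
    nets = []
    for term in spf.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets

def drift(flattened_spf, upstream_cidrs):
    """Compare a flattened record with the sender's current ranges.

    missing: current ranges the record does not cover (mail from them fails SPF).
    stale:   record ranges the sender no longer lists (still authorised to send).
    """
    have = record_networks(flattened_spf)
    want = [ipaddress.ip_network(c, strict=False) for c in upstream_cidrs]
    missing = [str(w) for w in want
               if not any(w.version == h.version and w.subnet_of(h) for h in have)]
    stale = [str(h) for h in have
             if not any(h.version == w.version and h.overlaps(w) for w in want)]
    return missing, stale

if __name__ == "__main__":
    missing, stale = drift(FLATTENED, UPSTREAM_NOW)
    print("missing:", missing)
    print("stale:", stale)
```

Stale entries matter as much as missing ones: a range the sender has released stays authorised in your record for whoever holds it next.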
Fix 4: Use Subdomains
Split senders across subdomains, each with its own SPF record:
Root domain (transactional):
yourdomain.com
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Marketing subdomain:
marketing.yourdomain.com
v=spf1 include:_spf.klaviyo.com include:servers.mcsv.net ~all
Sales subdomain:
sales.yourdomain.com
v=spf1 include:_spf.hubspot.com include:_spf.salesforce.com ~all
Configure each ESP to send from its designated subdomain. This works well when you have clear separation between sending types.
Fix 5: Optimize Mechanism Usage
Remove unnecessary mechanisms:
Remove a if your web server doesn't send email:
# Before
v=spf1 a include:_spf.google.com ~all
# After
v=spf1 include:_spf.google.com ~all
Remove mx if your MX servers don't send outbound:
# Before
v=spf1 mx include:_spf.google.com ~all
# After
v=spf1 include:_spf.google.com ~all
Verification After Changes
After implementing any fix:
- Wait for DNS propagation (15-30 minutes)
- Check with MXToolbox SPF Lookup
- Verify lookup count is ≤10
- Send test emails from all services
- Check headers for spf=pass
- Monitor DMARC reports for unexpected failures
Character Limit Solutions
If you genuinely hit the ~450 character limit (rare):
Use shorter include paths: Some ESPs offer compact SPF records. Check their documentation.
Multiple TXT strings: DNS allows concatenating strings. Your DNS provider may handle this automatically for long values.
"v=spf1 include:_spf.google.com " "include:sendgrid.net ~all"
Both strings are concatenated during evaluation.
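An added example (not from the original article) of splitting a long record into strings of at most 255 characters. Because the strings are joined with nothing between them, each break has to keep its space, as the first string in the example above does. The sample record is constructed.

```python
def split_txt(record, limit=255):
    """Split an SPF record into strings of at most `limit` bytes, breaking only
    after a space so that plain concatenation rebuilds the record exactly."""
    record.encode("ascii")  # SPF records are ASCII; raises on anything else
    tokens = record.split(" ")
    # Attach each separating space to the term before it.
    pieces = [t + " " for t in tokens[:-1]] + [tokens[-1]]
    chunks, current = [], ""
    for piece in pieces:
        if len(piece) > limit:
            raise ValueError(f"term longer than {limit} bytes: {piece[:30]}...")
        if current and len(current) + len(piece) > limit:
            chunks.append(current)  # flush before the string would overflow
            current = ""
        current += piece
    chunks.append(current)
    return chunks

def zone_file_form(chunks):
    """Render the strings as they would appear in a zone file TXT value."""
    return " ".join(f'"{c}"' for c in chunks)

# Constructed sample: 20 ip4 terms, 361 characters in total.
LONG = "v=spf1 " + " ".join(f"ip4:198.51.100.{i}" for i in range(20)) + " ~all"

if __name__ == "__main__":
    parts = split_txt(LONG)
    print([len(p) for p in parts])
    print(zone_file_form(parts))
```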
For the lookup limit issue, see the SPF 10-lookup limit guide. For reducing lookups via IP resolution, see SPF flattening. For the subdomain approach, see SPF, DKIM, DMARC for multiple senders.
Sources
- RFC 7208: Sender Policy Framework (SPF), Section 4.6.4 — DNS Lookup Limits
- RFC 7208: Section 3.4 — Record Size
- dmarcian: SPF Record Length
- MXToolbox: SPF Record Check
v1.0 · March 2026
Frequently Asked Questions
What is the SPF record length limit?
SPF has two limits: 255 characters per DNS string (concatenated strings allowed up to ~450 chars), and 10 DNS lookups. The lookup limit is what most people hit. Each include, a, mx, and redirect counts toward the lookup limit.
How do I reduce SPF DNS lookups?
Remove unused includes, replace ESP includes with ip4 addresses (for static IPs only), use SPF flattening services, or split senders across subdomains with separate SPF records.
What is SPF flattening?
Flattening resolves all includes to their underlying IP addresses, eliminating nested lookups. Instead of include:sendgrid.net (3 lookups), you'd have ip4:xxx.xxx.xxx.xxx (0 lookups). Requires regular updates as ESP IPs change.
Can I have multiple SPF records to fit more senders?
No. Multiple SPF records cause permerror. You must have exactly one SPF record. Use subdomains if you need to split senders—each subdomain can have its own SPF record.
What happens if SPF exceeds 10 lookups?
The receiving server returns permerror and SPF fails. Your email may be rejected or flagged as spam depending on DMARC policy and other signals.