SPF too many DNS lookups — how to fix it
SPF has a hard limit of 10 DNS-resolving mechanisms. If your SPF record requires more than 10 lookups, receiving servers are allowed to treat it as a permanent failure — even if the sending server is legitimate. This silently breaks email delivery.
Why the limit exists
SPF validation happens in real time while a mail server is deciding whether to accept your email. Each include:, a:, mx:, redirect=, and exists: mechanism in your record causes a DNS lookup. Allowing unlimited lookups would make SPF validation a vector for DNS amplification attacks, so the RFC hard-limits it to 10.
How to count your lookups
Every one of the following counts as one lookup:
include:_spf.google.com→ 1 lookup (and each include can chain more)a:,mx:→ 1 eachredirect=→ 1 (plus whatever is inside)
Run a free check on your domain to see your current count:
Check lookup count →How to fix it
Option 1 — Remove services you no longer use
Audit every include: in your record. If you stopped using a particular email service, remove its include. This is the cleanest fix.
Option 2 — Flatten your SPF record
Replace nested includes with the actual IP addresses they resolve to. Instead of:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
You would write:
v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ip4:198.2.128.0/18 -all
Downside: IP addresses change. You will need to update your record when providers update their IP ranges.
Option 3 — Use an SPF flattening service
Services like PowerDMARC, MXToolbox, or dmarcian can automatically flatten and keep your SPF record up to date within the 10-lookup limit.
Verify the fix
After updating your record, run the check again to confirm you are within the 10-lookup limit. Changes propagate within 15–60 minutes typically.
Check your domain's current SPF lookup count and overall email security score.
Check my domain — free