Email Authentication Deep Dive

The SPF 10-Lookup Limit: Why Your Email Might Be Failing

SPF looks simple until you hit the 10-lookup limit. Suddenly your emails fail DMARC, and you're debugging DNS records at 2am. Here's everything you need to know.

  • Max DNS lookups: 10
  • Result when exceeded: PermError
  • Specification: RFC 7208

What is SPF?

Sender Policy Framework (SPF) is a DNS-based email authentication method that specifies which mail servers are authorized to send email on behalf of your domain.

When a receiving server gets an email from hello@yourcompany.com, it checks the DNS for yourcompany.com's SPF record to see if the sending server is authorized.

How the check flows: the sending server (192.0.2.100) connects, the receiver looks up the TXT record at yourcompany.com, and the SPF check asks whether 192.0.2.100 is allowed.

Example SPF Record

v=spf1 include:_spf.google.com include:amazonses.com -all

The 10-Lookup Problem

RFC 7208 limits a single SPF evaluation to 10 DNS-querying mechanisms and modifiers. This isn't a suggestion; it's a hard limit that compliant receiving servers enforce. Exceed it, and your SPF evaluation returns PermError.

What Happens at 11 Lookups

When your SPF record exceeds 10 lookups, receiving servers return a PermError. This is treated as an SPF failure, which causes DMARC to fail if you're using DMARC (and you should be). Your emails may be rejected or sent to spam.

Why Does This Limit Exist?

The limit prevents denial-of-service attacks. Without it, an attacker could craft an SPF record with thousands of nested includes, forcing receiving servers to make endless DNS queries.

It also encourages efficient SPF design. If you need more than 10 lookups, you probably have too many email providers—or you need to use IP addresses directly.

How Lookups Are Counted

Not all SPF mechanisms are equal. Some require DNS lookups, others don't. Understanding this is key to staying under the limit.

Mechanisms That Count

  • include: (each include costs at least 1 lookup, plus whatever the included record costs)
  • a (looks up A/AAAA records)
  • mx (looks up MX records)
  • ptr (reverse DNS lookup; deprecated)
  • exists: (checks whether a record exists)
  • redirect= (redirects evaluation to another domain's record)

Mechanisms That Don't Count

  • ip4: (direct IPv4 address or CIDR range)
  • ip6: (direct IPv6 address or CIDR range)
  • all (catch-all at the end of the record)

Pro Tip

If you have dedicated sending IPs, use ip4: or ip6: mechanisms instead of includes to save lookups.

Nested Lookups Add Up

Here's what catches people off guard: include: mechanisms are evaluated recursively. When you include Google's SPF record, you're not just adding 1 lookup; you're also adding every lookup inside Google's record.

Google's SPF Record (Simplified)
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com
       include:_netblocks3.google.com ~all

That's why include:_spf.google.com costs 4 lookups, not 1.

Provider Lookup Costs

Here's how many lookups popular email providers cost. Plan your SPF record accordingly.

Provider           Mechanism                              Lookups
ActiveCampaign     include:emsd1.com                      1
AWS SES            include:amazonses.com                  1
Constant Contact   include:spf.constantcontact.com        1
Google Workspace   include:_spf.google.com                1
Microsoft 365      include:spf.protection.outlook.com     1
Postmark           include:spf.mtasv.net                  1
Zendesk            include:mail.zendesk.com               1
Salesforce         include:_spf.salesforce.com            2
SendGrid           include:sendgrid.net                   2
ConvertKit         include:convertkit.com                 3
Customer.io        include:customeriomail.com             3
Klaviyo            include:send.klaviyo.com               3
Stripe             include:spf1.stripe.com                4
Zoho               include:zoho.com                       4
Mailgun            include:mailgun.org                    5
Freshdesk          include:email.freshdesk.com            7

Common Scenario

Google Workspace (4) + Microsoft 365 (2) + SendGrid (3) + HubSpot (2) = 11 lookups. You're already over the limit with just four providers.

SPF Flattening

SPF flattening resolves include: mechanisms to their actual IP addresses, eliminating the DNS lookups entirely.

Before flattening (9 lookups):

v=spf1 include:_spf.google.com
       include:sendgrid.net
       include:amazonses.com -all

After flattening (0 lookups):

v=spf1 ip4:209.85.128.0/17
       ip4:167.89.0.0/17
       ip4:23.249.208.0/20
       ... (many more IPs) -all

Benefits of flattening:

  • Eliminates lookup limit concerns entirely
  • Faster SPF evaluation (no DNS chain to follow)
  • Can include unlimited providers

When to Flatten

Only flatten if you've genuinely exceeded 10 lookups and can't reduce providers. A flattened record goes stale as soon as a provider changes its IP ranges, so it has to be regenerated on a schedule; consider services like Valimail or dmarcian that automate IP monitoring and updates.
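The following is an added, self-contained example (not the page's tool or any provider's code) that ties together the two mechanics described above: counting lookups recursively through include: chains, as in the "How Lookups Are Counted" and "Nested Lookups Add Up" sections, and flattening a record to ip4:/ip6: terms as in "SPF Flattening". All DNS answers come from a constructed in-memory table with invented zone names and RFC 5737/3849 placeholder addresses, so it runs offline; the provider record `_spf.mailhost.example` is built to mirror the "1 include that really costs 4" case.

```python
"""Count SPF DNS lookups (RFC 7208) and flatten include: chains to IP terms.

Added example, not the page's tool. All DNS answers come from the constructed
table below (placeholder addresses, invented names), so it runs offline.
"""
from __future__ import annotations

# Constructed DNS data: TXT holds the SPF records, A/MX back the a and mx mechanisms.
DNS = {
    "TXT": {
        # The domain being audited.
        "example.com": "v=spf1 include:_spf.mailhost.example include:relay.example mx -all",
        # A provider record that itself includes three netblock records (1 + 3 lookups).
        "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example "
                                 "include:_nb2.mailhost.example "
                                 "include:_nb3.mailhost.example ~all",
        "_nb1.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
        "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
        "_nb3.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
        "relay.example": "v=spf1 a ip4:203.0.113.10 -all",
        # A record that blows the limit: 3 x (1 + 3) = 12 lookups.
        "deep.example": "v=spf1 include:_spf.mailhost.example "
                        "include:_spf.mailhost.example "
                        "include:_spf.mailhost.example -all",
    },
    # IPv4-only A data for this example (no AAAA table).
    "A": {"relay.example": ["203.0.113.20"], "mail.example.com": ["203.0.113.30"]},
    "MX": {"example.com": ["mail.example.com"]},
}

MAX_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a lookup


def spf_terms(domain: str, dns=DNS) -> list[str]:
    """Terms of a domain's SPF record after the v=spf1 tag ([] if none)."""
    tokens = dns["TXT"].get(domain, "").split()
    return tokens[1:] if tokens and tokens[0].lower() == "v=spf1" else []


def term_name(term: str) -> str:
    """'include:x' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect', 'a/24' -> 'a'."""
    name = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name.lower()


def term_target(term: str, current: str) -> str:
    """Domain a term points at; bare 'a'/'mx' refer to the record's own domain."""
    body = term.lstrip("+-~?")
    for sep in (":", "="):
        if sep in body:
            return body.split(sep, 1)[1].split("/", 1)[0]
    return current


def count_lookups(domain: str, dns=DNS, _depth: int = 0) -> int:
    """DNS lookups an evaluator makes for the whole SPF chain under domain.

    Every include/a/mx/ptr/exists/redirect term counts once; include and
    redirect also add the cost of the record they pull in. ip4/ip6/all are free.
    """
    if _depth > 20:  # defensive: a record that includes itself would recurse forever
        raise ValueError(f"include/redirect chain too deep at {domain}")
    total = 0
    for term in spf_terms(domain, dns):
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(term_target(term, domain), dns, _depth + 1)
    return total


def check_lookup_limit(domain: str, dns=DNS) -> tuple[int, str]:
    """(lookup count, 'ok' or 'permerror'), the way a receiver would decide."""
    n = count_lookups(domain, dns)
    return n, ("permerror" if n > MAX_LOOKUPS else "ok")


def flatten(domain: str, dns=DNS) -> str:
    """Rewrite the record with include/a/mx replaced by the ip4/ip6 terms they resolve to.

    Assumes lookup terms carry the default '+' qualifier and ignores CIDR
    suffixes on a/mx (the common case). The top-level 'all' is kept; nested
    'all' terms are dropped because an include never matches on them.
    """
    ips: list[str] = []

    def walk(dom: str) -> None:
        for term in spf_terms(dom, dns):
            name = term_name(term)
            if name in ("ip4", "ip6"):
                ips.append(term.lstrip("+"))
            elif name in ("include", "redirect"):
                walk(term_target(term, dom))
            elif name == "a":
                ips.extend("ip4:" + ip for ip in dns["A"].get(term_target(term, dom), []))
            elif name == "mx":
                for host in dns["MX"].get(term_target(term, dom), []):
                    ips.extend("ip4:" + ip for ip in dns["A"].get(host, []))

    walk(domain)
    tail = [t for t in spf_terms(domain, dns) if term_name(t) == "all"][-1:]
    return " ".join(["v=spf1", *dict.fromkeys(ips), *tail])  # dedupe, keep order


if __name__ == "__main__":
    for dom in ("example.com", "deep.example"):
        print(dom, check_lookup_limit(dom))
    print(flatten("example.com"))
```

Running it shows `example.com` at 7 lookups (the single `include:_spf.mailhost.example` alone accounts for 4 of them) and `deep.example` at 12 with a PermError verdict; the flattened `example.com` record carries zero lookup-costing terms and keeps the original `-all`. To use it against real zones, replace the `DNS` dict lookups with a resolver query; the counting and flattening logic does not change.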

SPF Best Practices

Use -all (hard fail) in production

Start with ~all during testing, but switch to -all once verified. Soft fail still allows spoofed email through.

Only authorize what you actually use

Don't add providers "just in case." Every include costs lookups and authorizes every host in that provider's record to send as your domain, so an unused include is both wasted budget and extra attack surface.

Prefer IP mechanisms for dedicated IPs

If you have static sending IPs, use ip4: or ip6: instead of includes to save lookups.

One SPF record per domain

Publishing more than one v=spf1 TXT record makes receivers return PermError for the whole domain. If you need to add providers, merge them into the one existing record.

Monitor with DMARC reports

Set up DMARC with reporting (rua=) to see who's sending as your domain and catch SPF issues early.
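As an added example (not the page's SPF Record Builder), here is a small linter that checks a domain's published records against the practices listed above: exactly one SPF record, an `all` mechanism that is `-all` rather than `~all` or `+all`, nothing dangling after `all`, no deprecated `ptr`, and a `_dmarc` record carrying `rua=`. The zone data is a constructed in-memory table with placeholder names and addresses so it runs offline.

```python
"""Lint a domain's SPF and DMARC TXT records against common best practices.

Added example, not the page's tool. Zone data is a constructed in-memory
table (placeholder names and RFC 5737 addresses), so it runs offline.
"""
from __future__ import annotations

# Constructed TXT records keyed by owner name; a list because a zone may (wrongly) publish several.
ZONE_TXT = {
    "good.example": ["v=spf1 ip4:192.0.2.10 include:_spf.mailhost.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@good.example"],
    "soft.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "double.example": ["v=spf1 include:a.example -all", "v=spf1 include:b.example -all"],
    "legacy.example": ["v=spf1 ptr mx -all ip4:192.0.2.20"],
    "open.example": ["v=spf1 include:_spf.mailhost.example +all"],
}


def _name(term: str) -> str:
    """Mechanism or modifier name without qualifier, argument or CIDR."""
    name = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name.lower()


def lint_spf(domain: str, zone=ZONE_TXT) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the records follow the practices."""
    findings: list[tuple[str, str]] = []
    records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return [("error", "no SPF record published; receivers cannot reject spoofed mail for this domain")]
    if len(records) > 1:
        # RFC 7208 section 4.5: more than one v=spf1 record is a PermError; nothing else matters.
        return [("error", f"{len(records)} SPF records published; receivers return PermError, merge them into one")]

    terms = records[0].split()[1:]
    names = [_name(t) for t in terms]

    if "all" not in names:
        findings.append(("warning", "no all mechanism; unlisted senders get Neutral instead of Fail"))
    else:
        idx = names.index("all")
        qualifier = terms[idx][0] if terms[idx][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(("error", "+all authorizes every host on the internet to send as this domain"))
        elif qualifier == "~":
            findings.append(("warning", "~all (soft fail) still lets spoofed mail through; switch to -all once verified"))
        elif qualifier == "?":
            findings.append(("warning", "?all is neutral; switch to -all once verified"))
        if idx != len(terms) - 1:
            findings.append(("warning", f"{len(terms) - idx - 1} term(s) after all are never evaluated"))
    if "ptr" in names:
        findings.append(("warning", "ptr is deprecated by RFC 7208; replace it with ip4/ip6 or include"))

    # Best practice: DMARC with aggregate reporting so SPF problems surface early.
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(("warning", "no DMARC record; publish one with rua= to receive aggregate reports"))
    elif not any("rua=" in r for r in dmarc):
        findings.append(("warning", "DMARC record has no rua= tag; you will not receive reports"))
    return findings


if __name__ == "__main__":
    for dom in ("good.example", "soft.example", "double.example", "legacy.example", "open.example"):
        print(dom, lint_spf(dom) or "clean")
```

Only `good.example` comes back clean; `double.example` stops at the duplicate-record error because receivers never get past it, and `legacy.example` collects three warnings (deprecated `ptr`, a term stranded after `-all`, and no DMARC reporting). Against real zones, replace the `ZONE_TXT` lookups with TXT queries for `domain` and `_dmarc.domain`.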

Build Your SPF Record

Use our free SPF Record Builder to generate a valid SPF record while tracking your lookup count in real time.
