SPF Lookup Limit

SPF (Sender Policy Framework) has a hard limit of 10 DNS lookups per email, defined in RFC 7208. This limit protects receiving mail servers from excessive DNS queries. If your SPF record exceeds this limit, it results in an SPF permerror, which can cause legitimate email to fail authentication and be marked as spam (or even rejected).

Why Does the Limit Exist?

• Protects server resources: Each DNS lookup consumes time and processing power on the receiving mail server.

• Prevents abuse: The limit helps stop denial-of-service (DoS) attacks that could overload mail systems with excessive lookups.

What Counts Toward the Limit?

The following SPF mechanisms and modifiers trigger DNS lookups and count toward the 10-lookup limit:

• include – Loads SPF records from other domains.

• a – Looks up A/AAAA records for a hostname.

• mx – Looks up MX records and their corresponding IPs.

• exists – Performs a DNS query to check for a hostname.

• redirect – Redirects the SPF check to another record.

How to Stay Within the Limit

• Use direct IPs: Replace includes with ip4 or ip6 entries when possible.

• Flatten carefully: Convert nested includes into resolved IP ranges (with regular maintenance). Click here for more information about MxToolbox's SPF Flattening feature.

• Remove unused senders: Delete SPF entries for services you no longer use.

• Segment with subdomains: Assign separate SPF records to different mail streams to gain additional lookup budgets.

• Validate regularly: Use MxToolbox's free SPF Record Check tool to identify lookup counts and configuration errors before they impact delivery. Or, if you need help setting up your SPF record, utilize our free SPF Record Generator tool.

Exceeding the SPF 10-lookup limit causes authentication failures that affect deliverability. Keeping SPF records lean, current, and well-organized ensures your email continues to pass authentication and reach the inbox.