The SPF 10-lookup limit
RFC 7208 §4.6.4 says receivers must abort SPF evaluation after 10 DNS lookups. The result: PermError. Your SPF record is silently ignored as if it didn't exist. Most outages here are not discovered until weeks later.
What counts as a lookup
These mechanisms each consume one lookup when receivers evaluate your record:
- include:domain.com — one lookup, plus every lookup inside the included record (recursive).
- a / mx — one lookup each.
- ptr — one lookup (and ptr is deprecated; don't use it).
- exists:domain.com — one lookup.
- redirect=domain.com — one lookup, plus everything in the target record.
What doesn't count
- ip4: and ip6: — zero lookups (the value is the answer).
- all, v=spf1 — zero lookups.
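The counting rules above, as an added example (not code from the original page): a worst-case lookup counter run over constructed TXT records for hypothetical domains, showing how an apex record with only five visible lookup terms lands at 11. The names `RECORDS`, `count_lookups` and `audit` are assumptions made for this illustration; a live audit would fetch the records from DNS instead.

```python
# Constructed TXT records for hypothetical domains, embedded so this runs offline.
RECORDS = {
    "example.com": "v=spf1 a mx include:_spf.esp-a.example "
                   "include:_spf.esp-b.example include:_spf.esp-c.example "
                   "ip4:192.0.2.10 -all",
    "_spf.esp-a.example": "v=spf1 include:_nb1.esp-a.example include:_nb2.esp-a.example ~all",
    "_nb1.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.esp-a.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.esp-b.example": "v=spf1 a mx exists:%{i}.allow.esp-b.example ~all",
    "_spf.esp-c.example": "v=spf1 redirect=_spf2.esp-c.example",
    "_spf2.esp-c.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
LIMIT = 10  # RFC 7208 section 4.6.4


def count_lookups(domain, records, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:  # include/redirect loop: stop rather than recurse forever
        return 0
    total = 0
    for term in records.get(domain, "").split()[1:]:  # [1:] skips "v=spf1"
        if term.lower().startswith("redirect="):
            # one lookup, plus everything in the target record
            total += 1 + count_lookups(term.split("=", 1)[1], records, path + (domain,))
            continue
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name == "include":
            # one lookup, plus every lookup inside the included record
            total += 1 + count_lookups(arg, records, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
        # ip4, ip6 and all fall through: zero lookups
    return total


def audit(domain, records):
    """Return (lookups, verdict) where verdict is 'PermError' above the limit."""
    n = count_lookups(domain, records)
    return n, "PermError" if n > LIMIT else "ok"


if __name__ == "__main__":
    print(audit("example.com", RECORDS))
```

The count is worst-case: it assumes every term in every record is evaluated, which is the number to keep at or below 10.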
What each major ESP costs you
| Provider | Include | Lookups |
|---|---|---|
| Google Workspace / Gmail | _spf.google.com | 1 |
| Microsoft 365 / Outlook | spf.protection.outlook.com | 1 |
| SendGrid | sendgrid.net | 2 |
| Mailchimp / Mandrill | servers.mcsv.net | 2 |
| Mailgun | mailgun.org | 2 |
| Amazon SES | amazonses.com | 1 |
| HubSpot | _spf.hubspotemail.net | 1 |
| Salesforce | _spf.salesforce.com | 2 |
| Klaviyo | _spf.klaviyo.com | 1 |
| Zoho Mail | zoho.com | 1 |
Lookup counts can change when an ESP restructures their SPF macros. Run the SPF Checker for live numbers.
How to fix an over-limit record
- Audit. Are you including ESPs you stopped using?
- Consolidate. If two tools both send through SendGrid, you only need to include SendGrid once.
- SPF flattening (last resort). Resolve the includes once and inline the resulting ip4: entries. Cheap on lookups, but you have to re-flatten when the provider rotates IPs.
- Subdomain delegation. Move bulk senders to a subdomain (e.g. m.example.com) so the apex doesn't carry their SPF cost.