What Does "Too Many DNS Lookups" Mean?
SPF (Sender Policy Framework) has a strict 10 DNS lookup limit, defined in RFC 7208. When your SPF record exceeds this limit, email servers return a PermError and may reject your emails entirely.
Each of these mechanisms counts as one DNS lookup:
- include:
- a:
- mx:
- redirect=
The tricky part: nested includes also count. For example, include:_spf.google.com contains 4 additional lookups inside it.
Why Does This Limit Exist?
The 10 lookup limit isn't arbitrary — it serves important purposes:
- Prevents DNS amplification attacks — Without a limit, attackers could craft SPF records that trigger massive DNS queries
- Stops infinite loops — Circular includes could cause endless recursion
- Ensures fast email delivery — Email servers need to verify SPF quickly; too many lookups slow down delivery
How to Count Your SPF Lookups
Let's look at a real example. This SPF record looks innocent:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:servers.mcsv.net ~all
But here's the actual lookup count:
- include:_spf.google.com → 4 lookups (nested)
- include:spf.protection.outlook.com → 2 lookups
- include:sendgrid.net → 1 lookup
- include:servers.mcsv.net → 2 lookups
Total: 9 lookups — just under the limit. Add one more service and you're over.
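The recursive count described above, as an added example rather than code from the original article: it walks constructed TXT records instead of querying DNS, and it also counts `exists` and `ptr`, which RFC 7208 includes in the limit. The `ZONE` dict, the function names and every `.example` domain are assumptions made for illustration, not real provider records.

```python
import re

# Terms that cost a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/](.*))?$", re.I)
LIMIT = 10

# Constructed TXT records standing in for live DNS; every name is a placeholder.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:spf.crm.example ~all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.crm.example": "v=spf1 a:out.crm.example ip4:203.0.113.0/24 -all",
    "shop.example": "v=spf1 include:example.com include:_spf.mail.example a mx ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

def count_lookups(domain, zone=ZONE, _path=()):
    """Count DNS-querying terms reachable from domain's SPF record, nested ones included."""
    domain = domain.lower().rstrip(".")
    if domain in _path:
        raise ValueError("circular include: " + " -> ".join(_path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        match = LOOKUP_TERM.match(term)
        if not match:
            continue  # ip4:, ip6: and all resolve nothing, so they are free
        total += 1  # the term itself
        name, target = match.group(1).lower(), match.group(2)
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, _path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (lookup count, verdict) against the 10-lookup limit."""
    count = count_lookups(domain, zone)
    return count, "permerror" if count > LIMIT else "ok"

if __name__ == "__main__":
    for name in ("example.com", "shop.example"):
        print(name, audit(name))
```

Swapping the `ZONE` dict for a resolver that returns each domain's TXT record turns this into a check that can run before a new include is published.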
How to Fix It (3 Methods)
Method 1: Remove Unused Includes
The easiest fix. Audit which services actually send email for your domain:
- Check if you still use that old CRM
- Remove test services you forgot about
- Consolidate email sending to fewer platforms
Method 2: SPF Flattening
Replace include: statements with the actual IP addresses they resolve to. This reduces lookups to zero for that service.
Before:
include:sendgrid.net
After (flattened):
ip4:167.89.0.0/17 ip4:208.117.48.0/20
Downside: IP addresses can change. You'll need to monitor and update your SPF record when providers change their IPs.
Method 3: Use a Subdomain
Move some email senders to a subdomain like mail.yourdomain.com or marketing.yourdomain.com.
Each subdomain gets its own SPF record with its own 10 lookup limit. This is ideal for separating transactional email from marketing email.
Common Services and Their Lookup Costs
Use this table to estimate your total lookup count:
| Service | Lookups | Include Statement |
|---|---|---|
| Google Workspace | 4 | include:_spf.google.com |
| Microsoft 365 | 2 | include:spf.protection.outlook.com |
| SendGrid | 1 | include:sendgrid.net |
| Mailchimp | 2 | include:servers.mcsv.net |
| Amazon SES | 1 | include:amazonses.com |
| Zendesk | 2 | include:mail.zendesk.com |
| HubSpot | 1 | include:spf.hubspot.com |
| Salesforce | 2 | include:_spf.salesforce.com |