SPF’s 10 DNS Lookup Limit: Causes, Diagnosis, and Fixes
Understand which SPF mechanisms count toward the 10-lookup limit, how recursive includes cause failures, and how to fix an oversized SPF policy safely.
SPF permits at most 10 DNS-causing terms during one evaluation. The total is recursive: lookups triggered by nested include and redirect records count too. If evaluation exceeds the limit, the result is permerror; receivers cannot reliably treat the sender as SPF-authorized.
What counts toward ten?
The include, a, mx, ptr, exists, and redirect mechanisms/modifiers can cause DNS queries and count. ip4, ip6, and all do not. A single include may expand into several more counted terms, so counting only the visible record is incorrect. The deprecated ptr mechanism should not be used.
Consider:
v=spf1 include:_spf.google.com include:mail.vendor.example mx -all
The visible record has three DNS-causing terms, but both included policies must be traversed. If Google’s policy consumes four and the vendor consumes five, evaluation reaches twelve.
How to diagnose it
Start at the organizational domain’s TXT SPF record. Follow every include and redirect, count each DNS-causing term, and detect loops. Also record void lookups—queries returning no usable answer—because SPF separately limits those. Test the actual domain used by the message’s envelope sender; it may differ from the visible From domain.
Do not rely on the number of TXT strings or the number of IP addresses returned. The limit concerns mechanism evaluation, not raw DNS packets.
Safe fixes
Remove providers that no longer send mail, consolidate duplicate includes, and ask vendors for the narrowest supported authorization. Prefer stable ip4 or ip6 ranges only when you control their lifecycle; copying a vendor’s current addresses creates silent drift when they change.
“SPF flattening” replaces includes with IP ranges. It can reduce live lookups but transfers update responsibility to you. Use it only with automated refresh, change review, and rollback. Never delete a legitimate sender merely to make the counter green—inventory first, change second, then verify DMARC alignment and real delivery.
Reference
RFC 7208 section 4.6.4 defines the processing limit, while section 11.1 describes DNS-query amplification concerns.
Use the free checker below to resolve the complete include chain and see the current lookup count.
Check a domain for free
Audit email authentication, TLS, HSTS, and security headers. No signup required.
Checking the domain's records…