The SPF 10-lookup limit: why it breaks email delivery
When you publish an SPF record, you list which mail servers can send email on behalf of your domain. Most of those listings come via include: statements referencing SPF records from cloud services — your CRM, support desk, transactional mail provider.
Each include: triggers a DNS lookup. RFC 7208 limits SPF evaluation to 10 DNS lookups total. Exceed that limit and the receiving server is allowed to treat your SPF as permanently erroring — returning permerror — which most providers treat the same as an SPF fail.
Why this accumulates
SPF records rarely start broken. They grow incrementally as services are added:
- Exchange Online: include:spf.protection.outlook.com
- Mailchimp: include:servers.mcsv.net
- Salesforce: include:_spf.salesforce.com
- Zendesk: include:mail.zendesk.com
- Xero: include:_spf.xero.com
Each include: may contain nested include: statements, each costing another lookup. A record that looks like 5 includes can easily resolve to 12–15 actual lookups.
How to count your lookups
Trace the full include chain manually with dig:
dig TXT yourdomain.com
For each include: found, repeat for that domain. Count every include:, redirect=, a and mx mechanism — each is one lookup. ip4: and ip6: statements cost nothing.
Alternatively, use the Email Authentication Checker — it resolves your SPF record and reports the full include chain with a lookup count.
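The manual count described above can be automated. The following is an added example, not code from the original page or from any tool it mentions: it walks an include chain and totals the worst-case lookups, and it also counts ptr and exists, which RFC 7208 section 4.6.4 charges against the same limit. The zone data, the example.* names and the function names are constructed for illustration; replace the resolve argument with a real TXT lookup to audit a live domain.

```python
import re

# Constructed sample zone (reserved example names, documentation IP ranges); runs offline.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.crm.example include:_spf.mail.example "
                   "include:_spf.desk.example ip4:192.0.2.10 ~all",
    "_spf.crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example ~all",
    "_a.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.crm.example": "v=spf1 a:out.crm.example exists:%{i}.bl.crm.example ~all",
    "_spf.mail.example": "v=spf1 include:_spf.shared.example ip4:203.0.113.0/25 ~all",
    "_spf.desk.example": "v=spf1 include:_spf.shared.example ~all",
    "_spf.shared.example": "v=spf1 include:_n1.shared.example include:_n2.shared.example ~all",
    "_n1.shared.example": "v=spf1 ip4:203.0.113.128/26 ~all",
    "_n2.shared.example": "v=spf1 ip6:2001:db8::/32 ~all",
}
RFC_LIMIT, TARGET = 10, 7   # RFC 7208 limit; the article's recommended ceiling

# Terms that cost a lookup; ip4:, ip6: and all are free and do not match.
COSTLY = re.compile(
    r"^[+\-~?]?(?:include:(\S+)|redirect=(\S+)|(?:a|mx|ptr|exists)(?:[:/]\S*)?)$", re.I)

def count_lookups(domain, resolve=ZONE.get, chain=()):
    """Worst-case lookup count (no mechanism matches early) plus an indented trace."""
    if domain in chain:                       # include/redirect loop: stop descending
        return 0, ["  " * len(chain) + f"(loop back to {domain})"]
    record = resolve(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return 0, ["  " * len(chain) + f"(no SPF record at {domain})"]
    total, trace = 0, []
    for term in record.split()[1:]:
        m = COSTLY.match(term)
        if not m:
            continue
        total += 1
        trace.append("  " * len(chain) + term)
        target = m.group(1) or m.group(2)
        if target:                            # include/redirect pull in another record
            sub, sub_trace = count_lookups(target.lower(), resolve, chain + (domain,))
            total, trace = total + sub, trace + sub_trace
    return total, trace

def audit(domain, resolve=ZONE.get):
    total, trace = count_lookups(domain, resolve)
    status = "over RFC limit" if total > RFC_LIMIT else "over target" if total > TARGET else "ok"
    return total, status, trace

if __name__ == "__main__":
    total, status, trace = audit("example.com")
    print("\n".join(trace + [f"{total} lookups: {status}"]))
```

The sample top-level record shows only four lookup-costing terms, yet resolves to 14 because the shared nested record is charged once for every include that reaches it.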
How to fix it
Remove unused includes. Check each service listed — is it still actively sending as your domain? Many organisations keep includes for services retired years ago.
Flatten your SPF record. Instead of include:servers.mcsv.net, look up what IP ranges that resolves to and list them directly as ip4: statements. This eliminates the lookup cost for that service. The trade-off: if the provider changes their IP ranges you need to update your record.
Restructure nested includes. If multiple services include the same third-party SPF records, consolidate.
Use SPF macros. For high-volume senders with large IP ranges, macros allow per-message lookup evaluation without pre-publishing all IPs. This requires receiver support, which most providers have.
The right target
Aim for 7 or fewer lookups. This leaves headroom for future services and handles providers that enforce stricter limits than the RFC requires.
After any SPF change, wait for DNS propagation (check your TTL) and re-verify with the Email Auth Checker.