SPF too many DNS lookups
RFC 7208 limits SPF evaluation to 10 DNS lookups. Exceeding that triggers PermError — receivers cannot validate SPF. Each include:, a, mx, ptr, and exists mechanism in the evaluation chain counts, including nested includes inside delegated records.
Quick fix (3 steps)
- 1
List every `include:` in your SPF record and open each included SPF to count nested lookups — ESP + M365 + Google often exceed 10 together.
- 2
Remove unused includes (old ESPs, retired marketing tools) and consolidate sending through fewer authorized paths.
- 3
If you still exceed 10 lookups, use SPF flattening or split sending across subdomains (e.g., `mail.example.com` for marketing, root domain for corporate mail).
Common questions
Do void lookups count toward the limit?+
No. Void lookups (mechanisms that match no record) do not count, but invalid includes that error may still cause PermError.
Does mx mechanism always count as lookups?+
The mx mechanism triggers a lookup for the MX record; if multiple MX hosts are listed, additional a/aaaa lookups for those hosts may count toward the limit.
Can I have two SPF records?+
No. Multiple SPF TXT records on one domain cause PermError. Merge into a single v=spf1 record.