SPF "Too Many DNS Lookups" — How to Fix PermError
What Is the SPF 10 DNS Lookup Limit?
SPF evaluation is limited to 10 DNS lookups. Every include:, a:, mx:, ptr:, and exists: mechanism and every redirect= modifier in your record costs a lookup, and the terms inside an included record cost lookups of their own. When evaluating a record would need more than 10, the receiver's SPF check returns PermError: not a fail, but no result at all, so your mail loses SPF-based authentication (and with it SPF-based DMARC alignment).
This is not a soft guideline. RFC 7208, Section 4.6.4 says implementations MUST enforce the limit and MUST return permerror when it is exceeded, and most receiving mail servers do exactly that.
What Counts as a DNS Lookup?
Not every term in an SPF record triggers a lookup. Here is what counts and what does not:
| Term | Counts as a lookup? |
|---|---|
| include: | Yes (1 for the include itself, plus every counted term inside the included record) |
| a: | Yes |
| mx: | Yes (1 for the MX query; RFC 7208 additionally caps the A/AAAA lookups for the listed MX hosts at 10 per mx: mechanism, and some checkers count those hosts too) |
| ptr: | Yes (RFC 7208 recommends against using it at all) |
| exists: | Yes |
| redirect= | Yes (plus every counted term in the target record) |
| ip4: | No |
| ip6: | No |
| all | No |
| exp= | No |
The critical detail: include: mechanisms are recursive. If include:_spf.google.com itself contains 3 more include: directives, that is 4 lookups total, not 1.
How to Count Your Current Lookups
Run this command to see your SPF record:
dig +short TXT yourdomain.com | grep -i 'v=spf1'
Then check each include: recursively. For example, a common configuration:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:_spf.salesforce.com include:spf.protection.outlook.com -all
Here is how the lookups add up:
| Mechanism | Direct lookups | Nested lookups | Total |
|---|---|---|---|
| include:_spf.google.com | 1 | 3 | 4 |
| include:sendgrid.net | 1 | 1 | 2 |
| include:mailgun.org | 1 | 1 | 2 |
| include:_spf.salesforce.com | 1 | 1 | 2 |
| include:spf.protection.outlook.com | 1 | 1 | 2 |
| Total | 5 | 7 | 12 |
This exceeds the 10-lookup limit by 2, causing a PermError. The nested counts are a snapshot of each provider's record at one point in time and change without notice, so recount your own includes rather than reusing these numbers.
How to Fix It
Option 1: Replace include: with ip4: / ip6: Addresses
For services that publish stable IP ranges, replace the include: with the ranges themselves. In the record below the three includes after SendGrid have been replaced by a single ip4: term (198.51.100.0/24 is a documentation range standing in for the provider's published block), taking the record from 12 lookups to 6:
v=spf1 ip4:198.51.100.0/24 include:_spf.google.com include:sendgrid.net -all
Warning: IP addresses change. If a provider adds or rotates ranges, mail sent from the new addresses will fail SPF, and nothing on your side will warn you. Only do this for providers that document stable ranges, and re-check the published list on a schedule.
Option 2: Use an SPF Flattening Service
SPF flattening tools resolve every include: and redirect= into the underlying ip4:/ip6: terms automatically and keep the result updated. This turns a 12-lookup record into a 0-lookup record made only of ip4:/ip6: entries. The cost is size: each flattened range adds roughly 20 octets, so a long list of providers can run into the 255-octet-per-string and 450-octet record-size limits discussed in the FAQ.
The tradeoff is that you depend on the flattening service to keep your record current when providers change IPs, and whoever maintains that record (via a CNAME or delegated update access) can change who is allowed to send mail as your domain. Treat that access like any other credential.
Option 3: Move Sending Services to Subdomains
This is often the cleanest solution. Instead of sending all email from yourdomain.com, use subdomains for different services:
marketing.yourdomain.com → SendGrid
support.yourdomain.com → Zendesk
mail.yourdomain.com → Mailgun
yourdomain.com → Google Workspace (primary email)
Each subdomain gets its own SPF record with its own 10-lookup budget, and your root domain stays well within the limit. The service must then be configured to use the subdomain as its envelope sender (MAIL FROM / Return-Path), because that is the domain SPF is checked against; with DMARC's default relaxed alignment, an SPF pass for marketing.yourdomain.com still aligns with a From: header at yourdomain.com.
Important: a subdomain without its own _dmarc record inherits your root domain's DMARC policy (p=, or sp= if you set a separate subdomain policy), so make sure that policy is what you want for mail from these services. Publish a per-subdomain _dmarc record only when a subdomain needs a different policy or its own reporting addresses.
Option 4: Remove Unused Services
Audit your SPF record. Are all those include: directives still active? Common culprits:
- Old marketing platforms you no longer use
- CRM tools from a previous vendor
- Legacy transactional email services
- Test accounts that were never removed
Removing one unnecessary include: can free up 2–4 lookups.
How Do I Know If I Have a PermError?
Check your DMARC aggregate reports: a record whose auth_results spf result is permerror means that receiver could not evaluate your record at all. The Authentication-Results header on a message you sent to a mailbox you control (Gmail's "Show original" exposes it) carries the same signal as spf=permerror. To inspect the record itself:
dig +short TXT yourdomain.com | grep -i 'v=spf1'
Then use an SPF checker to validate the syntax and count the lookups, or count them yourself by following every include: and redirect= to the records it pulls in.
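The two places this section tells you to look, aggregate reports and the Authentication-Results header, are both machine-readable, and an added example (not code from the page) of pulling the permerror signal out of each follows. The RUA body is constructed to the RFC 7489 Appendix C schema with documentation-space addresses and invented counts; the header value and its "(too many DNS lookups)" comment are likewise constructed, since the comment text is receiver-specific.

```python
"""Pull SPF permerror out of a DMARC aggregate (RUA) report and an Authentication-Results header."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict

# Constructed RUA body (already un-gzipped) in the RFC 7489 Appendix C layout. Addresses are
# documentation space and counts are invented; three sources, two of them hitting permerror.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>permerror</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>permerror</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

# Constructed Authentication-Results value of the kind a receiver stamps on inbound mail.
SAMPLE_AUTH_RESULTS = ("Authentication-Results: mx.receiver.example; "
                       "spf=permerror (too many DNS lookups) smtp.mailfrom=example.com; "
                       "dkim=pass header.d=example.com; "
                       "dmarc=pass (p=quarantine) header.from=example.com")


def spf_permerror_by_source(rua_xml: str) -> Dict[str, int]:
    """Map source IP -> message count for records whose SPF auth result is permerror.
    Reports come from third parties: in production parse them with defusedxml, not bare ET."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in ET.fromstring(rua_xml).iter("record"):
        results = [s.findtext("result", "").lower() for s in rec.findall("auth_results/spf")]
        if "permerror" in results:
            totals[rec.findtext("row/source_ip", "")] += int(rec.findtext("row/count", "0"))
    return dict(totals)


def dmarc_rescued_by_dkim(rua_xml: str) -> int:
    """Messages where SPF was permerror but aligned DKIM still passed DMARC (the FAQ case).
    These are one DKIM problem away from quarantine or reject."""
    n = 0
    for rec in ET.fromstring(rua_xml).iter("record"):
        spf = [s.findtext("result", "").lower() for s in rec.findall("auth_results/spf")]
        if "permerror" in spf and rec.findtext("row/policy_evaluated/dkim") == "pass":
            n += int(rec.findtext("row/count", "0"))
    return n


def parse_auth_results(header: str) -> Dict[str, str]:
    """Return {method: result} from an Authentication-Results header, e.g. {'spf': 'permerror'}.
    Clauses are ';'-separated after the authserv-id; a ';' inside a comment would confuse this."""
    value = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    out: Dict[str, str] = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id (the receiver)
        method, _, rest = clause.strip().partition("=")
        if method and rest:
            out[method.strip().lower()] = rest.split()[0].lower()
    return out


if __name__ == "__main__":
    print(spf_permerror_by_source(SAMPLE_RUA))
    print(dmarc_rescued_by_dkim(SAMPLE_RUA))
    print(parse_auth_results(SAMPLE_AUTH_RESULTS))
```

Real reports arrive as gzip or zip attachments and need decompressing first; the count by source IP then tells you which sending service to look at, and the "rescued by DKIM" figure is the volume you would lose the day DKIM hiccups while the PermError is still in place.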
FAQ
Does the 10 lookup limit apply to subdomains separately?
Yes. Each domain and subdomain has its own independent 10-lookup budget. This is why moving services to subdomains is an effective fix.
What happens when SPF returns a PermError?
The SPF check produces no authorization result: permerror is neither pass nor fail, it means the record could not be evaluated. DMARC only credits an SPF pass, so a PermError contributes nothing, and DMARC passes only if an aligned DKIM signature verifies.
Can I split my SPF record into multiple TXT records?
No. RFC 7208, Section 4.5 allows exactly one record beginning with v=spf1 per domain; if a receiver finds two, the result is PermError for the domain, not two records' worth of capacity. (One record may be published as several 255-octet strings inside a single TXT record; that is different and is allowed.) If you need more capacity, use subdomains or flatten your record.
Do ip4: and ip6: entries have a limit?
There is no lookup limit on ip4:/ip6: terms, but the record still has to fit in DNS. A single TXT character-string holds at most 255 octets; a longer record is published as several strings inside one TXT record, which receivers concatenate without adding spaces (RFC 7208, Section 3.3). RFC 7208, Section 3.4 also advises keeping the whole record under about 450 octets so the answer fits in a 512-octet UDP reply without truncation. An ip4: range costs about 20 octets (ip6: ranges more), so a 450-octet record holds roughly 20 ip4: ranges before you have to split it or move to subdomains.
Will Google and Yahoo reject emails with SPF PermError?
Since their 2024 sender requirements, both Google and Yahoo require every sender to authenticate with SPF or DKIM, and bulk senders to have both plus a DMARC policy with alignment. A PermError means SPF is not valid, so such mail rides on DKIM alone; if DKIM also fails (a key rotation, a forwarding hop that alters the body), the message arrives unauthenticated. Fix the PermError so both authentication paths work.