What is the 10 DNS lookup limit?

During SPF check, every time an email is sent from your domain, your recipient’s email server performs DNS query requests, also known as DNS lookups to check the presence of authorized IP addresses in your DNS and match them to the ones in the received email’s return-path header. However, RFC limits the number of DNS lookups to 10. This is known as the 10 DNS lookup limit.

Am I exceeding SPF Too Many DNS Lookups limit?

If you are worried about exceeding the lookup limit for SPF, you can check your record instantly using our SPF record checker tool.

Fix SPF Permerror: Overcome SPF Too Many DNS Lookups Limit

Maitham Al Lawati

1 year ago

SPF Permerror - SPF Too many DNS lookups

Sender Policy Framework (SPF) is an email authentication method that helps protect your domain from spoofing. But sometimes, you might run into an error called SPF Permerror – also known as an SPF permanent error- usually caused by too many DNS lookups in your SPF record.

Why does this matter? Because if your SPF record breaks, your legitimate emails might land in spam folders or get rejected entirely. This can also cause DMARC to fail, affecting your domain’s overall email security and deliverability.

Hit the 10-lookup limit? Here’s what to do. In this blog, we’ll explain what causes this error and walk you through simple ways to fix it.

Key Takeaways

SPF Permerror indicates that there is a fundamental problem with a domain’s SPF record, preventing accurate evaluation.
Exceeding the 10 DNS lookup limit can cause severe issues, such as email rejection or classification as spam.
Syntax errors in the SPF record can lead to Permerror, necessitating careful formatting and verification.
Oversized SPF records can exceed established character limits, contributing to deliverability issues and potential SPF errors.
Utilizing SPF flattening tools can help optimize records to prevent Permerrors and enhance email authentication.

What is SPF Permerror?

An SPF Permerror is a permanent error in your SPF record, meaning there’s something wrong with it that stops it from working.

A Permerror result is returned by receiving mail servers when your SPF record has a critical issue that makes it impossible to evaluate, such as incorrect syntax, too many DNS lookups (over the 10-limit), or invalid mechanisms. Unlike a regular SPF “fail” (which means an email didn’t pass authentication), a Permerror indicates that the SPF record itself is broken or misconfigured. This not only affects deliverability but can also weaken your DMARC protection if SPF is the only mechanism you’re using to align your email.

Key Differences: SPF Fail Vs SPF Permerror

	SPF Fail	SPF Permerror
What it means	The SPF record was found and evaluated, but the sender is not authorized	The SPF record could not be evaluated due to an error or misconfiguration
Cause	Sender IP not listed in the domain’s SPF record	Broken SPF syntax, too many DNS lookups, or other critical issues
Issue Type	Temporary issue (email not authorized)	Permanent error (SPF record is invalid or unreadable)
Impact	Email may likely be rejected or marked as spam	Email may be rejected or pass through without SPF validation
DMARC alignment	Can cause DMARC fail if SPF is not aligned	Can break DMARC, especially if SPF is your only aligned mechanism
Fix	Go through your sender list to authorize legitimate senders	Requires fixing the SPF record to restore functionality

Why Does SPF Have a 10 DNS Lookup Limit?

You might think the 10 DNS lookup limit in SPF is restrictive, but it’s there for a very good reason.

According to RFC 7208, this limit exists primarily for security and performance purposes. Specifically, it helps protect receiving mail servers from Denial-of-Service (DoS) attacks caused by excessive DNS queries.

Here’s how it could be abused:

A threat actor might create a malicious SPF record that triggers hundreds of DNS lookups by referencing multiple domains or includes. This could be tied to a spoofed domain pretending to be a trusted company. Every time a receiving server tries to validate such an email, it would be forced to resolve all those lookups, slowing down the server or even crashing it.

By capping DNS lookups at 10, SPF helps:

Maintain email processing performance
Protect against resource exhaustion attacks
Improve anti-spoofing reliability by encouraging better SPF record design

What Causes SPF Permerror?

An SPF Permerror can be triggered by several issues, including excessive DNS lookups, syntax errors, misconfigured records, or even overly large SPF entries. Let’s break down the most common causes:

1. SPF Syntax Errors

Incorrect formatting or invalid syntax in the SPF record can lead to a Permerror, preventing proper evaluation.

Common causes:

Missing or misplaced characters (e.g., quotes ” or colons 🙂
Invalid or malformed mechanisms or qualifiers (e.g., using include_spf.example.com instead of include:spf.example.com)
Incorrect macro definitions or unsupported macros

Examples:

❌ v=spf1 include_spf.example.com -all → missing colon in include

❌ v=spf1 +mx a:mail.example.com -all → + qualifier is unnecessary and often misused

2. DNS Configuration Issues

These involve problems with the DNS setup related to your SPF record.

Common issues:

SPF record pointing to non-existent or misconfigured domains
Missing SPF records on referenced domains
Invalid or deprecated DNS record types (e.g., using SPF-type records instead of TXT)

Example:

Your domain references include:spf.partner.com, but spf.partner.com doesn’t exist or lacks a TXT record, leading to SPF evaluation failure.

3. Too Many DNS Lookups

SPF allows only 10 DNS lookups during record evaluation, as defined in RFC 7208, Section 4.6.4. This is a security measure to prevent abuse (e.g., Denial-of-Service attacks) and keep evaluations lightweight.

What counts as a lookup:

include
a, mx, ptr
exists, redirect

Void lookups (queries that return no DNS data) are also limited to 2.

Common cause:

An SPF record with many include: mechanisms or nested includes that collectively exceed the 10-lookup limit.

4. Circular Includes

Circular includes occur when SPF records refer back to each other in a loop, creating infinite resolution cycles.

Example:

Domain A: v=spf1 include:domainB.com -all
Domain B: v=spf1 include:domainA.com -all

This circular reference causes SPF evaluation to fail, often resulting in a Permerror.

5. Invalid Mechanisms or Qualifiers

Using unrecognized or deprecated mechanisms in your SPF record can result in a Permerror.

Common mistakes:

Typos like ip6v instead of ip6
Unsupported mechanisms such as all:, ptr: used incorrectly
Using + or ? qualifiers unnecessarily or incorrectly

Example:

❌ v=spf1 ptr:mail.example.com -all → discouraged mechanism
❌ v=spf1 ip4v:192.0.2.0/24 -all → invalid mechanism (ip4v should be ip4)

6. Oversized SPF Records

SPF records must adhere to size limitations:

Each string in a TXT record must be ≤ 255 characters
Total TXT record length should not exceed 512 bytes

Causes of oversized records:

Too many IPs, includes, or mechanisms
Duplicated or unnecessary entries

Example:

A record like v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:spf1.example.com include:spf2.example.com include:spf3.example.com include:spf4.example.com -all may exceed DNS limits or size constraints.

How SPF Lookup Overload Breaks Your Emails

When your SPF record triggers more than 10 DNS lookups, it can seriously disrupt your email delivery. Here’s what can happen:

Delivery delays: Email servers may slow down processing while trying to evaluate your SPF record, causing delivery delays.
Timeout errors: Too many lookups can lead to timeouts during SPF evaluation, causing messages to fail silently or get dropped.
Rejected emails: Some receiving servers may outright reject or flag emails with SPF Permerror to protect their infrastructure.
DMARC fails: If your DMARC policy relies on SPF alignment, a failed SPF check can break DMARC and reduce your domain’s trustworthiness.

How to Fix SPF Permerror (Step-by-Step)

Manual Fixes

Remove Unused include Mechanisms

Go through each include: in your SPF record and check if it’s still necessary. If it’s linked to a service you no longer use, remove it.

Replace include with IP Addresses (if static)

If an include: just points to a static IP or small IP range, replace it directly with an ip4: or ip6: mechanism to avoid a DNS lookup.

Eliminate PTR Mechanisms

PTR is discouraged by RFC 7208 due to performance and reliability concerns. Remove it entirely to reduce lookups and avoid errors.

Consolidate include Domains

Some services (e.g., email platforms or providers) offer multiple SPF entries. Check their documentation, as often they provide a single consolidated include you can use instead of multiple ones.

Use ip4 / ip6 Where Possible

If you know the IPs of your sending servers, add them directly using ip4: or ip6: instead of relying on mechanisms like MX or A that consume lookups.

Best Practice: Use an Automatic SPF Flattening Tool

Automatic SPF flattening is the process of dynamically converting multiple “include” statements and other DNS-based lookups into a simplified list of IP addresses. This approach reduces the number of DNS lookups during SPF checks.

Manual SPF flattening may seem like a quick fix, but it comes with serious risks. If your email service provider changes their sending IPs, your SPF record won’t reflect the change unless you update it manually. Hence it requires constant monitoring and manual edits to stay compliant. An outdated IP in your flattened record can cause SPF to fail, affecting email deliverability and DMARC alignment.

PowerSPF is our hosted SPF flattening and optimization tool that automates the entire process, so you never have to worry about lookup limits or IP changes again.

Auto-Updates When Vendors Change IPs: We keep your SPF record updated in real time.
One-Time Setup: Set it once and forget it. No ongoing maintenance.
Lookup Count Stays Low: Your SPF record stays lean and compliant with RFC guidelines and restrictions.

FAQs

Can SPF exceed 10 lookups if needed?

No, SPF is strictly limited to 10 DNS lookups during evaluation, as defined in RFC 7208. Exceeding this limit causes a Permerror, and your emails may be rejected or marked as spam.

Can I have multiple SPF records?

No. You should setup only 1 SPF record per domain that authorizes all your sending sources for that domain. Multiple records can invalidate all of them, causing errors.

What’s the safest way to fix Permerror?

The safest way to fix Permerror is to use a hosted SPF solution like PowerSPF to dynamically optimize SPF, with expert support available 24/7.

Is flattening safe for dynamic IPs?

If your provider uses dynamic IPs, manual flattening can quickly become outdated, causing SPF failures. For dynamic or frequently changing IPs, the safest option is to use a hosted solution which automatically fetches and updates IPs on your behalf.

Final Thoughts

SPF Permerror can impact your deliverability, domain health, and security. Simple efforts like removing redundant mechanisms, replacing mechanisms with IP ranges, and monitoring deliverability can go a long way.

And for organizations who wish to avoid the hassle and save time, there are hosted solutions like PowerSPF. Interested in learning how it works and how it can be transformative for your authentication posture? Schedule a free demo today with one of our in-house experts!

About
Latest Posts

Maitham Al Lawati

Maitham is a tech entrepreneur, cybersecurity expert, CEO and Founder of PowerDMARC with 15+ years of industry experience. Maitham holds a Global MBA from the University of Manchester and various professional certifications including CISSP, CISM, CRISC, and ISC2 CCSP.

Latest posts by Maitham Al Lawati (see all)

What Is DMARC? A Simple Guide to Email Protection - July 11, 2025
How to Read DMARC Reports: Types, Tools, and Tips - July 10, 2025
How to Create and Publish a DMARC Record - March 3, 2025