The SPF 10-lookup limit, and how to beat it

SPF tells the world which servers are allowed to send email for your domain. It works – until it doesn’t. Buried in the spec is a hard rule: an SPF record may trigger no more than 10 DNS lookups when it’s evaluated. Exceed that, and SPF returns a permerror – which many receivers treat as a failure.

Why it sneaks up on you

Every include: in your record – Microsoft 365, Google Workspace, your CRM, your marketing tool, your helpdesk – costs at least one lookup, and many includes contain further includes. You don’t hit the limit on day one; you hit it the day you add the sender that tips you over ten. Nothing announces it. Your SPF just starts failing, your DMARC alignment slips, and legitimate mail starts landing in spam.

How to fix it properly

The durable fix is SPF flattening: resolving all those includes down to the underlying IP addresses, so your record stays comfortably under the limit. The catch is that those IPs change – cloud providers add and remove servers constantly – so a record you flatten by hand today is stale next month.

That’s why DMARCER offers hosted SPF: you point a single include at us, and we keep your record flat and current automatically, re-resolving as your senders change – reversibly, with a preview before anything goes live.