SPF Exceeds DNS Lookup Limit
The SPF record exceeds the 10 DNS lookup limit defined in RFC 7208.
Severity: Critical
What is SPF?
SPF (Sender Policy Framework) is a DNS-based email authentication system. Domain owners publish a TXT record listing which servers are allowed to send email for their domain. Receiving mail servers check this record to verify the sender is authorized.
What is the DNS lookup limit?
When a mail server evaluates an SPF record, it needs to perform DNS lookups for certain mechanisms and modifiers: include:, a:, mx:, ptr:, exists:, and redirect=. RFC 7208 (the SPF specification) limits the total number of these DNS lookups to 10 per SPF evaluation.
This limit exists to prevent SPF evaluation from becoming a denial-of-service vector — without it, a malicious SPF record could trigger hundreds of DNS queries on every incoming email.
Why this is a problem
When your SPF record exceeds 10 DNS lookups, receiving mail servers are required to return a "permerror" (permanent error) result. This means:
- SPF evaluation fails entirely — it's as if you have no SPF record at all
- Your domain loses SPF protection against spoofing
- Emails may be rejected or flagged as suspicious by strict receivers
- DMARC policies that rely on SPF alignment will also fail
What you should do
- Count the DNS lookups in your SPF record — each include:, a:, mx:, ptr:, redirect=, and exists: counts as one lookup (nested includes count too)
- Replace include: mechanisms with ip4: or ip6: ranges where possible, since IP mechanisms don't count toward the limit
- Remove unused or redundant include entries
- Consider using SPF flattening services that resolve includes to IP addresses
- Consolidate sending services where possible to reduce the number of includes
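As an added example (not part of the original page), the following Python script performs the first step above: it counts the DNS lookups an SPF record incurs, following nested include: and redirect= targets the way a receiving server would, and reports whether the total exceeds the RFC 7208 limit. It runs against a constructed in-memory zone, so every domain name and address in it is invented; in real use the dict would be replaced by TXT lookups through a resolver library. The zone contains the same policy twice, once built from includes and once flattened to ip4:/ip6: ranges, so the effect of the second step above is visible in the count.

```python
# Added example, not from the original page: count the DNS lookups an SPF record
# incurs, following nested include: and redirect= targets. The zone below is
# constructed for this example; swap the dict for real TXT lookups in practice.
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed sample zone (hypothetical domains and addresses).
FAKE_TXT = {
    "example.com": "v=spf1 include:_spf.mailer-a.example include:_spf.crm.example mx a ip4:198.51.100.0/24 -all",
    "_spf.mailer-a.example": "v=spf1 include:pool1.mailer-a.example include:pool2.mailer-a.example ~all",
    "pool1.mailer-a.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "pool2.mailer-a.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "_spf.crm.example": "v=spf1 include:eu.crm.example include:us.crm.example redirect=fallback.crm.example",
    "eu.crm.example": "v=spf1 a:eu-out.crm.example mx:crm.example exists:%{i}.chk.crm.example ~all",
    "us.crm.example": "v=spf1 ptr:crm.example ip6:2001:db8::/32 ~all",
    "fallback.crm.example": "v=spf1 a -all",
    # The same policy flattened: includes resolved to address ranges up front.
    "flat.example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 mx a ip6:2001:db8::/32 -all",
}


class SpfPermError(Exception):
    """Conditions RFC 7208 treats as permerror: missing record, include loop."""


_MODIFIER = re.compile(r"([a-z]+)=(.*)", re.I)
_MECHANISM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:/](.*))?", re.I)
_ALL = re.compile(r"[+\-~?]?all", re.I)


def lookup_charges(domain, txt=FAKE_TXT, _path=()):
    """Return one (domain, term) pair per DNS lookup charged while evaluating
    `domain`'s record. Lookups made inside an include: or redirect= target are
    charged to the top-level evaluation, which is why nesting adds up."""
    if domain in _path:
        raise SpfPermError(f"include/redirect loop via {domain}")
    record = txt.get(domain)
    if record is None:
        raise SpfPermError(f"no SPF record for {domain}")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SpfPermError(f"{domain}: record does not start with v=spf1")
    terms = terms[1:]
    has_all = any(_ALL.fullmatch(t) for t in terms)
    charges = []
    for term in terms:
        mod = _MODIFIER.fullmatch(term)
        if mod:
            # redirect= costs one lookup but is ignored when an "all" mechanism
            # is present (RFC 7208 section 6.1); exp= is not counted at all.
            if mod.group(1).lower() == "redirect" and not has_all:
                charges.append((domain, term))
                charges += lookup_charges(mod.group(2), txt, _path + (domain,))
            continue
        mech = _MECHANISM.fullmatch(term)
        if not mech:
            raise SpfPermError(f"{domain}: unparsable term {term!r}")
        name, arg = mech.group(1).lower(), mech.group(2)
        if name == "include":
            charges.append((domain, term))
            charges += lookup_charges(arg, txt, _path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            # ip4:, ip6: and all cost nothing; these four each cost one lookup.
            charges.append((domain, term))
    return charges


def evaluate(domain, txt=FAKE_TXT):
    """Summarise the lookup count and whether a receiver would return permerror."""
    charges = lookup_charges(domain, txt)
    return {
        "lookups": len(charges),
        "permerror": len(charges) > LOOKUP_LIMIT,
        "charges": charges,
    }


if __name__ == "__main__":
    for name in ("example.com", "flat.example.com"):
        result = evaluate(name)
        print(f"{name}: {result['lookups']} lookups, permerror={result['permerror']}")
        for src, term in result["charges"]:
            print(f"  {src:28} {term}")
```

The charges list shows which include subtree is responsible for most of the count, which is where removing an entry or replacing it with ip4:/ip6: ranges pays off; in the constructed zone the include-based record costs 14 lookups and the flattened one costs 2. A flattened record only stays correct while the provider's addresses are unchanged, so re-run the count and refresh the ranges whenever a sending service is added or changed.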