SPF Too Many DNS Lookups: What Does It Mean and How to Fix It
Quick Answer
Every DNS query made during an SPF check costs the validator (the recipient’s email system) resources such as bandwidth, CPU, and memory. A maximum of 10 DNS lookups is imposed to avoid unreasonable load on the validator. If an SPF record exceeds this limit, the validator returns the “SPF too many DNS lookups” error, technically called a ‘PermError’.
“From an engineering perspective, the 10-lookup limit is a resource protection mechanism, not a security feature,” says Adam Lundrigan, CTO of DuoCircle. “RFC 7208 caps lookups to prevent SPF evaluation from becoming a DNS amplification vector. But the practical effect is that any enterprise using more than 3-4 email services hits the wall. The fix is either flattening — which trades lookup count for record length — or macros, which delegate resolution entirely.”
“The 10-lookup limit is the single most common reason enterprise SPF records silently break,” says Brad Slavin, CEO of DuoCircle and founder of AutoSPF. “In our experience managing SPF for 2,000+ customer domains, the failure mode is always the same: a team adds a new SaaS tool, its include pushes the total past 10, and legitimate email starts failing — but nobody notices until a customer complains about missing invoices or password resets.”
Per RFC 7208, SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check — exceeding either limit produces a PermError that fails authentication for every message from the domain.
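The following is an added example, not code from the original article or from AutoSPF. It counts the lookup-causing terms RFC 7208 names (include, a, mx, ptr, exists, redirect) recursively through nested includes, and compares a record against a variant where one include is replaced by ip4 ranges. The zone contents, domain names, and the helper names `count_lookups` and `check` are constructed for illustration; the count is the worst case, where no earlier mechanism matches.

```python
import re

# Constructed sample data: domain -> SPF TXT record (all names are made up).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailhost.example "
                   "include:crm.example include:news.example ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a mx include:_spf.crm.example ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "news.example": "v=spf1 exists:%{i}.news.example "
                    "include:relay.news.example ~all",
    "relay.news.example": "v=spf1 a ip6:2001:db8::/32 ~all",
}
# Same sender set, with the mailhost include replaced by its ip4 ranges.
FLATTENED = ("v=spf1 mx ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
             "include:crm.example include:news.example ~all")

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10  # RFC 7208 cap on lookup-causing terms per SPF check


def count_lookups(record, zone, depth=0):
    """Worst-case count of lookup-causing terms needed to evaluate record."""
    if depth > 20:  # guard against include/redirect loops
        raise ValueError("include/redirect loop")
    total = 0
    for term in record.split()[1:]:           # skip the "v=spf1" tag
        term = term.lstrip("+-~?")            # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue                          # ip4, ip6 and all cost nothing
        total += 1
        if name in ("include", "redirect"):   # nested records count as well
            child = zone.get(term[len(name) + 1:])
            if child:
                total += count_lookups(child, zone, depth + 1)
    return total


def check(record, zone):
    n = count_lookups(record, zone)
    return n, ("permerror" if n > LIMIT else "within limit")


if __name__ == "__main__":
    print("original :", check(ZONE["example.com"], ZONE))
    print("flattened:", check(FLATTENED, ZONE))
```

The top-level record shows only one mx and three includes, yet the nested records bring the total over the limit.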
Causes of SPF Too Many DNS Lookup Errors
Domain administrators or owners run into the SPF PermError for too many DNS lookups through reckless use of the ‘include’ mechanism or the ‘redirect’ modifier. The error also lowers the email deliverability rate, which hampers PR, marketing, and other email-based campaigns.
What Happens if SPF Record DNS Lookup Limit is Exceeded?
When the SPF DNS lookup limit is exceeded, emails sent from that domain don’t reach the desired recipients’ inboxes. Gmail sends such emails to the spam folder, and Microsoft Office 365 blocks these domains automatically if they fail SPF authentication.
How to Fix SPF Too Many DNS Lookups?
Use ip4 and ip6
The ip4 and ip6 mechanisms list static IP ranges directly in the SPF record, so evaluating them requires no DNS lookup. Using them also reduces the number of include statements.
Remove ptr and mx Mechanisms
The ptr and mx mechanisms require additional DNS lookups, so using them brings the record to the limit quickly.
Remove include Statements
The include statement allows third-party vendors to send emails using your domain. You should remove include statements that direct SPF checks to senders who no longer send emails on your behalf. This reduces the likelihood of hitting the SPF too many DNS lookups error.
SPF Flattening
AutoSPF’s automatic SPF flattening service replaces all the domains in an SPF record with their IP addresses so that those DNS lookups no longer have to be performed. Manual SPF flattening, however, requires constant monitoring and careful configuration, which is difficult to maintain.
That’s why we at AutoSPF offer SPF flattening and notification services for your email-sending domain, so that you never face SPF errors for too many DNS lookups.