Blog

The SPF Lookup Limit: Why You Hit 10 and How to Stay Under It

March 19, 2026

You didn't change anything. Your emails just started bouncing.

The SPF lookup limit is one of the most common causes of silent email failure. You add one more email service — a CRM, a marketing tool, a transactional sender — and suddenly you're over 10 lookups.

Receivers return PermError. Email gets rejected or lands in spam. Nothing in your dashboard tells you why.

Why 10 Lookups Is Less Than You Think

Every include: in your SPF record triggers a DNS lookup. And most providers nest their own includes inside.

include:sendgrid.net doesn't use 1 lookup. It uses 3 or 4 — because SendGrid's SPF record has its own includes.

Add Google Workspace, SendGrid, HubSpot, Mailgun, and a CRM — and you're at 12-15 lookups before you know it.

How to Check Your Count

Run DNS Preflight and expand the SPF lookup tree. It shows every include recursively with a running count.

v=spf1 include:amazonses.com          ← +1
include:_spf.google.com        ← +1
└─ include:_netblocks.google ← +1
include:sendgrid.net           ← +1
└─ include:u123.wl.sendgrid  ← +1
include:spf.hubspot.com        ← +1
Total: 8 lookups (you're getting close)

The Fix — SPF Flattening

Replace include: statements with the actual IP addresses they resolve to.

Before:

v=spf1 include:sendgrid.net ~all

After:

v=spf1 ip4:167.89.0.0/17
ip4:198.37.144.0/20 ~all

ip4: entries use zero lookups. Problem solved.

The downside: you have to update your record when providers change their IPs. Set a calendar reminder every 6 months.

The Better Answer — Fewer Senders

The cleanest fix is sending through fewer services. If two tools both send email, route both through one provider.

Fewer senders = fewer includes = fewer lookups = no problem.

What Counts Toward the Limit

include:, a:, mx:, ptr:, exists:, redirect= → each counts as one lookup

ip4:, ip6:, ~all, -all, +all → zero lookups