Blog

SPF Too Many DNS Lookups — How to Find and Fix the Problem

March 31, 2026

Your SPF record looked fine last year. You added a new email tool. Now emails are bouncing with SPF PermError.

The 10-lookup limit is the most common silent SPF failure. You don't get a warning when you exceed it. Emails just start failing.

Why 10 Lookups Disappear Faster Than You Think

Every include: in your SPF record costs one lookup. But most providers nest their own includes inside.

include:sendgrid.net isn't 1 lookup. It's 3 or 4 — because SendGrid's record has its own includes.

Add Google Workspace + SendGrid + HubSpot + a CRM and you're at 12+ lookups before you notice.

How to Count Your Lookups

Run DNS Preflight on your domain. Expand the SPF lookup tree — it shows every include recursively with a running total.

v=spf1 include:_spf.google.com      ← +1
└─ _netblocks.google.com   ← +1
include:sendgrid.net         ← +1
└─ u123.wl.sendgrid.net   ← +1
include:spf.hubspot.com      ← +1
└─ spf1.hubspot.com        ← +1
Total: 6 — you're getting close

What Counts Toward the Limit

Counts (each = 1 lookup):

include:    a:    mx:    ptr:    exists:

Does NOT count (0 lookups):

ip4:    ip6:    ~all    -all    +all

The Fix — Replace includes with IPs

For high-lookup providers, replace the include: with the actual IP addresses they resolve to.

Before:

v=spf1 include:sendgrid.net ~all

After:

v=spf1 ip4:167.89.0.0/17
ip4:198.37.144.0/20 ~all

ip4: costs zero lookups. Problem solved for that provider.

Downside: you have to update when providers change their IPs. Set a calendar reminder every 6 months.

The Better Fix — Fewer Senders

The cleanest solution is routing email through fewer services.

Two tools sending email = two includes. Route both through one provider = one include. Fewer senders = fewer lookups.

After Fixing — Verify

Run DNS Preflight again. The SPF tree should show total lookups under 10 with no PermError flag.