SPF fix
How to Fix SPF PermError: Too Many DNS Lookups
This guide helps you fix SPF PermError from too many DNS hops: count lookups, then flatten or trim until you’re under the limit.
Why you hit the wall
Receivers walk your SPF tree and stop at 10 DNS lookups — include:, a:, mx:, nested stuff all counts. Blow past 10 and they throw PermError and may fail you. RFC 7208 is strict here. Peek at SPF record if you want the full picture.
Count lookups before you panic-edit
Open DNS Preflight. Expand the SPF tree — it shows who ate each hop and the running total.
Flatten when you’re over budget
Swap fat includes for literal IPs when you must. Example:
Heads up: IPs drift. You’ll touch DNS again when SendGrid or Google reshuffles ranges — or drop a vendor and stay under 10 without flattening.
Step-by-step fix
Count SPF lookups in your browser
Open DNS Preflight →FAQ
What is SPF PermError?
Your record is broken or too chatty — receivers bail with PermError and often treat it like a hard fail.
How do I count my SPF lookups?
Use our SPF tree in DNS Preflight — it walks includes recursively and prints the total at the bottom.
What is SPF flattening?
You paste real IPs instead of include: chains so those hops cost zero lookups — you babysit the list when vendors move subnets.
Which mechanisms count toward the 10-lookup limit?
include:, a:, mx:, ptr:, exists:, and redirect= each burn one lookup. ip4:, ip6:, and all are free.
What happens if I exceed 10 SPF lookups?
PermError. Inboxes may junk or drop mail depending on DMARC and how cranky the receiver feels.