How many SPF DNS lookups are allowed?

Question

The SPF specification (RFC 7208) limits DNS lookups to 10 per SPF evaluation. This is one of the most common causes of SPF failures.

**What counts as a lookup:**
- `include:` — 1 lookup (plus any lookups in the included record)
- `a:` — 1 lookup
- `mx:` — 1 lookup (plus 1 per MX record for A resolution)
- `redirect=` — 1 lookup
- `exists:` — 1 lookup

**What does NOT count:**
- `ip4:` — no lookup needed
- `ip6:` — no lookup needed
- `all` — no lookup needed

**Common services and their lookup cost:**
| Service | Typical lookups |
|---------|----------------|
| Google Workspace | 3-4 lookups |
| Microsoft 365 | 2-3 lookups |
| Mailchimp | 1 lookup |
| SendGrid | 1 lookup |
| Salesforce | 2-3 lookups |

**Example problem:**
Google Workspace (4) + Microsoft 365 (3) + SendGrid (1) + Mailchimp (1) + Salesforce (2) = **11 lookups → SPF FAILS**

**How to fix:**
1. Use `ip4:` and `ip6:` instead of `include:` where possible
2. Remove unused services from your SPF record
3. Use SPF flattening (merge includes into IP addresses)
4. Consider separate sending domains for different services

Check your SPF lookup count: https://intodns.ai (scan your domain and look at the SPF section)
Generate an optimized SPF record: https://intodns.ai/tools/spf-generator

IntoDNS.AI · Accepted Answer

The SPF specification (RFC 7208) limits DNS lookups to 10 per SPF evaluation. This is one of the most common causes of SPF failures.

**What counts as a lookup:**
- `include:` — 1 lookup (plus any lookups in the included record)
- `a:` — 1 lookup
- `mx:` — 1 lookup (plus 1 per MX record for A resolution)
- `redirect=` — 1 lookup
- `exists:` — 1 lookup

**What does NOT count:**
- `ip4:` — no lookup needed
- `ip6:` — no lookup needed
- `all` — no lookup needed

**Common services and their lookup cost:**
| Service | Typical lookups |
|---------|----------------|
| Google Workspace | 3-4 lookups |
| Microsoft 365 | 2-3 lookups |
| Mailchimp | 1 lookup |
| SendGrid | 1 lookup |
| Salesforce | 2-3 lookups |

**Example problem:**
Google Workspace (4) + Microsoft 365 (3) + SendGrid (1) + Mailchimp (1) + Salesforce (2) = **11 lookups → SPF FAILS**

**How to fix:**
1. Use `ip4:` and `ip6:` instead of `include:` where possible
2. Remove unused services from your SPF record
3. Use SPF flattening (merge includes into IP addresses)
4. Consider separate sending domains for different services

Check your SPF lookup count: https://intodns.ai (scan your domain and look at the SPF section)
Generate an optimized SPF record: https://intodns.ai/tools/spf-generator

How many SPF DNS lookups are allowed?

Detailed Answer

Check your domain now

Related Questions

How to setup an SPF record?

What is SPF, DKIM, and DMARC?

Why do my emails go to spam?