How to fix SPF permerror (too many DNS lookups)?

Question

SPF permerror occurs when your SPF record exceeds the 10 DNS lookup limit defined in RFC 7208. This causes SPF to fail completely.

**Diagnosing the problem:**
Scan your domain at https://intodns.ai — the SPF section shows your current lookup count and which includes consume the most lookups.

**Fix strategies (easiest to hardest):**

**1. Remove unused services**
Check each `include:` — are you still using that service? Remove old ESPs, testing services, or deprecated platforms.

**2. Replace includes with IP addresses**
Instead of `include:sendgrid.net`, use the actual IP ranges:
```
# Before (1+ lookups):
include:sendgrid.net

# After (0 lookups):
ip4:149.72.0.0/16 ip4:159.183.0.0/16
```
Warning: IPs may change — check provider documentation.

**3. Use a subdomain for some services**
Send marketing email from marketing.example.com with its own SPF record:
```
marketing.example.com TXT "v=spf1 include:mailchimp.com include:sendgrid.net -all"
example.com TXT "v=spf1 include:_spf.google.com -all"
```

**4. SPF flattening**
Tools that automatically resolve includes to IPs and keep them updated. Be cautious — if IPs change and your flattened record is stale, legitimate email fails.

**Common service lookup costs:**
| Service | Lookups |
|---------|---------|
| Google Workspace | 4 |
| Microsoft 365 | 2-3 |
| Mailchimp | 1 |
| SendGrid | 1 |
| Amazon SES | 1 |
| HubSpot | 2 |
| Salesforce | 3 |

Generate an optimized SPF record: https://intodns.ai/tools/spf-generator

IntoDNS.AI · Accepted Answer

SPF permerror occurs when your SPF record exceeds the 10 DNS lookup limit defined in RFC 7208. This causes SPF to fail completely.

**Diagnosing the problem:**
Scan your domain at https://intodns.ai — the SPF section shows your current lookup count and which includes consume the most lookups.

**Fix strategies (easiest to hardest):**

**1. Remove unused services**
Check each `include:` — are you still using that service? Remove old ESPs, testing services, or deprecated platforms.

**2. Replace includes with IP addresses**
Instead of `include:sendgrid.net`, use the actual IP ranges:
```
# Before (1+ lookups):
include:sendgrid.net

# After (0 lookups):
ip4:149.72.0.0/16 ip4:159.183.0.0/16
```
Warning: IPs may change — check provider documentation.

**3. Use a subdomain for some services**
Send marketing email from marketing.example.com with its own SPF record:
```
marketing.example.com TXT "v=spf1 include:mailchimp.com include:sendgrid.net -all"
example.com TXT "v=spf1 include:_spf.google.com -all"
```

**4. SPF flattening**
Tools that automatically resolve includes to IPs and keep them updated. Be cautious — if IPs change and your flattened record is stale, legitimate email fails.

**Common service lookup costs:**
| Service | Lookups |
|---------|---------|
| Google Workspace | 4 |
| Microsoft 365 | 2-3 |
| Mailchimp | 1 |
| SendGrid | 1 |
| Amazon SES | 1 |
| HubSpot | 2 |
| Salesforce | 3 |

Generate an optimized SPF record: https://intodns.ai/tools/spf-generator

How to fix SPF permerror (too many DNS lookups)?

Detailed Answer

Check your domain now

Related Questions

How many SPF DNS lookups are allowed?

How to setup an SPF record?

What is SPF, DKIM, and DMARC?