Understanding SPF Flattening: Causes, Consequences, and Solutions

Ever get that email about SPF records and just kind of nod along? Yeah, me too sometimes. It’s one of those behind-the-scenes things that keeps your emails from ending up in the spam folder, but it can get pretty technical. One of the trickier parts is something called SPF flattening. It sounds complicated, but it's basically a way to manage how your email authentication works when you're using a lot of different services to send emails. Let's break down what SPF flattening is all about, why it happens, and what you can do about it.

Key Takeaways

SPF records have a limit of 10 DNS lookups. Going over this limit causes emails to fail authentication, often landing in spam or being rejected outright.
SPF flattening is a method to get around the 10-lookup limit by replacing 'include' directives with actual IP addresses. This makes the record longer but uses fewer lookups during evaluation.
While flattening can solve the immediate lookup problem, it makes records harder to manage because IP addresses change. This requires automation to keep the record up-to-date.
Before flattening, try simpler solutions like removing unused sender services or splitting email types across different subdomains. These are often less risky and easier to maintain.
If you do flatten your SPF record, you need a system in place to regularly check for IP address changes from your email providers. Without this, your emails could start failing authentication without you even knowing.

Understanding SPF Lookup Limits

Technical illustration of interconnected digital pathways.

The Sender Policy Framework (SPF) is a critical component of email authentication, designed to prevent sender address forgery. A fundamental aspect of SPF's operation, and a frequent source of deployment issues, is its built-in limit on DNS lookups. This limit is not arbitrary; it serves as a safeguard against unbounded recursive queries that could otherwise overload DNS infrastructure or be exploited in denial-of-service attacks. Receiving mail servers must strictly adhere to this ten-lookup constraint during SPF record evaluation.

The Ten-Lookup Constraint

SPF records are evaluated by receiving mail servers to determine if an incoming email originates from an authorized IP address. The specification, as defined in RFC 7208, permits a maximum of ten DNS lookups during this evaluation process. These lookups are triggered by specific SPF mechanisms. Exceeding this threshold results in an SPF permerror, which is typically treated as an authentication failure by most email systems, directly impacting email deliverability. This limit applies to the total number of lookups, including those initiated by nested include directives.

Mechanisms that count towards the limit include:

include:: Initiates a lookup for the SPF record of the specified domain, and all lookups within that record are also counted.
a: Queries for the A or AAAA records of a specified domain.
mx: Queries for the MX records of a specified domain, followed by A/AAAA lookups for each MX hostname.
ptr: Queries for PTR records (though this mechanism is discouraged and rarely used).
exists: Checks for the existence of an A record for a specified domain.
redirect: Similar to include, it performs a lookup and counts the lookups of the redirected record.

Conversely, mechanisms like ip4: and ip6: (which specify literal IP addresses or CIDR blocks) and the all mechanism do not require DNS lookups and therefore do not count against the limit. The initial query to retrieve the SPF TXT record itself also does not count towards the ten-lookup budget.

Mechanisms Constituting DNS Lookups

Understanding which SPF mechanisms trigger DNS queries is paramount for effective SPF record management. The include mechanism is the most common culprit for exceeding the limit, as it recursively counts all lookups within the included record. For instance, a single include:_spf.google.com directive can account for approximately four lookups internally, depending on Google's current SPF record structure. Similarly, spf.protection.outlook.com typically accounts for around three lookups. When multiple such directives are present, the cumulative count can rapidly approach or surpass the ten-lookup ceiling.

Mechanism	Counts Towards Limit	Notes
`include:`	Yes	Counts recursively for all lookups within the included record.
`a`	Yes	Queries for A/AAAA records.
`mx`	Yes	Queries for MX records, then A/AAAA for each MX hostname.
`ptr`	Yes	Discouraged mechanism.
`exists:`	Yes	Checks for A record existence.
`redirect=`	Yes	Counts recursively for all lookups within the redirected record.
`ip4:`	No	Literal IPv4 address or CIDR block.
`ip6:`	No	Literal IPv6 address or CIDR block.
`all`	No	The final catch-all mechanism.

Recursive Lookup Counting

A common misinterpretation of the ten-lookup limit is counting only the top-level include directives. The SPF specification mandates a recursive count. This means that if domainA includes domainB, and domainB includes domainC, the lookups required for domainB and domainC are all added to the total count for the original SPF record evaluation. This recursive nature is why seemingly simple SPF records with only a few include statements can still exceed the limit. For example, a record with include:domainA (4 lookups) and include:domainB (3 lookups) already consumes 7 lookups, leaving minimal room for additional services. Organizations utilizing multiple third-party email providers, such as Google Workspace, Microsoft 365, SendGrid, and Mailchimp, often find their SPF records quickly reaching this limit. Tools like IntoDNS.ai can help visualize these recursive lookups and identify precisely where the count is accumulating.

The ten-lookup limit is a critical safeguard. Without it, malicious actors could craft SPF records with an unbounded number of include mechanisms, forcing receiving mail servers to perform an excessive number of DNS queries. This could lead to significant delays in email delivery or even contribute to denial-of-service attacks against DNS infrastructure. Therefore, strict adherence to this limit is essential for both security and performance.

Failure to manage these lookup counts can lead to permerror results, effectively breaking SPF authentication for legitimate emails and potentially causing them to be rejected or sent to spam. This underscores the necessity of careful SPF record design and ongoing maintenance.

The Mechanics of SPF Flattening

SPF flattening is a method to address the SPF's 10 DNS lookup limit. It involves resolving include directives and other mechanisms that trigger DNS queries, then replacing them with their corresponding IP addresses or CIDR blocks directly within the SPF record. This process effectively removes the need for the receiving mail server to perform additional DNS lookups for those specific authorized senders.

Resolving Include Directives

When an SPF record contains an include: mechanism, such as include:example.com, the receiving mail server performs a DNS lookup for example.com's SPF record. This lookup, and any subsequent lookups triggered by mechanisms within example.com's record, all count towards the total of 10 allowed DNS lookups. Flattening replaces these include: directives with the actual IP addresses or ranges that example.com's SPF record authorizes. For instance, if include:example.com resolves to ip4:192.0.2.0/24 and ip4:198.51.100.0/24, these literal IP blocks would be added directly to your SPF record, eliminating the need for the include: lookup.

Rewriting Records with IP Literals

The core of SPF flattening is substituting lookup-generating mechanisms with static IP address specifications. This means transforming records that might look like this:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Into a much longer, but lookup-free (for those specific services) record:

v=spf1 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ... ip4:204.79.197.0/24 ... ~all

This transformation requires a process to query the DNS for the IP addresses associated with each include: or a: mechanism and then reformatting the SPF record. The primary benefit is reducing the DNS lookup count, thereby preventing permerror results. However, this also significantly increases the overall size of the SPF record, which can sometimes cause compatibility issues with older DNS resolvers that have limitations on record length [4704].

Automation Requirements for Maintenance

While SPF flattening resolves the immediate lookup limit issue, it introduces a significant maintenance burden. The IP addresses and ranges published by email service providers (ESPs) are not static; they can change without prior notification. If a flattened SPF record is not updated to reflect these changes, legitimate emails sent from newly assigned IP addresses will fail SPF authentication. This necessitates a robust automation pipeline to periodically re-resolve the include: directives and republish the updated SPF record. Without such automation, a flattened SPF record will quickly become stale, leading to mail delivery failures. This is why manual flattening is generally not a sustainable long-term solution for dynamic email infrastructures [4704].

Flattening trades dynamic DNS lookups for static IP lists. This requires a continuous process to monitor and update those lists, as IP ranges change. Failure to maintain the flattened record leads to authentication failures for legitimate mail.

Consequences of SPF Flattening

Increased Record Size and Resolver Compatibility

SPF flattening, while a method to circumvent the ten-lookup limit, introduces a significant increase in the size of the SPF TXT record. By replacing include directives with explicit IP address ranges (e.g., ip4: and ip6: mechanisms), the record can grow substantially. A flattened record for a domain utilizing several third-party email services can easily exceed 800 to 1200 characters. While modern DNS resolvers can generally handle these larger records, older or less compliant resolvers may encounter issues, potentially leading to truncated records or outright parsing errors. This can manifest as SPF evaluation failures, even though the underlying intent was to improve deliverability. It is imperative to monitor record length and test against a diverse set of DNS resolvers to mitigate compatibility risks.

Loss of Visibility into Authorized Senders

One of the primary drawbacks of SPF flattening is the obfuscation of authorized sending services. A standard SPF record clearly lists the domains authorized to send email on behalf of your organization, such as include:_spf.google.com or include:sendgrid.net. This provides a degree of transparency and aids in auditing. When flattened, this record transforms into a lengthy sequence of IP address blocks. This makes it considerably more difficult to ascertain which specific services are permitted to send mail. Auditing becomes a more complex process, requiring correlation of IP ranges back to their originating services. This loss of direct visibility can complicate troubleshooting and security reviews.

Risk Transfer to Resolution Pipeline Accuracy

Flattening effectively transfers the burden of maintaining accurate IP address information from the email service providers (ESPs) to the domain owner. ESPs are responsible for publishing their SPF records, which are dynamic and updated as their infrastructure changes. When you flatten an SPF record, you are essentially taking a snapshot of those IP ranges at a specific point in time. If an ESP modifies its IP address ranges without your knowledge, your flattened SPF record will become stale, leading to legitimate emails being rejected. This necessitates a robust, automated process for regularly re-resolving and republishing the flattened SPF record. Without such automation, the accuracy of your email authentication relies entirely on the reliability and timeliness of your own resolution pipeline, introducing a new vector for potential failure. This is particularly problematic for dynamic IP pools used by many modern ESPs.

When SPF Flattening Becomes Necessary

Technical illustration of interconnected shapes becoming simplified.

Exceeding the Ten-Lookup Threshold

The Sender Policy Framework (SPF) specification strictly limits DNS lookups to a maximum of ten per evaluation. This limit is not a suggestion; exceeding it results in a permerror, which most receiving mail servers interpret as an authentication failure. This situation arises when a domain's SPF record, through a series of include mechanisms, a records, mx lookups, or other DNS-querying mechanisms, cumulatively surpasses this threshold. For instance, a common scenario involves integrating multiple third-party email service providers (ESPs). Each include directive for an ESP can itself trigger multiple internal lookups. A typical configuration might include services like Google Workspace (approximately 4 lookups), Microsoft 365 (around 3 lookups), and a marketing platform like Mailchimp (2 lookups). This combination alone can quickly approach or exceed the ten-lookup limit, even before accounting for other potential sending sources or internal DNS structures.

Service Provider	Approximate Lookups
Google Workspace	4
Microsoft 365	3
Mailchimp	2
Total (Example)	9

Adding even one more service with a single lookup would push this example over the limit. When this occurs, legitimate emails sent through these services will fail SPF checks, impacting deliverability and potentially leading to messages being marked as spam or rejected outright. This is the primary trigger for considering SPF flattening.

Limitations of Alternative Optimization Strategies

Before resorting to SPF flattening, several optimization strategies should be exhausted. These include:

Auditing and Removal of Unused Senders: Regularly review your SPF record for include directives pointing to services no longer in use. Legacy ESPs, trial accounts, or deprecated services can accumulate over time, consuming valuable lookup budget without providing any current authorization. Removing these is the most straightforward and effective method to reduce lookup counts.
Consolidating Sending Services: Where feasible, consolidate email sending activities through fewer platforms. For example, if multiple services are used for transactional emails, explore if a single provider can handle all such needs. This reduces the number of include statements required.
Subdomain Segmentation: This is a robust long-term strategy. Different mail streams (e.g., transactional, marketing, notifications) can be assigned to distinct subdomains, each with its own minimal SPF record. For example, example.com might handle corporate mail with a short SPF, while marketing.example.com handles marketing campaigns with its own SPF record pointing to the marketing ESP. This effectively isolates lookup counts per subdomain, preventing them from accumulating on the apex domain.

When these methods are insufficient to bring the lookup count below the critical threshold, SPF flattening becomes a necessary consideration. It is important to note that while subdomain segmentation is generally preferred for its manageability, it may not always be practical or immediately implementable for all organizations, especially those with highly integrated or complex sending infrastructures.

Situations Mandating Flattening

SPF flattening is typically mandated when all other viable optimization techniques have been implemented, yet the SPF record still exceeds the ten-lookup limit. This often occurs in environments with a large number of third-party email senders, such as large enterprises, SaaS providers, or organizations utilizing numerous specialized communication tools.

Flattening an SPF record involves resolving all include directives and other DNS-querying mechanisms to their explicit IP address ranges (ip4: and ip6: mechanisms). This transforms the record into a static list of IP addresses, effectively eliminating DNS lookups during the SPF evaluation process. While this resolves the lookup limit issue, it introduces a significant maintenance challenge, as the IP addresses of ESPs can change without notice. Therefore, flattening is most effective when coupled with robust automation for monitoring and updating the record.

Consider the following scenarios where flattening is often the only remaining recourse:

Complex Third-Party Integrations: Organizations relying on a broad spectrum of SaaS platforms, CRMs, marketing automation tools, and customer support systems, each requiring SPF authorization, will likely encounter lookup limitations. Attempting to manage these with subdomains can become administratively burdensome if the number of distinct sending functions is exceptionally high.
Legacy Systems with Static SPF Records: In some cases, existing infrastructure may have static IP addresses that can be directly listed. However, if these IPs are managed by external providers whose IP ranges are dynamic or not publicly documented for direct inclusion, flattening becomes the method to incorporate them without exceeding lookup limits.
Immediate Compliance Requirements: When an organization faces an immediate need to comply with SPF policies (e.g., due to DMARC enforcement or deliverability issues) and lacks the time or resources for a full subdomain restructuring, flattening can provide a rapid, albeit temporary, solution to bring the record within the ten-lookup limit. This allows for continued email delivery while a more sustainable strategy is developed. The SPF specification details these lookup limitations and mechanisms.

Implementing SPF Flattening

Technical illustration of simplified network connections.

SPF flattening involves resolving include directives within your SPF record and replacing them with the actual IP addresses or CIDR blocks they represent. This process effectively removes DNS lookups from the evaluation of those specific include mechanisms, thereby reducing the overall lookup count. This is a critical technique when your SPF record approaches or exceeds the ten-lookup limit.

Implementing SPF flattening requires a systematic approach to ensure accuracy and maintainability. The primary objective is to reduce DNS queries during SPF evaluation, preventing permerror results. However, it introduces a new set of considerations, particularly around the dynamic nature of IP address ranges used by many email service providers (ESPs).

Automated Resolution and Publishing Pipelines

Manual flattening is not a sustainable solution due to the frequent changes in ESP IP address ranges. To maintain compliance and prevent legitimate emails from failing SPF checks, an automated pipeline is necessary. This pipeline should:

Periodically query the DNS records of your include mechanisms.
Resolve all nested include directives and external IP ranges.
Reconstruct the SPF record using ip4 and ip6 mechanisms with the resolved IP blocks.
Publish the updated SPF record to your DNS.

This automation ensures that your SPF record remains current with the IP addresses authorized to send mail on your behalf. Tools and services exist that can manage this process, often on a daily or weekly basis, depending on the volatility of the ESPs you utilize. For instance, services that help manage SPF records can automate this resolution and publishing.

Monitoring for External IP Range Changes

Even with automated pipelines, continuous monitoring is essential. ESPs may change their IP address ranges without prior notification. Your automated system must be capable of detecting these changes and updating the flattened SPF record accordingly. This involves:

Regularly comparing the currently published flattened SPF record against the live resolution of the original include directives.
Alerting administrators to discrepancies or potential issues.
Implementing a robust rollback strategy in case an automated update introduces errors.

Without diligent monitoring, a flattened SPF record can quickly become outdated, leading to SPF failures for legitimate mail. This risk transfer to the accuracy of your resolution pipeline is a significant consequence of flattening.

Strategic Application to Stable Includes

While flattening can be applied to any include directive, it is most effective and less risky when applied to stable, well-documented IP ranges. For example, major providers like Google Workspace or Microsoft 365 often have published IP ranges that change infrequently. Flattening these stable includes can significantly reduce lookup counts without introducing excessive maintenance overhead.

Conversely, flattening directives for ESPs with highly dynamic or rapidly changing IP pools (e.g., some large-scale marketing platforms) should be approached with extreme caution. If automation is not perfectly implemented, these can become a source of permerror if not re-flattened frequently. Consider the trade-offs: while flattening reduces lookups, it increases record size and can obscure visibility into which specific services are authorized. A common strategy is to flatten stable includes and retain dynamic ones as include mechanisms, or to use subdomains for services with volatile IP ranges.

Alternatives to SPF Flattening

Technical illustration of network simplification and branching.

While SPF flattening can resolve the immediate issue of exceeding the ten-lookup limit, it introduces significant maintenance overhead and reduces visibility into your authorized sending infrastructure. Before resorting to flattening, consider these alternative strategies that offer more sustainable and robust email authentication.

Subdomain Segmentation for Mail Streams

This approach involves dedicating specific subdomains to different types of email traffic. Each subdomain can then have its own, simpler SPF record. This is a clean, long-term solution that scales well.

Corporate/Transactional Mail: Use the root domain (example.com) for critical communications. Its SPF record can be minimal, perhaps including only your primary mail provider.
Marketing Mail: Assign a subdomain like marketing.example.com for all marketing campaigns. This subdomain's SPF record would then exclusively include the marketing platform's directives.
Application Notifications: Utilize another subdomain, such as notifications.example.com, for automated alerts, with its own SPF record pointing to the relevant service.

This strategy ensures that each mail stream's SPF record remains concise, preventing any single evaluation from exceeding the ten-lookup threshold. It also isolates potential issues; a misconfiguration in the marketing SPF record will not affect transactional mail delivery.

Consolidating Sending Services

Evaluate your current email sending providers. If you are using multiple services for similar purposes (e.g., several platforms for marketing emails), investigate the possibility of consolidating them into a single provider. Fewer sending services directly translate to fewer include mechanisms in your SPF record, thereby reducing the overall lookup count.

Audit current providers: Identify redundant services or platforms that can be replaced by a single, more capable solution.
Evaluate ESP capabilities: Some providers offer broader functionality, potentially covering needs previously met by multiple services.
Consider long-term contracts: When consolidating, assess the provider's stability and commitment to maintaining their SPF records.

Removing Unused Sender Inclusions

Over time, organizations often integrate with various third-party services for email campaigns, transactional messages, or support communications. It is common for these integrations to be forgotten after a trial period or a change in service. Each unused include directive contributes to your DNS lookup count without providing any authorization benefit.

Regular Audits: Periodically review your SPF record and compare it against your active sending services. Tools like the SPF checker can help identify these unused directives.
Documentation: Maintain clear documentation of all services authorized to send email on behalf of your domain.
DMARC Reports: Analyze DMARC aggregate reports. These reports often reveal sending IPs or domains that are not accounted for in your SPF record, which can help identify forgotten or unauthorized senders.

Manual SPF record management, including the process of flattening, is inherently prone to errors and requires constant vigilance. Prioritizing strategies that simplify your SPF configuration, such as subdomain segmentation and service consolidation, offers a more sustainable path to maintaining robust email authentication.

By implementing these alternatives, you can manage your SPF record effectively, avoid the complexities of flattening, and maintain a strong security posture for your email communications. Automated SPF management can further simplify these processes.

Risks and Best Practices

Maintaining an effective SPF record requires ongoing diligence. Failure to do so can lead to significant email deliverability issues and security vulnerabilities.

Maintaining Record Freshness

SPF records are not static. External sending services frequently update their IP address ranges. If your SPF record is not updated to reflect these changes, legitimate emails may fail authentication and be rejected. This is particularly true for flattened records where the IP ranges are hardcoded. Automated processes are necessary to periodically re-resolve and republish flattened records to prevent this.

Automated Re-resolution: Implement a scheduled job, at least weekly, to re-resolve all include directives and republish the flattened record. This ensures your record reflects current IP ranges.
Monitoring for Changes: Utilize DNS monitoring tools that can alert you to changes in the SPF records of your included services. This allows for proactive updates.
Vendor Notifications: Subscribe to notifications from your email service providers (ESPs) regarding IP address changes. While not always feasible, this can provide advance warning.

The Importance of Auditing

Regular auditing of your SPF record and sending infrastructure is critical. This process helps identify and rectify several common issues:

Unused Senders: Remove include mechanisms for services that are no longer in use. These "zombie" entries consume valuable lookup budget without providing any benefit.
Multiple SPF Records: RFC 7208 strictly prohibits more than one TXT record starting with v=spf1 for a given domain. The presence of multiple records will result in a permerror, causing all SPF checks to fail. Consolidate all valid sending sources into a single record.
Syntax Errors: Incorrectly formatted mechanisms or typos can lead to permerror results. Tools like IntoDNS.ai or dig can help identify these.

A common pitfall is the assumption that an SPF record, once published, requires no further attention. This is a dangerous misconception. The dynamic nature of IP address allocation and the evolution of email service providers necessitate a proactive maintenance strategy. Neglecting this can inadvertently authorize malicious actors or, more commonly, block legitimate communications.

Balancing Record Size and Lookup Counts

While SPF flattening can resolve lookup limit issues, it can lead to excessively large records. Some older DNS resolvers may struggle with TXT records exceeding 512 bytes. Modern resolvers are generally more capable, but it is prudent to monitor record size. The goal is to maintain a record that is both compliant with the 10-lookup limit and compatible with a wide range of DNS infrastructure. Strategies such as subdomain segmentation for different mail streams can often achieve this balance more effectively than aggressive flattening. For instance, using separate subdomains for marketing and transactional emails allows each to have a concise SPF record, avoiding the need to flatten a single, massive record for the apex domain. This approach also simplifies DMARC alignment, as each subdomain can manage its own authentication policies. Proper SPF configuration is key to this balance.

When sending emails, it's important to know the possible problems that could stop them from reaching the inbox. We call these 'risks'. But don't worry, there are also smart ways to handle these issues. These are the 'best practices'. Want to learn how to make sure your emails get delivered every time? Visit our website to find out more!

Final Thoughts on SPF Flattening

So, we've looked at SPF flattening. It's a way to get around that pesky 10-lookup limit by replacing all those 'include' statements with actual IP addresses. It sounds like a good idea at first, especially if you're drowning in lookups. But, and this is a big 'but', it's not really a long-term fix. You end up with a massive SPF record that's hard to manage. If any of those IP addresses change, and they do, your emails might just stop working. Plus, you lose visibility into who's actually sending mail for you. For most people, the better path is to clean up your existing SPF record, remove what you don't need, and maybe use subdomains for different kinds of mail. Flattening is more like a temporary bandage than a cure. It might get you out of a jam, but you still need to address the root cause of why your SPF record got so complicated in the first place.

AI assistant and API workflow

This article is part of the IntoDNS.ai LLM and citation workflow. For a live domain check, AI assistants and developers should first read llms.txt or llms.json, then call /api/scan/quick?domain=example.com for the current DNS and email security score.

For this topic, use /api/email/spf?domain=example.com when you need focused data instead of the full quick scan.

Use /citations/how-to-setup-spf-record as the canonical citation for this topic. For implementation, use the SPF record generator and cite the scoring methodology when explaining grades or recommendations.

Frequently Asked Questions

What exactly is SPF?

SPF stands for Sender Policy Framework. Think of it like a digital guest list for your email. It's a system that helps prove that an email claiming to be from your domain actually came from a computer you authorized. It works by listing the approved sending computers in your domain's settings, so email checkers can see if the sender is on the list.

What's the big deal about the 10-lookup limit?

SPF has a rule: it can only check up to 10 'lookups' when figuring out if an email is okay. A lookup is like asking a question to another computer. If an email needs more than 10 questions answered to check if it's legit, the whole check fails, and the email might not get delivered. This happens when you use many different email services.

What does 'SPF flattening' mean?

SPF flattening is like taking a long list of instructions and rewriting it into one giant, detailed list. Instead of saying 'check this service' (which uses a lookup), flattening replaces that with all the specific computer addresses (IPs) that service uses. This uses up fewer lookups, but the list can get very, very long.

Why is flattening sometimes bad?

While flattening helps with the lookup limit, it makes the SPF list super long and harder to read. Also, if the email services you use change their computer addresses, your flattened list won't be updated, and emails might start failing. It's like having a list of phone numbers that keeps changing – you have to keep updating your own list too.

When should I think about flattening my SPF record?

You should consider flattening if you've tried other ways to fix your SPF record, like removing old email services you don't use, and you're still hitting that 10-lookup limit. It's a way to get more 'headroom' for your lookups, especially if you use many different email providers.

Are there easier ways to manage SPF without flattening?

Yes! A great way is to use different subdomains for different types of emails. For example, use one subdomain for marketing emails and another for customer support emails. Each subdomain can have its own simple SPF record, keeping the main one clean and under the 10-lookup limit. Also, regularly check if you're still using all the services listed in your SPF record and remove any you no longer need.