How to fix the SPF 10 DNS lookup limit (PermError)
// published 2026-04-17
If your SPF record triggers a PermError, there's a good chance you've crossed the 10-lookup ceiling. The limit is set in RFC 7208 (section 4.6.4) to cap the DNS load a single evaluation can generate, and with it the amplification a hostile record could aim at a receiver's resolver. There is no "turn it up" option. You have to design under it.
What counts as a lookup
Each of these adds one to your budget:
- include: costs one lookup, plus every lookup inside the included record, recursively.
- a: one lookup (A/AAAA of the named or current domain).
- mx: one lookup for the MX query. The A/AAAA lookups for each mail exchanger do not count against the 10, but RFC 7208 caps them at 10 MX hosts per mx mechanism, and exceeding that is a PermError in its own right.
- ptr: one lookup each (RFC 7208 says not to use it; remove it).
- exists: one lookup each.
- redirect=: one lookup, then every lookup in the target record; it replaces the current evaluation.
What doesn't count: ip4:, ip6:, all, the +/-/~/? qualifiers, the v=spf1 version tag, and the exp= modifier.
One more rule from the same section that checkers enforce: more than two "void" lookups (queries that return NXDOMAIN or no records) is also a PermError. A stale include pointing at a hostname that no longer exists can break you while you are still comfortably under 10.
The SPF Checker counts lookups against the RFC ceiling for you.
Why big senders blow the budget
A typical small-business SPF looks clean: v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com -all. That's three includes, so three lookups, right? No. Each include expands:
- _spf.google.com: Google publishes 4 nested include:s, so you're at 5 lookups before the other two.
- sendgrid.net: 2-3 deep last we checked.
- mailchimp.com: another 2.
That's 10 or more already, and you haven't added your own infrastructure (an mx or a for your own servers costs one more each).
Four ways to stay under 10
1. Remove unused includes
The cheapest fix: audit what's in your record. Many records still carry services nobody uses anymore. Every include you remove saves its own lookup plus everything nested under it. Before deleting one, confirm nothing sends through it: your DMARC aggregate (rua) reports list every source that has been sending as your domain.
2. Replace includes with IP lists (for stable providers)
If a sender publishes a stable set of IPs, you can inline them as ip4:/ip6: ranges. This converts a lookup-expensive include into zero-lookup CIDRs. Only do this for providers that document their ranges as static, and re-check the documented ranges on a schedule: if they change and you don't, delivery breaks silently, because an IP missing from your record simply fails SPF.
3. SPF flattening
A flattening service (e.g. EasyDMARC, Valimail, Dmarcian) maintains a dynamic SPF record on a subdomain and you include that. They resolve the whole tree server-side and publish the result as ip4:/ip6: entries, re-resolving on the vendor's schedule. You include one thing; they do the lookup math.
Trade-offs: you're now dependent on the flattener's uptime and update cadence, and whatever they publish is authorized to send as your domain, so their DNS is inside your trust boundary. Watch the record size too. A flattened record can carry dozens of CIDRs, a single TXT string is limited to 255 characters, and RFC 7208 recommends keeping the whole record under 450 octets so the answer fits in a 512-byte UDP reply; a bloated record fails in a different way than a PermError.
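Both the counting rules above and the flattening idea are easier to see in code. The following is an added example, not code from the original article or from any checker or flattening product. It counts RFC 7208 lookups over a constructed in-memory DNS table (fictional providers under .example, documentation IP ranges, no network) and rebuilds the apex record with its includes replaced by the CIDRs they resolve to. The provider names, nesting depths and netblocks are constructed to mirror the three-provider example and are not real provider records.

```python
"""Count RFC 7208 DNS lookups in an SPF tree and flatten includes into CIDRs.

Added example, not code from the original article or from any SPF checker
product. It runs against a constructed in-memory DNS table (no network): the
provider names and netblocks are made up, only the counting rules are RFC 7208's.
"""

LOOKUP_LIMIT = 10                                       # RFC 7208 s4.6.4 ceiling
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # one lookup each
FREE_MECHS = {"ip4", "ip6", "all"}                      # evaluated without DNS


class PermError(Exception):
    """Raised where a real evaluator would return permerror."""


# Constructed zone data: fictional providers under .example, documentation IPs.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.bigmail.example include:crm.example include:news.example mx -all",
    "_spf.bigmail.example": "v=spf1 include:_nb1.bigmail.example include:_nb2.bigmail.example "
                            "include:_nb3.bigmail.example include:_nb4.bigmail.example ~all",
    "_nb1.bigmail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.bigmail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.bigmail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_nb4.bigmail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm.example": "v=spf1 ip4:203.0.113.128/25 include:_spf.crm.example ~all",
    "_spf.crm.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "news.example": "v=spf1 include:servers.news.example ?all",
    "servers.news.example": "v=spf1 ip4:192.0.2.128/25 ?all",
}
# The same apex record with one more mechanism: the eleventh lookup is a permerror.
OVER_LIMIT = {**FAKE_DNS, "example.com": FAKE_DNS["example.com"].replace(" mx ", " mx a ")}


def parse_terms(record):
    """Yield (raw, name, value, is_modifier) for every term after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise PermError("not an SPF record")
    for raw in terms[1:]:
        term = raw[1:] if raw[0] in "+-~?" else raw        # strip the qualifier
        if "=" in term:                                    # modifier: redirect=, exp=
            name, _, value = term.partition("=")
            yield raw, name.lower(), value, True
        else:                                              # mechanism: ip4:x, a/24, mx
            name, _, value = term.partition(":")
            yield raw, name.split("/")[0].lower(), value, False


def count_lookups(domain, dns, _seen=()):
    """DNS-querying terms reachable from domain's record; PermError past the limit.
    Not modelled: the separate cap of 10 MX hosts per mx mechanism and the
    'void lookup' rule (more than two empty/NXDOMAIN answers is also permerror)."""
    domain = domain.lower()
    if domain in _seen:
        raise PermError(f"include/redirect loop at {domain}")
    if domain not in dns:
        raise PermError(f"no SPF record for {domain}")
    seen, total = _seen + (domain,), 0
    for _raw, name, value, is_modifier in parse_terms(dns[domain]):
        if is_modifier:
            if name == "redirect":                 # one lookup, then its whole tree
                total += 1 + count_lookups(value, dns, seen)
            continue                               # exp= and unknown modifiers are free
        if name in FREE_MECHS:
            continue
        if name not in LOOKUP_MECHS:
            raise PermError(f"unknown mechanism {name!r}")
        total += 1
        if name == "include":                      # one for itself plus its subtree
            total += count_lookups(value, dns, seen)
        if total > LOOKUP_LIMIT:
            raise PermError(f"{domain}: more than {LOOKUP_LIMIT} DNS lookups")
    return total


def check(domain, dns):
    """One-line verdict, the way a checker would report it."""
    try:
        return f"{count_lookups(domain, dns)} lookups"
    except PermError as exc:
        return f"permerror: {exc}"


def flatten(domain, dns, _seen=()):
    """Resolve include:/redirect= recursively into the ip4:/ip6: terms they carry.
    a/mx/ptr/exists inside an include need live DNS to expand, so this offline
    version refuses them; an include's own 'all' never applies to the includer."""
    domain = domain.lower()
    if domain in _seen or domain not in dns:
        raise PermError(f"cannot expand {domain}")
    seen, out = _seen + (domain,), []
    for _raw, name, value, is_modifier in parse_terms(dns[domain]):
        if name in ("include", "redirect"):
            out.extend(flatten(value, dns, seen))
        elif name in ("ip4", "ip6"):
            out.append(f"{name}:{value}")
        elif name != "all" and not is_modifier:
            raise PermError(f"{name} in {domain} needs live DNS to flatten")
    return list(dict.fromkeys(out))                 # dedupe, keep order


def flattened_record(domain, dns):
    """Rebuild domain's own record with every include replaced by its CIDRs.
    Top-level a/mx/ptr/exists and the original 'all' term stay verbatim."""
    out = ["v=spf1"]
    for raw, name, value, _is_modifier in parse_terms(dns[domain.lower()]):
        if name in ("include", "redirect"):
            out.extend(t for t in flatten(value, dns) if t not in out)
        else:
            out.append(raw)
    return " ".join(out)


if __name__ == "__main__":
    print(check("example.com", FAKE_DNS))          # sits exactly at the ceiling
    print(check("example.com", OVER_LIMIT))        # one more mechanism: permerror
    print(flattened_record("example.com", FAKE_DNS))
```

Running it shows the constructed apex record sitting at exactly 10 lookups, tipping into permerror when a single a mechanism is added, and dropping to 1 lookup once flattened (only the top-level mx remains). Two things the commercial services handle that this one-shot snapshot does not: re-resolving on a schedule so the published CIDRs don't go stale, and splitting the output across 255-character TXT strings while keeping the whole answer small enough to fit a UDP reply.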
4. Split sending sources across subdomains
Marketing from news.yourdomain.com, transactional from mail.yourdomain.com, corporate from the apex. Each subdomain publishes its own SPF with a focused include list, and each gets its own 10-lookup budget. This is the cleanest long-term structure, but it requires each sending service to be configured to send from its assigned subdomain rather than the apex. It does not require separate DMARC policies: under DMARC's default relaxed alignment, an SPF pass for news.yourdomain.com still aligns with yourdomain.com.
What PermError actually does
When SPF evaluation returns permerror, most receivers don't reject outright: messages still get delivered, but they're scored poorly, and the large mailbox providers will push more of your mail toward spam the longer it persists. The sharper consequence is on the DMARC side. DMARC treats a permerror as SPF not passing, so your domain's DMARC result then rides entirely on DKIM; any message that is unsigned or whose signature doesn't align fails DMARC, and if you publish p=quarantine or p=reject, that policy now applies to your own legitimate mail. Fix it before the reputation hit compounds.
Run the SPF Checker on your domain to count your lookups, flag any unsafe +all, and see the expanded include tree.