SPF too many lookups
The ten-lookup SPF limit is one of the most common reasons otherwise legitimate mail fails SPF. The problem often appears after several SaaS senders have been added over time.
What counts as a lookup
Mechanisms such as include, a, mx and exists, and the redirect modifier, can all generate DNS lookups during SPF evaluation.
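The following Python sketch is an added example, not code from the original page. It counts the lookup-generating terms reachable from a domain's SPF record, following include and redirect recursively, and reports permerror above ten. The domains, TXT records and function names are constructed for illustration; ptr is counted as well because RFC 7208 lists it among the querying terms.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 querying terms -> permerror
# Terms that cost a DNS query. ip4, ip6 and all cost none.
TERM = re.compile(
    r"^[+\-~?]?(include|a|mx|ptr|exists)(?:[:/](.*))?$|^(redirect)=(.+)$", re.I)

# Constructed sample TXT records (hypothetical domains, documentation IPs).
LEAF = "v=spf1 ip4:198.51.100.0/24 ~all"
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mailer.test "
                    "include:_spf.crm.test include:_spf.desk.test ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test "
                        "include:_b.mailer.test include:_c.mailer.test ~all",
    "_spf.crm.test": "v=spf1 include:_net.crm.test a:out.crm.test ~all",
    "_spf.desk.test": "v=spf1 include:_eu.desk.test include:_us.desk.test ~all",
    "_a.mailer.test": LEAF, "_b.mailer.test": LEAF, "_c.mailer.test": LEAF,
    "_net.crm.test": LEAF, "_eu.desk.test": LEAF, "_us.desk.test": LEAF,
}
# Same domain after cleanup: unused desk sender removed, mx/a replaced by IPs.
FIXED = dict(ZONE)
FIXED["example.test"] = ("v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 "
                         "include:_spf.mailer.test include:_spf.crm.test ~all")

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's record."""
    if domain in path:          # include loop: stop instead of recursing forever
        return 0, []
    total, trace = 0, []
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 tag
        m = TERM.match(term)
        if not m:
            continue
        total += 1
        trace.append((domain, term))
        if (m.group(1) or m.group(3)).lower() in ("include", "redirect"):
            target = m.group(2) or m.group(4)
            sub, sub_trace = count_lookups(target, zone, path + (domain,))
            total, trace = total + sub, trace + sub_trace
    return total, trace

def verdict(domain, zone):
    n, _ = count_lookups(domain, zone)
    return n, "permerror" if n > LIMIT else "ok"

if __name__ == "__main__":
    for label, zone in (("before", ZONE), ("after", FIXED)):
        print(label, verdict("example.test", zone))
```

The trace returned by count_lookups shows which record contributed each lookup, which makes it easy to see that nested includes from a single sender can use several of the ten.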
Typical symptoms
- SPF permerror in message headers or validation tools
- Mail providers reporting SPF as invalid
- DMARC failing where SPF was expected to align
How to fix it
- Remove unused third-party senders.
- Replace broad mechanisms with explicit IPs where practical.
- Reduce nested includes.
- Consider careful SPF flattening.
- Move some traffic to a different domain or subdomain if needed.
What to avoid
Do not publish multiple SPF records and do not keep stacking services into one record without periodic cleanup. That is usually how the problem starts.