--- title: "“SPF Too Many DNS Lookups” Error – What It Means And How To Resolve The Issue | DuoCircle" description: "Join the thousands of organizations that use DuoCircle Find out how affordable it is for your organization today and be pleasantly surprised.Interested in" image: "https://www.duocircle.com/images/og-default.png" canonical: "https://www.duocircle.com/content/spf-too-many-dns-lookups/" --- Content # “SPF Too Many DNS Lookups” Error – What It Means And How To Resolve The Issue Join the thousands of organizations that use DuoCircle Find out how affordable it is for your organization today and be pleasantly surprised.Interested in [ Talk to an Expert → ](/contact/) [ See what we make ](/products/) ## “SPF Too Many DNS Lookups” Error – What It Means And How To Resolve The Issue Let us understand the concept of error and see how to resolve such issues. [Fix Your SPF Errors Now](/email/spf-record-check) ###### [EMAIL SECURITY SERVICES](/) ###### [PLANS AND PRICING](/email/spf-record-check#pricingarea) ###### [SPF RECORDS](/email/spf-record-check) _A domain must not have [multiple SPF records](/content/spf-too-many-dns-lookups/multiple-spf-records) or the SPF fails with a PermError_. Similarly, If you are concerned that your emails do not get delivered, the problem could lie in the [SPF validation](https://www.autospf.com/). During the investigation, it could throw up the reason, “Permerror SPF permanent error too many [DNS lookups](https://www.google.com/url?q=https://autospf.com/blog/fixing-spf-dns-lookups-quick-tips/&sa=D&source=editors&ust=1698658595205649&usg=AOvVaw0z3r5%5FJdY7lb6I8ylKrQ1C).” It is a standard error encountered in SPF implementations. _Exceeding the 10 DNS lookup SPF limit can affect email deliverability._ This article discusses what exceeding the 10 DNS limit means, its consequences, and how to validate the **SPF record** to prevent the “SPF too many DNS lookups” error. ![multiple spf records](https://media.mailhop.org/duocircle/images/2020/12/spf-setup.png) ### What Is “SPF Too Many DNS Lookups”? _SPF specification has fixed a limit on the number of DNS lookups to resolve an SPF record_. The RFC Specification Document [RFC7208](https://tools.ietf.org/html/rfc7208) specifies that the number of mechanisms and modifiers that do _DNS lookups should not exceed 10 per SPF check_. Generally, the reckless use of the “include” or the “redirect” modifier in an SPF record can result in the DNS lookups going over the 10-limit, thereby causing email deliverability issues. Exceeding the limit can return the error “permerror **SPF permanent error** too many DNS lookups.” ### The Need For The SPF DNS Lookup Limit What is the need to have such a seemingly artificial limit? The answer is that the 10-DNS lookup limit is necessary to thwart threats such as a [DDoS attack](https://aws.amazon.com/shield/ddos-attack-protection/). The below example should clarify the point. 1. A malicious actor creates an **SPF record** on a specific domain “virusfound.com” with numerous references to another domain, “target.com.” 2. Using the “virusfound.com” domain, they send many emails to mailboxes hosted by various email service providers (ESP) with SPF implemented. 3. The ESP queries DNS for “target.com” on receiving such emails. 4. As it involves numerous ESPs, it amplifies the traffic and becomes a DoS attack at “target.com.” _The crucial aspect of the entire chain of transactions is that the attack’s real source remains hidden._ Thus, you can see how a malicious threat actor exploits the **email authentication** mechanism. Hence, fixing up a limit on the maximum number of DNS lookups per check on the ESP side mitigates the risk. By keeping the limit at 10 DNS lookups, the amplification is limited to 10, thus **preventing a DDoS attack**. ### What Is SPF Validation? The SPF validation process provides information about the SPF setup on your domain. _It aims at ensuring that the SPF record is free from errors_. The [SPF validation tool](https://seositecheckup.com/tools/spf-records-test) can show the number of DNS-querying mechanisms. Thus, an _SPF validation check can help check the DNS lookup count_. ### What Will Happen If The SPF DNS Lookup Limit Is Exceeded? If the SPF implementation on the receiving email servers finds more than 10 DNS querying modifiers in the sender’s domain SPF, it returns SPF permerror “too many DNS lookups.” As a result, the sent email might not reach the inbox. ESPs like Gmail send unauthenticated emails to the spam folder, whereas _Microsoft Office 365 blocks such sender domains automatically if they fail SPF authentication_. [![SPF records check](https://www.duocircle.com/wp-content/uploads/2020/12/spf-flatterning-service.jpg)](/wp-content/uploads/2020/12/spf-flatterning-service.jpg) ### How Do You Deal With The “SPF Too Many DNS Lookups” Error? One of the best solutions to deal with this issue is “[SPF record flattening](https://www.autospf.com/#features).” Flattening an SPF record can reduce the number of DNS-querying mechanisms to one. Let us see how SPF record flattening works. 1. Query the DNS for the IP address for each DNS-querying modifier. 2. Replace the original modifier with the IP address. 3. For each such replacement, the total DNS lookup count decreases by 1. 4. After replacing all the mechanisms/modifiers, the total DNS lookup count becomes 1. Thus, it is possible to turn a complicated [SPF record](/email/spf-record-check) containing more than 10 DNS-querying modifiers into a “flat IP address.” ### Does the Flattening Exercise Resolve The Problem Completely? _The flattening technique may not be reliable at all times_. That’s because if the IP addresses underlying one of the “include” mechanisms are changed, it can result in the **flattened SPF record** to go out of sync on those IP addresses. Thus, it will produce incorrect results in the SPF authentication. It can be addressed using ip4 and ip6 mechanisms in the record, as discussed in the next section. ### Use ip4 And ip6 Mechanisms _Replacing the “include” statement with ip4 or ip6 mechanisms can reduce the number of DNS lookups drastically._ The ip4 and ip6 mechanisms are utilized to list a static IP range in the **SPF record**. It helps do away with an “include” statement to reference another domain’s SPF record. ### More Ways To Prevent SPF Too Many DNS Lookups Error Besides the flattening method, here are some other solutions to reduce SPF too many DNS lookups error, as listed below. #### Remove all mechanisms resolving to the same domain. Removing mechanisms from your SPF record that links to the same domain can avoid unnecessary DNS lookups. #### Avoiding ptr mechanisms A [ptr mechanism](https://fundamental.marketing/email-deliverability/why-should-i-not-use-a-ptr-mechanism-in-my-spf-records/) is a DNS record used for linking an IP address to a hostname or domain. SPF specifications recommend not using the ptr mechanism in the SPF record. Using the ptr mechanism can result in multiple DNS lookups, which causes reaching the limit quickly. #### Remove vendor domains and legacy partners It is advisable to remove “include” statements that redirect [SPF checks](/email/spf-record-check) to those who no longer send emails on your behalf. It can reduce DNS lookups. However, the “include” statements could be necessary to redirect SPF checks to the SPF records of vendors/partners that keep changing their IP addresses frequently. The “include” statement ensures that the sender does not need to update the changing IP addresses in their **SPF records**. #### Reference actively sending domains only If the domains you reference links to inactive SPF records, _it is better to remove them to reduce DNS lookups_. Every business entity should use proper [SPF validation](/email/spf-record-check) tools to look out for discrepancies that could affect email deliverability. We have just seen how an [SPF permerror](/content/spf-permerror) can affect email deliverability. Following the tips mentioned in the discussion can reduce occurrences of ‘SPF too many DNS lookups’ instances, thus facilitating successful email delivery. ##### Join the thousands of organizations that use DuoCircle --- Find out how affordable it is for your organization today and be pleasantly surprised. [Auto SPF - Sign Up FREE](/email/spf-record-check)Interested in our Partner Program for MSPs and VARs? Visit Our [MSP Partner Program](/msp-partner-program). ## Ready to talk? Same-day response from someone technical. We tell you yes or no quickly. If yes, we get to work. [Talk to an Expert→](/contact/)[See what we make](/products/) ```json {"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}} ``` ```json [{"@context":"https://schema.org","@type":"WebPage","name":"“SPF Too Many DNS Lookups” Error – What It Means And How To Resolve The Issue","description":"Join the thousands of organizations that use DuoCircle Find out how affordable it is for your organization today and be pleasantly surprised.Interested in ","url":"https://www.duocircle.com/content/spf-too-many-dns-lookups/","speakable":{"@type":"SpeakableSpecification","cssSelector":[".page-answer",".duo-rich-text p:first-of-type"]},"dateModified":"2023-10-30T15:45:10.000Z","datePublished":"2020-12-24T15:08:59.000Z"},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"DuoCircle","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"“SPF Too Many DNS Lookups” Error – What It Means And How To Resolve The Issue","item":"https://www.duocircle.com/content/spf-too-many-dns-lookups/"}]}] ```