---
title: "What is SPF Lookup Limit and How to Fix It? | DuoCircle"
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/resources/what-is-spf-lookup-limit-and-how-to-fix-it/"
---

DuoCircle 

#  What is SPF Lookup Limit and How to Fix It? 

[ Talk to an Expert → ](/contact/) [ See what we make ](/products/) 

## What is SPF Lookup Limit and How to Fix It?

#### What is SPF Lookup Limit and How to Fix It?

[Fix Your SPF Errors Now](/content/spf-permerror)

###### [EMAIL SECURITY SERVICES](/)

###### [PLANS AND PRICING](/email/outbound-smtp#pricingarea)

###### [SPF RECORDS](/email/spf-record-check)

### Preface

Exceeding the 10 SPF lookup limit is a common problem among SPF-compliant domain owners. Once your SPF record reaches the limit, email recipients consider your SPF record invalid, and your domain gets blocked. This limitation can hamper your business reputation by impacting sales, marketing, and PR exercises. 

This blog discusses everything you need to know about SPF permanent error; too many DNS lookups. Read till the end to not miss anything!

![email security](https://media.mailhop.org/duocircle/images/2019/02/email-phishing-protection.png) 

### What is SPF?

SPF stands for Sender Policy Framework, an email authentication protocol that prevents phishing and [spoofing attacks](https://indianexpress.com/article/cities/mumbai/using-e-mail-spoofing-fraudster-dupes-bank-of-rs-9-94-lakh-7429133/) attempted in your business’ name. It works by requiring you to update a list of IP addresses allowed to send emails using your official domain name. These can be the IP addresses of your employees, partners, and third-party vendors. 

![email security](https://www.duocircle.com/wp-content/uploads/2023/04/SPF.jpg) 

SPF allows the recipient’s server to verify if the email is actually coming from the source it’s claiming to be. This is done by **cross-checking the IP address** with the list added to DNS. Since [SMTP](/email/outbound-smtp) or Simple Mail Transfer Protocol imposes no restrictions on the source address for emails, SPF comes into the picture to set a process for the domain owner to spot which IP addresses are permitted to forward emails for a particular domain.

SPF works based on an [SPF record](/email/spf-record-check) added to DNS or Domain Name System that indicates valid email servers. Recipients’ email servers check the TXT SPF record while performing DNS lookup on all inbound emails.

### What is an SPF Record?

SPF record is a DNS TXT record used for performing the usual **email authentication process**. It includes a list of IP addresses and domains authorized to send emails from your official domain. You enter arbitrary text into the DNS to create a record.

Initially, TXT records were created for updating important notices regarding a domain; however, this has evolved to serve a few more purposes. Domain operators use SPF records to prevent [cyberattacks](/email-security/the-rise-in-cyberattacks-impact-of-russia-ukraine-conflict), improve email deliverability, and deploy [DMARC protocol](/email/dmarc).

![office 365 tenant to tenant migration](https://media.mailhop.org/duocircle/images/2021/09/azure-tenant-migration.png) 

### What Does an SPF Record Look Like?

This is what an SPF record looks like: 

**_v=SPF1 a mx ip4:01.02.153.131 include:\_SPF.amazon.com \~all_**

An SPF record always begins with the ‘v=’ element, which indicates the version used. ‘SPF1’ is the most common version understood by mail exchanges. 

### How Does SPF Lookup Work?

SPF lookup is the practice of analyzing the SPF record of your domain against errors, configurations, security risks, and authorized IP addresses. It also enables you to check if an IP address is officially permitted to send emails using your domain.

SPF record lookup assesses registered TXT records in real time and lets you specify an SPF record manually. In addition, an SPF lookup tool helps when you’ve to add a specific domain to your SPF TXT record to start sending official and legitimate emails on your behalf.

However, it has the SPF too many DNS lookups limit that doesn’t allow more than 10 lookups. 

### What is the 10 SPF Lookup Limit?

When you query your DNS, it costs the validator (the recipient’s email system) resources like bandwidth and CPU memory. To stop users from unreasonably overloading the validator, [RFC7208 section 4.6.4](https://www.rfc-editor.org/rfc/rfc7208) has put a limitation of no more than 10 SPF lookups. Note that the DNS query for the SPF policy record isn’t counted towards this limit.

![email security](https://www.duocircle.com/wp-content/uploads/2023/04/spf-lookup.jpg) 

Once you’ve reached the 10 lookup SPF record limit, a validator can’t perform DNS queries. You’ll encounter the SPF permanent error; too many DNS lookups or [permerror errors](/content/spf-permerror). As per the RFC, a DNS query of a hostname found in an MX record shouldn’t generate more than 10 _A_ or _AAAA_ records. When a DNS _PTR_ query generates over 10 results, only the first 10 results are utilized for SPF lookup. 

Using our SPF lookup tool, you can eliminate errors and enjoy non-affected [email deliverability](https://www.campaignmonitor.com/resources/glossary/email-deliverability/).

![office 365 tenant to tenant migration](https://media.mailhop.org/duocircle/images/2021/11/ms-office365-migration-guide.png) 

### What Happens if You Have More Than 10 SPF Lookups?

If you come across the SPF too many included lookups error, then your email messages can **fail SPF inspection**, which can give rise to email deliverability issues and degrade your domain reputation. Email deliverability refers to the possibility of your emails reaching the desired recipients’ mailboxes without getting rejected or being marked as spam. 

You can observe the _Permerror_ through DMARC monitoring, where you can also choose how to manage such emails. You can select one of the policies- **p=none** (no action is taken against the failed emails), **p=reject** (entry of failed emails is rejected from recipients’ mailboxes), and **p=quarantine** (failed emails are marked as spam). 

Recipients’ validators evaluate SPF policy from left to right. The assessing process stops when they find a match on the sender’s IP address. Depending on the sender, a validator may not reach the 10 SPF lookup limit despite the policy requiring over 10 SPF lookups to evaluate fully. This makes it challenging to spot SPF record limit-related email deliverability issues.

![tenant migration](https://media.mailhop.org/duocircle/images/2022/01/O365-Migration-to-O365.png) 

### Is SPF Void Lookup the Same as SPF Record Lookup?

No, these two terms are different. SPF void lookup is when a DNS lookup shows a void or null response during verification. This is a whole different side of SPF errors that you may encounter while deploying and maintaining SPF.

The RFC has set the SPF void lookup limit to 2 to prevent errors in a record that may give rise to the initiation of Denial of Service or [DoS attacks](https://thehackernews.com/2023/03/new-golang-based-hinatabot-exploiting.html).

![dmarc records](https://media.mailhop.org/duocircle/images/2021/12/DMARC-myth.png) 

### How to Fix Too Many SPF Lookups?

You can fix the [SPF with too many DNS lookups](/content/spf-too-many-dns-lookups) error using the **SPF record flattening technique** that optimizes SPF records. It replaces all nested _include_ statements in a record with their corresponding IPs or CIDR ranges. [CIDR](https://en.wikipedia.org/wiki/Classless%5FInter-Domain%5FRouting) stands for Classless Inter-Domain Routing, a group of addresses sharing the same prefix and including the same number of bits. This decreases the number of DNS queries needed for SPF record verification since validators don’t have to query each included domain individually.

SPF record flattening technique minimizes SPF lookup numbers that let emails pass the verification checks despite the original record exceeding the 10 DNS SPF lookup limit. In addition, it also reduces the risk of [SPF record validation failures](/content/spf-validation-failed) occurring because of DNS query timeouts or temporary DNS server issues.

### How to Reduce the Number of Required Lookups?

Mid and large-sized enterprises find it challenging to stay within the 10 SPF lookup limit as the email-sending behavior has changed significantly since 2006, when RFC4408 was deployed. These days businesses use cloud-based platforms within a single domain. Nonetheless, the following techniques can help reduce the number of required SPF lookups.

#### Get Rid of Unused Services

Carefully evaluate your SPF record and see if it has any unused or unrequired services. Check it for the ‘_include’_ tag and other mechanisms displaying domains of inactive services.

#### Remove the Default SPF Values

_v=spf1 a mx_ is the default SPF policy. As A and AAAA records are used for web servers that may not send emails, ‘_a’_ and _‘mx’_ tags aren’t required. 

#### Don’t Use the _PTR_ Mechanism

Experts don’t encourage the use of the _ptr_ mechanism as it’s vulnerable to security threats and isn’t quite reliable. It causes the SPF permanent error; too many DNS lookups problem by requiring more SPF lookups. So, it’s advised to avoid it as much as possible.

![email security](https://www.duocircle.com/wp-content/uploads/2023/04/spf-security.jpg) 

#### Don’t Use the _mx_ Mechanism

The _mx_ mechanism is included for receiving emails and not necessarily for sending them. So, it can be avoided without causing any SPF errors. This helps you stay within the 10 DNS SPF lookup limit. Cloud-based email service users should use the **‘\*\*\*\*_include’_** **mechanism instead**.

#### Use IPv6 or IPv4

IPv6 and IPv4 don’t require additional lookups, helping you stay within the 10 SPF lookup limit. But, you must stay updated and maintain them as they are likely to get erroneous when not reconditioned.

![email security](https://media.mailhop.org/duocircle/images/2021/06/Aggregate-DMARC-Reports.png) 

### Final Thoughts

The 10 SPF lookup limit is set to avoid DoS and other cyberattacks. The attempt also saves validators’ bandwidth, time, and CPU capacity. Deploying and managing SPF can be a tedious and complicated task. That’s why we help you stay within the lookup limit. Reach out to us to improve email deliverability and prevent spoofing attacks attempted by exploiting your system vulnerabilities. 

![email security](https://media.mailhop.org/duocircle/images/2021/12/email-migration-tools.png) 

## Ready to talk?

Same-day response from someone technical. We tell you yes or no quickly. If yes, we get to work.

[Talk to an Expert→](/contact/)[See what we make](/products/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"WebPage","name":"What is SPF Lookup Limit and How to Fix It?","description":"","url":"https://www.duocircle.com/resources/what-is-spf-lookup-limit-and-how-to-fix-it/","speakable":{"@type":"SpeakableSpecification","cssSelector":[".page-answer",".duo-rich-text p:first-of-type"]},"dateModified":"2023-04-20T18:28:06.000Z","datePublished":"2023-04-19T18:29:37.000Z"},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"DuoCircle","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"What is SPF Lookup Limit and How to Fix It?","item":"https://www.duocircle.com/resources/what-is-spf-lookup-limit-and-how-to-fix-it/"}]}]
```