What is the “SPF too many DNS lookups” error?

Your SPF record might return an error called an “SPF PermError” to inquiring email servers if you have more than 10 lookups

In an SPF record, a lookup is required for any of the following SPF mechanisms: a , mx , include , or redirect.

That’s because each of these mechanisms requires the inquiring email server to do another DNS lookup.

The a and mx mechanisms will do one extra lookup to find the IP addresses associated to the corresponding a and mx records.

The include mechanism will do at least one extra lookup. Since include points to another SPF record, any lookups required in those records also count toward the 10 lookup limit as well. And if those SPF records also have include mechanisms…you get the point.

By the way, this nested counting applies to redirect to, but if you have a redirect mechanism, that should be the only directive in your entire SPF record.

The good news is that if you’ve already looked up an SPF record via the include mechanism, and later on it’s listed again (either on that same SPF record or—more likely—within an included SPF recorded), it won’t count twice. The email server should skip that lookup since it already did it earlier in the chain.

Some people make the mistake of thinking that if their SPF record contains less than 10 unique a, mx, and include mechanisms, they’re OK. That’s not true! Again, the total is the aggregate of the lookup counts for any included SPF records as well.

Then, how can you verify your SPF record is under the 10 lookup limit and avoid the SPF PermError? You can use a tool like the one I made for DnsDigest here. It’s free, un-walled, and there are no ads to close.

https://www.dnsdigest.com/spf/too-many-lookups (COMING SOON!!!!)

This will also check for any other common errors with your SPF record as well. I hope it helps!