Free tool
SPF lookup depth.
Count how many DNS lookups your SPF record uses, trace the include chain, and see exactly where you're spending them.
The 10-lookup limit explained
RFC 7208 limits SPF evaluation to 10 DNS lookups per check. The table below lists how many lookups each mechanism or modifier costs:
| Mechanism | Lookups | Notes |
|---|---|---|
| include: | 1+ | 1 lookup per include, plus any nested lookups inside the included record |
| a / a: | 1 | Resolves the A/AAAA record for the domain |
| mx / mx: | 1 | Resolves MX records, then each MX hostname's A record |
| ptr | 1 | Reverse DNS lookup. Deprecated — avoid using |
| exists: | 1 | Checks if the specified domain resolves |
| redirect= | 1+ | Replaces the entire SPF evaluation with another domain's record |
| ip4: / ip6: | 0 | No DNS lookup needed — matches directly |
| all | 0 | No DNS lookup needed — always matches |
What happens when you exceed 10?
SPF PermError
When the evaluating server exceeds the 10-lookup limit, it returns a PermError. Most receivers treat this the same as an SPF fail, which can cause your mail to be rejected or sent to spam.
Silent failures
SPF PermError is often silent — you won't see a bounce message. The mail just goes to spam or gets dropped. This is why monitoring lookup count is important.
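The counting rules from the table above can be applied to a whole include chain with a short script. This is an added example, not DNS Doctors' own code: the `.test` records in `ZONE` are constructed sample data standing in for live DNS, and the function names are hypothetical. It counts every lookup-causing term (a static worst case; a real evaluator stops at the first matching mechanism).

```python
import re

LIMIT = 10  # RFC 7208 cap on DNS lookups per SPF check
ONE_LOOKUP = {"a", "mx", "ptr", "exists"}  # cost 1 each, per the table above

# Constructed sample records (domain -> SPF TXT), standing in for live DNS.
ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mail.test include:crm.test "
                    "include:help.test ip4:192.0.2.0/24 ~all",
    "_spf.mail.test": "v=spf1 include:_nb1.mail.test include:_nb2.mail.test "
                      "include:_nb3.mail.test ~all",
    "_nb1.mail.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_nb2.mail.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_nb3.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "crm.test": "v=spf1 a:out.crm.test mx exists:%{i}.rbl.crm.test ~all",
    "help.test": "v=spf1 redirect=_spf.help.test",
    "_spf.help.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

def trace(domain, zone=ZONE, depth=0, seen=()):
    """Return (lookups, lines): worst-case lookup count and an indented trace."""
    if domain in seen:  # include/redirect loop: stop descending
        return 0, ["  " * depth + f"! loop back to {domain}"]
    record = zone.get(domain)
    if record is None:
        return 0, ["  " * depth + f"! no SPF record at {domain}"]
    total, lines = 0, []
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        m = re.match(r"[+\-~?]?(redirect=|include:|[a-z0-9]+)(.*)", term, re.I)
        if not m:
            continue
        kind, arg = m.group(1).rstrip(":=").lower(), m.group(2)
        if kind in ("include", "redirect"):  # 1 lookup plus the nested record
            sub, sub_lines = trace(arg, zone, depth + 1, seen + (domain,))
            total += 1 + sub
            lines += ["  " * depth + f"{kind} {arg}: 1 + {sub} nested"] + sub_lines
        elif kind in ONE_LOOKUP:
            total += 1
            lines.append("  " * depth + f"{term}: 1")
    return total, lines  # ip4, ip6 and all add nothing

def check(domain, zone=ZONE):
    """Return (lookups, verdict, trace_lines) for the record at `domain`."""
    total, lines = trace(domain, zone)
    return total, ("permerror" if total > LIMIT else "ok"), lines

if __name__ == "__main__":
    total, verdict, lines = check("example.test")
    print("\n".join(lines))
    print(f"{total}/{LIMIT} lookups -> {verdict}")
```

The top-level record lists only five lookup-causing terms, but the nested includes and the redirect bring the total over the limit.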
How to fix it
Remove unused senders, consolidate includes, or use SPF flattening (with caution). See our SPF flattening guide for safe approaches.
Stay under the limit
DNS Doctors continuously monitors your SPF lookup count and alerts you before you hit the limit.