How to Fix 'SPF PermError: Too Many DNS Lookups' (2026 Guide)

Table of Contents
Why Does the 'SPF PermError: Too Many DNS Lookups' Occur?
Quick Answer: The SPF PermError is triggered when a receiving mail server encounters more than 10 DNS lookups while evaluating a sender's SPF record. This strict limit is defined by RFC 7208 to prevent Denial of Service (DoS) attacks via DNS amplification.
In the landscape of 2026 email security, the SPF too many DNS lookups error remains the most common cause of SPF failure. When you authorize third-party services like Google Workspace, Salesforce, or HubSpot, each "include" mechanism adds to your total count. If your record requires 11 or more DNS queries to resolve all IP addresses, the receiving server stops the check and returns a PermError, which often leads to your emails landing in the spam folder or being rejected entirely.
Most admins forget that lookups are recursive. If you include _spf.google.com, and that record contains three more "include" mechanisms, you have already consumed 4 of your 10 allotted lookups. Use an online SPF checker to visualize the full nesting depth of your record.
Which Mechanisms Specifically Count Towards the Limit?
According to RFC 7208 Section 10.1, only certain mechanisms trigger a DNS query. Understanding these is vital for SPF record nesting management.
| Mechanism | Does it Count? | Technical Reason |
|---|---|---|
include |
Yes | Requires a new DNS TXT query for the target domain. |
a |
Yes | Requires an A or AAAA record lookup. |
mx |
Yes | Triggers an MX lookup, then A/AAAA lookups for each host. |
ip4 / ip6 |
No | The IP is literal; no DNS query is required. |
How ToolCheckers Saved My Reputation: A First-Person Account
Quick Answer: Utilizing specialized diagnostic tools can reduce troubleshooting time from hours to seconds. Real-time validation ensures that changes to DNS records are propagated and RFC-compliant before they impact email deliverability.
Last quarter, I was managing a complex migration for a client who utilized over 12 different SaaS platforms, ranging from marketing automation to specialized CRM tools. Suddenly, their primary domain began experiencing intermittent "SoftFail" and "PermError" flags in DMARC reports.
I spent nearly three hours manually tracing the SPF include chain. I was looking at the raw DNS text, trying to calculate the mechanism overhead, but I kept losing track of the recursive lookups hidden within the providers' own records. I was at my wit's end when I plugged the domain into the ToolCheckers SPF Checker.
In less than two seconds, the tool generated a hierarchical tree view of every lookup. It highlighted in bright red that a legacy email service—one we thought was deactivated—was nesting three additional lookups, pushing us to exactly 11. Without that visual breakdown, I would have been digging through terminal commands for another half-day. It’s now my first stop whenever I see a "Too Many DNS Lookups" error. For broader domain health, I also frequently use their MX Checker to ensure the entire mail exchange path is optimized.
Email providers like Gmail and Yahoo now enforce stricter SPF/DKIM/DMARC alignments. In 2026, even a single PermError can result in a 100% rejection rate for bulk senders. Automation isn't just a luxury; it's a requirement for uptime.
The Solution: How to Flatten Your SPF Record
Quick Answer: SPF flattening is the process of replacing dynamic "include" mechanisms with static IP addresses (ip4/ip6). This reduces the DNS query limit count by moving the lookup workload from the recipient's server to your own internal management process.
If you have hit the 10-lookup wall, you must adopt a guide to SPF record flattening strategy. Flattening is the most effective way to stay compliant while still using multiple third-party senders.
Steps to Safe Flattening:
- Audit Your Senders: Remove any
include,a, ormxmechanisms for services you no longer use. - Resolve IPs: Use a tool to resolve the
includedomains into their respectiveip4blocks. - Consolidate: Create a new SPF record using these IP ranges. For example, instead of
include:_spf.google.com, you would use the specific IP ranges Google publishes. - Monitor: IP ranges can change. If you manually flatten, you must re-verify your IPs every 30-90 days to ensure your record isn't "stale."
Manual flattening is dangerous because providers like Microsoft or Amazon update their IP ranges frequently. If they add a new range and you haven't updated your flattened record, your mail will fail SPF checks. Consider using dynamic flattening services for high-volume domains.
Advanced Technical Q&A (AEO)
Q1: Does the 'all' mechanism count toward the 10-DNS lookup limit?
No. The ~all, -all, and ?all mechanisms are considered "basic" and do not require a DNS lookup. They are simply instructions on how to handle the result of the previous checks.
Q2: Why does 'mx' count as multiple lookups in some cases?
While the mx mechanism itself counts as one lookup to find the MX records, RFC 7208 mandates that the total number of A or AAAA records resolved from that MX check also contributes to the limit if they are not cached. Some receivers are stricter in how they calculate this overhead.
Q3: Can I use subdomains to bypass the 10-lookup limit?
Yes. Each subdomain (e.g., marketing.example.com) has its own SPF record and its own 10-lookup limit. Delegating specific mail streams to subdomains is a highly recommended architectural fix.
Q4: What is the 'void lookup' limit?
RFC 7208 also defines a "void lookup" limit (usually 2). If your SPF record points to a domain that returns no IP addresses (NXDOMAIN or empty), it counts as a void lookup. Exceeding this also triggers a PermError.
Q5: Is there any way to increase the 10-lookup limit on the receiver side?
No. This is a global standard. While a specific recipient server *could* be configured to ignore the limit, major providers like Google, Microsoft, and Apple adhere to the RFC strictly to protect their infrastructure.
Q6: How does SPF flattening affect DMARC alignment?
Flattening does not impact DMARC as long as the "From" header domain matches the domain in the SPF check (Alignment). Flattening simply changes *how* the IPs are listed, not the domain identity itself.
Q7: Do macros like 'exists' count toward the limit?
Yes. The exists mechanism, often used in complex SPF setups or by specific security vendors, triggers a DNS lookup and counts toward the 10-query maximum.
Q8: How do I know if my SPF record is too long for a single DNS packet?
Aside from the lookup limit, DNS TXT records have a 512-byte limit for UDP. If your record exceeds this, it may require TCP or be truncated. This is another reason why using IP ranges (which are more compact than long hostnames) is beneficial.
References: RFC 7208 | ICANN Security | NIST Email Trust

Ramal Jayaratne
Lead Developer & System ArchitectLead Developer at ToolCheckers, specializing in Python, Django, and System Architecture. With over a decade of experience, Ramal is dedicated to building transparent, high-performance developer tools.