FAQ

My SPF record has too many DNS lookups (permerror) - how do I fix it?

SPF allows a maximum of 10 DNS lookups; exceeding it causes a permerror and SPF effectively fails. Use SPF flattening to stay within the limit.

2 min readLast updated 14 June 2026
Jump to section

SPF has a hard limit: evaluating your record may trigger no more than 10 DNS lookups. Every include:, a, mx, ptr, exists, and redirect mechanism counts, and nested includes count too. Go over 10 and receivers return a permerror - at which point SPF effectively fails, taking out one of your two DMARC alignment paths.

Why it happens

Each email vendor you add (include:sendgrid.net, include:_spf.google.com, and so on) can itself expand into several more includes. A handful of vendors quickly blows past 10 lookups even though your record looks short.

How Blankitt DMARC helps

On the Domain detail page, the SPF flattening tool shows:

  • the full recursive include tree - so you can see exactly which includes expand into how many lookups, and
  • a flattened ip4/ip6 version - the same authorised servers expressed as literal IP ranges, which cost zero additional lookups.

Replacing chained include: mechanisms with flattened IP ranges keeps you comfortably under the 10-lookup ceiling.

Example

Before (many nested lookups):

v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all

After flattening (illustrative - use the actual ranges from the tool):

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all

Watch for SPF drift

The catch with flattening is that vendors change their IP ranges over time, so a flattened record can silently go stale. Blankitt DMARC re-checks SPF drift automatically every day and surfaces it on the Domain detail page, so you'll know when a flattened range no longer matches the vendor's current published SPF and needs updating. Changes to your DNS records are also tracked on the DNS Changelog page.

Good practice

  • Remove includes for vendors you no longer use.
  • Prefer flattening for stable vendors; keep include: for vendors that rotate IPs frequently, then watch the drift warnings.
  • Keep a sensible ~all (softfail) or -all (hardfail) at the end - DMARC alignment still depends on the SPF domain matching your From:.

You can validate the result at any time with the free checker at https://blankitt.com/dmarc/check.

Still stuck? Email support or open the support widget in the bottom-right.