SPF Flattening: Fix Too Many DNS Lookups (2026) | DMARCguard
SPF Flattening and the 10-Lookup Limit: How to Fix Too Many DNS Lookups

Out of 5,499,028 domains we scanned in our SPF Supply Chain Study, 148,655 exceed the SPF 10-lookup limit. That is 4.8% of all SPF-enabled domains running with broken email authentication right now. SPF flattening is the most commonly recommended fix, but it is not always the right one.

Every include: mechanism in a Sender Policy Framework DNS TXT record triggers a DNS lookup. Add enough email services and the record silently breaks: receivers return PermError, and deliverability fails for every message from your domain. There is no bounce notification on the sending side. The only evidence is missing mail and failing DMARC reports.

This guide covers exactly which mechanisms cost lookups, how to count yours, and five ways to fix the problem, from the fastest fix to the most sustainable approach.
[Figure: Each include mechanism costs DNS lookups. Exceed 10 and the entire SPF record fails.]

What Is the SPF 10 DNS Lookup Limit?

RFC 7208 Section 4.6.4 mandates a maximum of 10 DNS-querying mechanisms per SPF evaluation. The purpose is to prevent SPF from being abused as a denial-of-service amplification vector: without this cap, a single email could trigger hundreds of recursive DNS queries.

Not every SPF mechanism costs a lookup. The SPF lookup limit applies only to mechanisms that require a DNS query. ip4:, ip6:, and all do not trigger DNS queries and are exempt from the limit. This is a common misconception: many administrators believe all mechanisms count, but replacing a DNS-querying include: with an equivalent ip4: address removes it from the lookup budget entirely.

Here is the complete cost breakdown:

Mechanism / Modifier   DNS Lookups     Notes
include:               1 + nested      Each include triggers 1 query plus its tree
a / a:                 1               A/AAAA query
mx / mx:               1 + per-MX      MX query + A query per MX host
ptr                    1               Deprecated by RFC 7208; costs 1+
exists:                1               Single A query
redirect=              1 + nested      Replaces entire SPF evaluation
ip4: / ip6:            0               No DNS query needed
all                    0               No DNS query needed
[Table: SPF Mechanism DNS Lookup Cost]

The include: mechanism deserves special attention. Each include: costs 1 lookup plus every lookup in the included record. An include pointing to a provider with 3 nested includes costs 4 lookups total, not 1. This recursive counting is what makes the 10-lookup limit so restrictive in practice.

For a detailed comparison of the ~all and -all qualifiers and when to use each, see our guide on SPF softfail vs hardfail.

The Void Lookup Limit Most Admins Miss

RFC 7208 Section 4.6.4 defines a second, less-known limit: a maximum of 2 void lookups. A void lookup is any DNS query that returns NXDOMAIN (domain does not exist) or NODATA (domain exists but has no matching record). The RFC uses SHOULD language for this limit, while the 10-mechanism limit uses MUST, but in practice most major receivers enforce both.

Exceeding 2 void lookups triggers PermError, the same result as exceeding the 10-lookup limit. Void lookups and mechanism lookups are tracked independently, but they overlap: every void lookup also counts as 1 of the 10 mechanism lookups.

The most common cause is stale include: entries pointing to a decommissioned provider domain. When that domain returns NXDOMAIN, it counts as a void lookup. Two such stale includes exhaust the void budget immediately.

Trend Micro documented this exact scenario in KB article KA-0017579. After migrating from their old Hosted Email Security (HES) to TMEMS, customers who retained include:spf.hes.trendmicro.com in their SPF records experienced email bounces. The deprecated DNS entry returned an empty result, triggering a void lookup PermError. Removing the single stale include resolved the issue.

How Common Is This Problem?

The SPF 10-lookup limit is not a theoretical edge case. DMARCguard’s SPF Supply Chain Study (2026) scanned 5,499,028 domains from the Tranco Top Sites list and walked every SPF include chain to count actual DNS lookups.
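The kind of include-chain walk described above, as an added example that is neither DMARCguard's scanner nor code from the article: it applies the per-mechanism costs from the cost table and the void-lookup rule to a constructed in-memory zone (every domain name, address and MX host count below is made up), and shows the same domain before and after flattening its includes into ip4:/ip6: terms.

```python
# Constructed in-memory zone: domain -> SPF TXT record. None models a
# decommissioned include target (NXDOMAIN/NODATA), i.e. a void lookup.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example include:spf.old-vendor.example mx -all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ip4:203.0.113.0/24 ~all",
    "a.mailer.example": "v=spf1 a mx ip4:198.51.100.10 -all",
    "b.mailer.example": "v=spf1 a ip6:2001:db8::/32 -all",
    "spf.old-vendor.example": None,
    # example.com after flattening: include targets resolved to addresses
    # (192.0.2.7 stands in for the resolved "a" hosts), stale include dropped.
    "flat.example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 ip4:192.0.2.7 ip6:2001:db8::/32 mx -all",
}
# Constructed number of MX hosts per domain; each costs one extra A query.
MX_HOSTS = {"example.com": 2, "flat.example.com": 2, "a.mailer.example": 1}


def count_lookups(domain):
    """Return (mechanism_lookups, void_lookups) incurred by evaluating the
    record of `domain`. The query that fetched this record is charged by
    the caller, so a top-level call counts only what the record triggers."""
    record = ZONE.get(domain)
    if not record:
        return 0, 0
    lookups = void = 0
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")           # qualifiers do not affect cost
        if term.startswith("redirect="):
            name, target = "redirect", term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
        if name in ("ip4", "ip6", "all"):
            continue                         # no DNS query: exempt from the limit
        lookups += 1                         # include/a/mx/ptr/exists/redirect: 1 query
        if name in ("include", "redirect"):
            if ZONE.get(target) is None:     # stale target -> void lookup (also counted above)
                void += 1
            else:                            # recursive cost of the referenced record
                sub_lookups, sub_void = count_lookups(target)
                lookups, void = lookups + sub_lookups, void + sub_void
        elif name == "mx":                   # MX query plus one A query per MX host
            lookups += MX_HOSTS.get(target or domain, 0)
    return lookups, void


def evaluate(domain):
    """Apply the RFC 7208 4.6.4 budgets: more than 10 mechanism lookups or
    more than 2 void lookups yields PermError."""
    lookups, void = count_lookups(domain)
    status = "PermError" if lookups > 10 or void > 2 else "ok"
    return status, lookups, void
```

Running evaluate("example.com") shows the original record at 11 lookups with 1 void lookup, while the flattened record needs only the 3 lookups its mx mechanism costs.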
Of 3.1 million SPF-enabled domains, 148,655 (4.8%) exceed the 10-lookup limit. These domains risk PermError on every email they send.

The underlying cause is a supply chain risk: include is 32.3% of all SPF mechanisms, the most common DNS-querying mechanism by a wide margin. The top 5 email providers control 44.8% of the email supply chain, meaning a handful of include: additions can consume the entire budget.

148,655 domains exceed the SPF lookup limit

Our scan of 5.5 million domains found 148,655 with SPF configurations that exceed the 10-DNS-lookup limit defined in RFC 7208 Section 4.6.4. These domains risk PermError on every email they send. Read the full study.
Our scan also found 41,728 domains still using the deprecated ptr mechanism, wasting lookups on a mechanism that RFC 7208 explicitly discourages.

Vendor-reported data from AutoSPF (Apr, 2026) found that 41% of SPF failures across 187 fast-growing domains were caused by...