SPF PermError: Too Many DNS Lookups
SPF Lookup Limits
SPF records can be complex and may include multiple recursive mechanisms, including include, redirect, and exists. To prevent a mail server from performing too many DNS lookups, evaluation of an SPF record is limited to a maximum of 10 lookups. When evaluating a record exceeds this limit, the mail server returns a PermError with the message "Too Many DNS Lookups".
v=spf1 include:_spf.google.com include:servers.mcsv.net include:salesforce.com include:mailchimp.com include:hubspot.com include:sendgrid.net a mx include:toomanydomains.com ip4:1.2.3.4/24 ~all
What counts as a lookup?
| Directive | Lookups | Example | Description |
|---|---|---|---|
| all | 0 | v=spf1 ~all | Matches all IPs. Used at the end of the record to define the default policy. |
| ip4 | 0 | ip4:1.2.3.4 | Matches an IPv4 address or range. |
| ip6 | 0 | ip6:2001:db8::1 | Matches an IPv6 address or range. |
| a | 1 | a or a:example.com | Matches the A record of the domain. |
| mx | 1 | mx or mx:example.com | Matches the MX records of the domain. Must return no more than 10 lookups. |
| include | 1 | include:example.com | Recursively evaluates the SPF record of another domain. |
| redirect | 1 | redirect=example.com | Replaces the current record with the SPF record of another domain. |
| exists | 1 | exists:example.com | Checks if a domain name has an A record. |
| ptr | 1 | ptr | Matches the reverse DNS of the connecting IP. Deprecated. |
Recommended Solutions
Audit for unused sources
Audit the allowed sources in your SPF record to ensure that they are necessary and that there are no duplicates. It's very common for organizations to switch email vendors and not remove the old SPF record. If you're able to remove an outdated source, this will resolve the issue in the simplest way possible.
Split Subdomains
Instead of sending all emails from one domain (company.com), split off subdomains for different types of email. For example, you can send marketing emails from marketing.company.com and transactional emails from transactional.company.com. This will reduce the number of DNS lookups required. Each subdomain will have its own SPF record with its reduced set of sources. This is a common practice for large organizations with multiple email vendors.
This also has the added benefit of ensuring the email reputation of each subdomain is independent of the others. If many emails from the marketing team are being sent as spam, it will have a smaller effect on the other domains.
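An added example, not part of the original page: a static lookup counter that applies the per-directive costs from the table above and follows include and redirect, run against the record shown earlier and against split-subdomain records. The ZONE dictionary stands in for live DNS; the toomanydomains.com, marketing.company.com and transactional.company.com records and the assignment of vendors to subdomains are constructed assumptions. It counts every term, so the result is the worst case for an evaluation that matches nothing before the end of the record.

```python
import re

LIMIT = 10  # maximum DNS lookups per SPF evaluation
# Terms that cost one lookup each; ip4, ip6 and all cost none.
COSTLY = {"include", "a", "mx", "exists", "ptr", "redirect"}

def parse_term(term):
    """Return (name, target) for one SPF term, dropping qualifier and CIDR."""
    m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term.lstrip("+-~?").lower())
    return (m.group(1), m.group(2)) if m else (None, None)

def count_lookups(domain, zone, path=()):
    """Worst-case lookup count for `domain`, following include and redirect.

    `zone` maps a domain to its SPF TXT string and stands in for live DNS.
    """
    record = zone.get(domain, "")
    if domain in path or not record.startswith("v=spf1"):
        return 0  # include loop, or no SPF record available for this name
    total = 0
    for term in record.split()[1:]:
        name, target = parse_term(term)
        if name in COSTLY:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return (count, verdict); verdict is 'PermError' when count exceeds LIMIT."""
    n = count_lookups(domain, zone)
    return n, "PermError" if n > LIMIT else "ok"

# Constructed zone data. The company.com record is the one shown earlier;
# every other record here is invented for the example.
ZONE = {
    "company.com": "v=spf1 include:_spf.google.com include:servers.mcsv.net "
                   "include:salesforce.com include:mailchimp.com include:hubspot.com "
                   "include:sendgrid.net a mx include:toomanydomains.com ip4:1.2.3.4/24 ~all",
    "toomanydomains.com": "v=spf1 include:a.toomanydomains.com mx ~all",
    "marketing.company.com": "v=spf1 include:servers.mcsv.net include:mailchimp.com include:hubspot.com ~all",
    "transactional.company.com": "v=spf1 include:sendgrid.net include:salesforce.com ~all",
}

if __name__ == "__main__":
    for d in ("company.com", "marketing.company.com", "transactional.company.com"):
        print(d, *audit(d, ZONE))
```

Vendor records that are absent from ZONE contribute nothing beyond their own include term here; against live DNS each of them can add further nested lookups.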
Other Solutions
Use SPF Record Flattening
You can use SPF Record Flattening to flatten the results of multiple SPFs into a single record. This will reduce the number of DNS lookups, but comes with operational complexity. If you're not using an automated solution, your record could be out of date and email will fail to deliver. If you're using an automated solution, you have to trust the provider to keep your record up to date.
Use SPF Macro Vendor
You can use a vendor that supports SPF Macro to flatten the results of multiple SPFs into a single record. This will reduce the number of DNS lookups, but comes with operational complexity. You'll need to work with your SPF vendor to maintain the record, as they will be responsible for updating the record when you add or remove sources.
While minor, the "source of truth" of your organizational policy will be with the vendor, not in the SPF record. If you need to switch vendors, you'll need to work with the new vendor to maintain the record.