Beware the SPF 10-record lookup limit
Let’s talk about one of the most annoying quirks in email authentication: the SPF 10-lookup limit. It’s obscure, it’s silent, and if you don’t know it’s there, it can completely wreck your deliverability without so much as a bounceback to warn you.
Welcome to the SPF record’s quiet little disaster zone.
First Off: What Is SPF?
SPF (Sender Policy Framework) is like a guest list for your domain’s emails. It tells receiving mail servers which IPs or services are allowed to send on your behalf.
A basic SPF record looks something like this:
v=spf1 include:sendgrid.net include:_spf.google.com ~allEach include: is a way of saying, “Hey, go check this other domain for more approved senders.” And each one of those can point to more includes or IP ranges.
And here’s the kicker…
The 10-Lookup Limit: SPF’s Most Frustrating Feature
The SPF spec (RFC 7208) sets a hard cap: you get 10 DNS lookups per SPF evaluation. Not 10 entries. Not 10 includes. Ten DNS queries total, including indirect ones.
Go over that limit, and SPF just… stops evaluating. The result? Permanent SPF failure. The receiving server may treat it as spam. Or worse — it might drop your message without a trace.
Here’s how that plays out in the real world.
Real Example: How You Blow the Limit Without Realizing
Say you run a small agency. You use:
- Google Workspace for team emails (
_spf.google.com) - SendGrid for transactional stuff (
include:sendgrid.net) - Mailchimp for marketing (
include:servers.mcsv.net) - HubSpot for CRM emails (
include:_spf.hubspotemail.net) - A VOIP system that sends voicemails via email (
include:voip-provider.com)
Now let’s look closer: each of those includes might pull 3–6 additional lookups. Suddenly, you’re sitting at 12–14 DNS queries — and SPF breaks.
But wait! There’s no red alert. No email service pings you saying “you broke SPF.” Your emails still look like they’re going through. You just get mysteriously lower open rates and zero replies from Gmail users.
What’s the Fix? Flattened SPF
This is where Hosted SPF (also called flattened SPF) steps in like the cool-headed engineer in a disaster movie.
Flattening means resolving all the includes ahead of time and hardcoding the actual IP addresses into a single SPF record. There’s no limit to how many IP addresses you can add, so instead of this:
v=spf1 include:sendgrid.net include:_spf.google.com ~allYou get something that would look like this:
v=spf1 ip4:192.254.112.0/24 ip4:192.254.121.0/24 ip4:149.72.0.0/16 ip4:167.89.0.0/17 ip4:198.21.0.0/21 ip4:208.117.48.0/20 ip4:216.15.128.0/20 ip4:216.18.32.0/20 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all
Catchy eh? But ZERO DNS lookups. SPF stays under the limit. Deliverability sighs in relief. Kind of.
But Flattened SPF Has a Catch: It Goes Out of Date Fast
IP addresses change. Providers update their infrastructure. A flattened record that worked perfectly in March might break by June.
If you’re doing it manually, you’ve basically signed yourself up for SPF babysitting duty. Every month. Forever.
Or (and here’s a wild idea) you could automate it.
Hosted SPF That Updates Itself
With Quinset Powermail, you don’t just get a one-time flattened record. You get a hosted SPF endpoint. A stable URL like:
v=spf1 include:sshop1zl2m.spf.powermail.quinset.co.uk -allWe take your list of providers, resolve them behind the scenes, flatten the IPs, and serve them from our end. When Mailchimp changes its IPs? We update. When HubSpot shifts its servers? We’ve got it.
No lookup bloat. No broken records. No weird spam-folder mysteries.
TL;DR: If You Care About Deliverability, Fix Your SPF
If you’re using more than two or three email platforms, odds are good you’re already dancing on the edge of SPF failure. And if you’ve got no idea how many lookups you’re using right now, well, that’s a red flag too.
Hosted SPF with Powermail gives you:
- Lookup-free SPF records (aka flattened, but smart)
- Automated updates when services change
- Cleaner, faster DNS responses
- And a whole lot less guesswork
Final Word
The SPF 10-lookup limit isn’t new, but it’s more of a problem than ever, thanks to all the tools we rely on. Flattened SPF isn’t just a fix. It’s table stakes if you care about deliverability.
If you’re curious where you stand, Powermail can scan your domain, flag SPF issues, and get you on a stable, hosted path forward. No babysitting required.
Need help? Contact us and we’ll do the SPF math so you don’t have to.
