2026-04-18·7 min readSPFEmail Security

The 10-lookup problem

SPF (Sender Policy Framework) records tell receiving mail servers which IP addresses are allowed to send email on behalf of your domain. Every time your SPF record references another domain with an include: mechanism, that counts as a DNS lookup.

The SPF specification (RFC 7208) imposes a hard limit: a maximum of 10 DNS lookups per SPF evaluation. If your record exceeds this limit, the entire SPF check fails with a permerror, and receiving servers may reject or junk your email.

Why businesses hit the limit

Modern email infrastructure relies on multiple third-party services. Each one adds at least one include: to your SPF record:

Service	Typical SPF Include
Google Workspace	include:_spf.google.com (3 lookups)
Microsoft 365	include:spf.protection.outlook.com (2 lookups)
Mailchimp	include:servers.mcsv.net (1 lookup)
Salesforce	include:_spf.salesforce.com (1 lookup)
HubSpot	include:spf.hubspot.com (1 lookup)
Zendesk	include:mail.zendesk.com (1 lookup)

A company using Google Workspace, Mailchimp, HubSpot, and Zendesk is already at 6 direct lookups. But each include: can contain nested includes, and those count too. It is common to exceed 10 total lookups with just three or four services.

What is SPF flattening?

SPF flattening replaces include: mechanisms with the actual IP addresses they resolve to. Instead of telling receivers "look up Google's SPF record," you list Google's IP ranges directly in your record.

Before flattening:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:spf.hubspot.com ~all

After flattening:

v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ip4:35.190.247.0/24 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ~all

The flattened version uses zero DNS lookups because ip4: and ip6: mechanisms do not count toward the limit.

Step-by-step: flatten your SPF record

Step 1: Audit your current SPF record

Use the free SPF Checker to see your current record, the total lookup count, and which includes are consuming lookups.

Step 2: Identify which includes to flatten

Not every include needs flattening. Prioritize:

Services with stable IP ranges that rarely change

Includes that contain nested includes (these consume multiple lookups)

Services you use infrequently but still need authorized

Keep include: mechanisms for services whose IP ranges change frequently, and flatten the rest.

Step 3: Resolve the IP addresses

For each include you want to flatten, resolve the full chain of IP addresses. You can do this manually:

dig TXT _spf.google.com +short

Then recursively resolve any nested includes until you have only ip4: and ip6: entries.

Step 4: Build the flattened record

Combine all resolved IP ranges into a single SPF record. Keep the v=spf1 prefix and your chosen enforcement mechanism (~all or -all).

If the resulting record exceeds the 255-character DNS TXT record limit, split it across multiple strings within the same TXT record, or use multiple SPF records via the include: mechanism pointing to subdomains you control.

Step 5: Publish and verify

Update your DNS TXT record with the flattened version. Then verify it with the SPF Checker to confirm:

The lookup count is within the 10-lookup limit

All legitimate sending services are still authorized

No syntax errors were introduced

Step 6: Set up monitoring

IP ranges change. Google, Microsoft, and other providers update their sending infrastructure periodically. If a provider adds new IP addresses after you flatten, your SPF record will not include them, and email from those new IPs will fail SPF checks.

The maintenance problem

This is the biggest drawback of SPF flattening: it requires ongoing maintenance. When a provider changes their IP ranges, you must update your flattened record. If you do not, legitimate email starts failing authentication.

Options for managing this:

Manual checks: Review your flattened record monthly and re-resolve the original includes to check for changes

Automated flattening services: Third-party tools that monitor upstream changes and update your DNS automatically

Hybrid approach: Flatten only stable providers and keep include: for providers that change frequently

Alternatives to flattening

Multiple SPF subdomains

Instead of sending all email from your root domain, configure third-party services to send from subdomains (e.g., mail.yourdomain.com, marketing.yourdomain.com). Each subdomain gets its own SPF record with its own 10-lookup budget.

Reducing unnecessary includes

Audit which services actually send email on your behalf. Remove any include: mechanisms for services you no longer use. This is often the fastest fix.

Using ip4/ip6 for internal servers

If you have on-premises mail servers with static IP addresses, list them as ip4: entries instead of include: references. This frees up lookups for third-party services.

Common mistakes

Forgetting to update after provider IP changes causes silent email delivery failures

Exceeding the 255-character TXT record limit without proper string splitting causes the entire record to break

Flattening everything including volatile providers creates a maintenance burden that is hard to sustain

Not testing after changes means you may not notice problems until customers report missing email

Key takeaways

The SPF 10-lookup limit is a hard cap in the specification, not a guideline

SPF flattening replaces include: mechanisms with resolved IP addresses to reduce lookup count

Flattened records require ongoing maintenance because upstream IP ranges change

Subdomain delegation is often a more sustainable alternative for complex email setups

Always verify your SPF record after changes with a validation tool

Check your SPF record now

ShareTwitter LinkedIn EmailRSS

Ready to check your domain?

Run all 18 security checks in 2 minutes. Free, no signup required.

Check your SPF record →

SPF Flattening: A Step-by-Step Guide to Fixing Your DNS Lookup Limit