Is your SPF record over the 10 DNS lookup limit?

Enter a domain to validate its SPF record and count every DNS lookup the way mailbox providers do, including the ones hiding inside nested includes. More than 10 is a permerror, and your mail silently loses authentication.

Frequently asked questions

What is the SPF 10 DNS lookup limit?
The SPF standard (RFC 7208) allows at most 10 DNS lookups when evaluating a record. Every include, redirect, a, mx, ptr, and exists mechanism costs one lookup, including those inside nested includes. Go over 10 and receivers return permerror, which means SPF permanently fails for your domain.
What does SPF permerror mean?
Permerror means the receiver couldn't evaluate your SPF record at all, most often because it needs more than 10 DNS lookups or the domain publishes multiple SPF records. Mail is treated as unauthenticated, which hurts deliverability even if the record looks complete.
How do I reduce SPF DNS lookups?
Remove includes for services you no longer use, and flatten stable includes into their ip4/ip6 ranges. Each include you remove eliminates its entire subtree of lookups. Some senders can also move to a subdomain with its own SPF record.
What's the difference between ~all and -all?
~all (softfail) asks receivers to treat unlisted servers with suspicion; -all (hardfail) says to reject them. Use ~all while you're still confirming every legitimate sender is in the record, then move to -all. Never use +all: it authorizes the entire internet.