What the generator actually checks
Many tools just paste includes end to end. Ours goes further: it resolves the configuration in DNS before letting you publish.
In practice, at generation time, it does four things.
First it resolves the include chain in DNS, using the same engine as our SPF syntax checker. An include:_spf.google.com is not a single query: it contains others, which contain others still. The generator follows them all and shows the real lookup count, not a back-of-the-envelope estimate.
Then it counts void lookups. A void lookup is a DNS query that returns nothing: an include for a domain that has disappeared, an NXDOMAIN, an empty response. RFC 7208 section 4.6.4 tolerates 2. The third one triggers a permerror. Many SPF records break because of an old provider whose include no longer resolves, without anyone noticing.
It also looks at your already published SPF. If it finds one, it will not let you stack a second on top (that would be an immediate permerror). It offers to replace the existing one, or tells you nothing changes if the SPF in place is already identical to the result.
Finally, it checks your DMARC. SPF alone leaves gaps; DMARC closes the loop. If a DMARC already exists, the generator offers to verify it; otherwise, to set one up.
Estimate as you type, real count at generation
The form shows a live estimate of DNS lookups while you check your providers. It is fast, based on the catalog, and gives an immediate order of magnitude.
The final result, by contrast, shows the real count after fully resolving the chain. It can be higher than the estimate, because nested includes only become visible once resolved in DNS. A provider that "costs" 1 in the catalog can consume three once its chain is unrolled.
Trust the final figure before publishing. That is the one that counts toward the limit of 10.
Add, replace or no change: what the generator recommends
The generator reads the SPF currently published on your domain, then adapts its instructions.
| Detected situation | Instruction | Why |
|---|---|---|
| No SPF published | Add a TXT record | The domain is not protected, so a record must be created |
| An SPF exists and differs | Replace the existing record | Two SPF records on one domain cause a permerror |
| An identical SPF is already there | No change | No need to republish the same value |
The rule to remember fits in one sentence: one domain, one SPF. If you add a provider, you edit the existing record, you do not create a new one.
What is an SPF record?
SPF (Sender Policy Framework) is an email authentication mechanism defined in RFC 7208. It lets a domain declare which servers are allowed to send emails on its behalf.
Without SPF, anyone can write an email pretending to be your domain. With a correct SPF, recipient servers compare the real sender against your authorized list and reject or mark anything that does not match.
Configuring SPF protects your domain against spoofing, improves the deliverability of your legitimate emails, and lays one of the two pillars of DMARC (the other being DKIM). Gmail, Outlook and Yahoo all check SPF: not having it means starting with a handicap.
SPF record syntax
An SPF record is a DNS TXT record that always starts with v=spf1:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 ~all
SPF mechanisms
| Mechanism | Description | Example | DNS Lookup |
|---|---|---|---|
| include: | Includes the SPF of another domain | include:_spf.google.com | Yes |
| ip4: | Authorizes an IPv4 address or range | ip4:192.0.2.1 or ip4:192.0.2.0/24 | No |
| ip6: | Authorizes an IPv6 address or range | ip6:2001:db8::1 | No |
| a | Authorizes the IP of the domain's A record | a or a:mail.captaindns.com | Yes |
| mx | Authorizes the domain's MX servers | mx | Yes |
| all | Defines the default behavior | -all, ~all, ?all | No |
Policy qualifiers
| Policy | Syntax | Meaning | Recommendation |
|---|---|---|---|
| Fail | -all | Reject unauthorized senders | Production, after testing |
| Softfail | ~all | Mark as suspicious, without blocking | To start |
| Neutral | ?all | No instruction | Not recommended |
?all is worth a closer look. When it comes to evaluation, it protects almost nothing: a recipient server treats it much like having no SPF at all. Avoid it, except for the brief window of a diagnostic.
The 10 DNS lookup limit
RFC 7208 caps SPF evaluation at 10 DNS lookups. It is a strict limit: exceeding it causes a permerror and validation failure.
What counts as a lookup
| Mechanism | Counts? | Note |
|---|---|---|
| include: | Yes, plus nested lookups | One include can hide several |
| a | Yes | |
| mx | Yes | Plus 1 per resolved MX record |
| redirect= | Yes | |
| exists: | Yes | |
| ip4: / ip6: | No | Prefer these to save lookups |
| all | No | |
The classic trap: an include that looks harmless. include:_spf.google.com itself contains several includes. That is where the generator's real count makes the difference over a rough estimate.
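The lookup and void-lookup counting described above, as an added example (not the generator's own code): a static walk over a constructed in-memory zone, so it runs offline. The `.test` domain names, the `ZONE` layout and the function names are assumptions; `a`, `mx` and `exists` are counted as one lookup each and their own answers are not modelled.

```python
MAX_LOOKUPS, MAX_VOID = 10, 2   # limits the page cites from RFC 7208

# Constructed zone: domain -> TXT strings. A missing key stands for NXDOMAIN.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:old-esp.test mx ip4:192.0.2.1 ~all"],
    "_spf.mail.test": ["v=spf1 include:_net1.mail.test include:_net2.mail.test ~all"],
    "_net1.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_net2.mail.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
}

def audit(zone, domain, state=None, path=()):
    """Walk the include/redirect chain of `domain`, counting lookups and voids."""
    if state is None:
        state = {"lookups": 0, "void": 0, "void_domains": []}
    answer = zone.get(domain)
    if not answer:                          # NXDOMAIN or empty answer: void lookup
        state["void"] += 1
        state["void_domains"].append(domain)
        return state
    records = [t for t in answer if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1 or domain in path:  # no or duplicate SPF, or include loop
        return state
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower().replace("=", ":", 1)
        name, _, arg = term.partition(":")
        name = name.split("/")[0]           # "a/24" is still the "a" mechanism
        if name in ("include", "redirect"):
            state["lookups"] += 1           # the TXT query for the target domain
            audit(zone, arg, state, path + (domain,))
        elif name in ("a", "mx", "exists"):
            state["lookups"] += 1           # counted once; answers not modelled
    return state

def verdict(state):
    """permerror once either limit is exceeded, as the page describes."""
    over = state["lookups"] > MAX_LOOKUPS or state["void"] > MAX_VOID
    return "permerror" if over else "ok"

if __name__ == "__main__":
    result = audit(ZONE, "example.test")
    print(result, verdict(result))
```

The top-level record shows three lookup-consuming terms, while the walk reports five lookups and one void lookup, which is the gap between the live estimate and the resolved count.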
Supported email providers
The generator knows the main email providers and adds their include in the correct format as soon as you check them. A single search covers the whole catalog, well beyond the common providers shown by default. Here are a few examples among the supported providers:
| Provider | SPF Include |
|---|---|
| Google Workspace | _spf.google.com |
| Microsoft 365 | spf.protection.outlook.com |
| Amazon SES | amazonses.com |
| SendGrid | sendgrid.net |
| Mailgun | mailgun.org |
| Brevo (formerly Sendinblue) | spf.sendinblue.com |
| Zoho | spf.zoho.com |
| Mailchimp | servers.mcsv.net |
| Postmark | spf.mtasv.net |
| HubSpot | spf.hubspot.com |
| Salesforce | _spf.salesforce.com |
| Infomaniak | spf.infomaniak.ch |
Your provider is not in the list? Search its name in the generator: the catalog goes well beyond these few examples.
FAQ - Frequently asked questions
Q: How do I create an SPF record for my domain?
A: Choose your email providers, add your IPs if needed, then select the policy (~all to start). The generator resolves the includes, shows the real DNS lookup count, and tells you whether to add an SPF or replace the one that already exists. Copy the TXT record and publish it in your DNS zone.
Q: What is a void lookup in SPF?
A: A DNS query that returns nothing: an include for a domain that has disappeared, an NXDOMAIN, an empty response. RFC 7208 section 4.6.4 allows at most 2. Beyond that, evaluation fails with a permerror. The generator detects and counts them while it resolves the chain.
Q: Does the generator show the real lookup count?
A: As you type, it is a quick estimate based on the catalog. On generation, it actually resolves the include chain in DNS, using the same engine as our SPF syntax checker. The final count is exact, and sometimes higher than the estimate, because it follows nested includes.
Q: Can the generator detect my current SPF?
A: Yes. It reads the SPF published on your domain. No SPF: it offers to add one. Existing and different SPF: it offers to replace it, never to create a second one. Already identical SPF: no change.
Q: Can I have multiple SPF records?
A: No. One SPF per domain. Publishing two causes a permerror. Combine your providers' includes into a single record.
Q: What is the difference between ~all and -all?
A: ~all (softfail) marks unauthorized senders as suspicious without blocking them. -all (fail) rejects them. Start with ~all while you validate, then switch to -all.
Q: How do I fix the too many DNS lookups error?
A: Remove unused includes, replace some includes with direct IPs (ip4/ip6 do not count), or flatten the record with our SPF Flattener. The generator shows the real lookup count so you can catch the problem before publishing.
Related tools
| Tool | Purpose |
|---|---|
| SPF Record Check | Verify your published SPF and its validity |
| SPF Flattener | Flatten your SPF to stay under the 10 DNS lookup limit |
| SPF Syntax Check | Validate SPF syntax before publishing |
| DKIM Generator | Create your DKIM keys (RSA/Ed25519) |
| DMARC Generator | Configure DMARC to complete authentication |
| Mail Tester | Test your email deliverability |
Useful resources
- RFC 7208 - Sender Policy Framework (SPF): official specification, including section 4.6.4 on void lookups
- RFC 7489 - DMARC: how SPF integrates with DMARC
- Google Workspace - set up SPF: official Google guide
- Microsoft 365 - set up SPF: official Microsoft guide