How do I fix the MXtoolbox SPF record DNS lookup limit exceeded error?
Summary
What email marketers say (11 marketer opinions)
Email marketer from EmailQuestions responds it's not a matter of the number of domains, it's a matter of the number of DNS queries that are required to resolve the SPF record. This is why it is essential to review and ensure each 'include' is absolutely necessary. It's also worth noting that each 'include' can itself include further DNS queries, which add to the total count.
Email marketer from MXToolbox states that the simplest solution is to use a dedicated sending domain or subdomain for each vendor. Each should have its own SPF record with ONLY what that vendor requires. You should also avoid using nested includes, such as using Include:vendor2.com in vendor1.com's SPF record.
Email marketer from domainfactory explains the easiest fix is to use the IP addresses of your mail servers directly instead of the include: statements to reduce the DNS lookups.
Email marketer from SuperUser responds it's always better to use as few includes as possible. But also, you must not include domains that do not send email. Another point to take into consideration: many ESPs allow you to use a subdomain instead of the main domain to send emails, so you can configure an SPF record for each one. So, if you can split your ESPs across different domains or subdomains, you can create different SPF records.
Email marketer from StackExchange responds you could implement SPF for the subdomain instead of the main domain, which means you could put all the 3rd parties in that record without any issue, however, you must configure your 3rd parties to send email FROM that subdomain rather than your primary domain.
Email marketer from EasyDMARC shares to resolve the SPF 10 DNS lookup limit, you should flatten your SPF record. This involves replacing 'include' statements with the actual IP addresses they resolve to. Be careful to keep the record updated as IP addresses change.
Email marketer from Spiceworks notes that if you're exceeding the limit, chances are you're including services you don't need to include. If you're using different systems that each need their own SPF entries, one trick you can use is to use subdomains for each service and then set up the SPF records for those subdomains accordingly.
Email marketer from StackOverflow advises to review your SPF record and identify redundant or unnecessary 'include' statements. Consolidate or remove any that are not essential for your email sending practices. For example, if a service uses a range of IPs, enter the IPs directly instead of using include, and use CIDR notation where applicable to reduce the number of IP entries.
Email marketer from dmarcian responds that SPF flattening is a common method, but has limitations. When IP addresses are updated, your SPF records need to be manually updated as well, which can be a maintenance overhead. Also, some DNS providers limit the number of characters allowed in a DNS record, so watch out for this.
Email marketer from Reddit explains a way to fix the issue is to use subdomains for different email sending services. Each subdomain can have its own SPF record, which helps to keep the DNS lookup count below the limit for each domain.
Email marketer from Reddit shares 'the best way is to remove what you don't need. If you include a domain in your SPF record, you are stating that all servers listed in that domain's SPF record are authorized to send email on behalf of your domain. So you're saying the ESP can send on behalf of your domain - is that really what you want?'
What the experts say (9 expert opinions)
Expert from Word to the Wise explains that SPF checks the domain in the 5321.MailFrom (Return-Path) header, not the From: header the end-user sees. This is important to understand when configuring SPF records, as the alignment between these domains impacts deliverability.
Expert from Word to the Wise explains that a common SPF mistake is using 'include:' statements excessively, which leads to exceeding the 10 DNS lookup limit. She recommends auditing your SPF record to remove unnecessary includes.
Expert from Email Geeks suggests that Sendgrid can probably be pulled from your SPF records too and recommends looking at the 5321.from to determine which to remove.
Expert from Word to the Wise responds 'using a subdomain for marketing mail is an EXCELLENT idea. It gives you so much more control. It's also a good way to divide reputation because stuff that happens on marketing.example.com won't affect transactional.example.com' - she is responding to a question about limiting the number of lookups.
Expert from Email Geeks explains that many ESPs are giving bad SPF advice.
Expert from Email Geeks shares if HubSpot is using a custom domain, you should have a specific record for what you're using in the 5321.from address, not the base domain, and potentially remove the HubSpot include from your TXT record. They then share a link to their article: <https://wordtothewise.com/2022/06/stop-with-the-incorrect-spf-advice/>
Expert from Email Geeks explains that checking which top-level includes are needed and removing the ones that are not needed is the solution to fixing SPF record issues.
Expert from Email Geeks states that the whole “too many lookups” issue is generally solved by not publishing SPF for domains other than those in the 5322.from. This is the first time I’ve heard of publishing SPF for a local part.
Expert from Email Geeks explains that you likely don't need to add SPF include records for every ESP or SaaS tool to your root domain.
What the documentation says (4 technical articles)
Documentation from Google Workspace Admin Help explains that the SPF specification (RFC 7208) limits the number of DNS lookups to 10. This limit is in place to prevent denial-of-service attacks and to ensure timely email delivery. To fix this error, reduce the number of 'include' mechanisms and nested lookups in your SPF record.
Documentation from RFC 7208 specifies that SPF implementations MUST limit the number of mechanisms and modifiers that cause DNS lookups to at most 10 per SPF check, including any lookups caused directly or indirectly by these mechanisms and modifiers.
Documentation from AuthSMTP Support shares that too many includes are commonly caused when using multiple sending providers. You should ensure that you only include the sending providers you actually use in the SPF record. Consider using subdomains to split up SPF records for different services, thus reducing the number of lookups on the primary domain's SPF record.
Documentation from DigitalOcean shares that an SPF record can include a maximum of 10 DNS lookups, including nested lookups from 'include' statements. You can reduce the number of lookups by minimizing the use of 'include' statements, using IP addresses directly, and consolidating SPF records.
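Several answers above say the limit is about DNS queries rather than the number of includes, and several recommend flattening while warning about maintenance and record-size limits. The script below, an added example that is not from the page or from any of the quoted sources, makes both points concrete: it counts the lookup-causing terms of RFC 7208 (include, a, mx, ptr, exists, redirect) recursively through nested includes, then produces a flattened record and packs it into TXT strings. It runs offline against a constructed zone map of hypothetical domains (example.com, esp-one.example, crm.example, helpdesk.example and their children) standing in for live DNS; a real tool would query TXT records instead. Two details a flattener must get right are shown: a bare a, mx or ptr inside an included record refers to the included domain, so it is pinned to that domain when copied up, and terms with -, ~ or ? qualifiers inside an include never propagate to the parent, so they are dropped.

```python
"""Count the DNS lookups an SPF record costs (RFC 7208, section 4.6.4) and
flatten its include: terms, run offline against a constructed zone map."""
import re

# Constructed TXT records for hypothetical domains; a real tool would query DNS.
FAKE_DNS = {
    "example.com": "v=spf1 include:esp-one.example include:crm.example include:helpdesk.example mx -all",
    "esp-one.example": "v=spf1 include:_spf.esp-one.example ~all",
    "_spf.esp-one.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "crm.example": "v=spf1 include:a.crm.example include:b.crm.example -all",
    "a.crm.example": "v=spf1 ip4:203.0.113.0/25 a mx -all",
    "b.crm.example": "v=spf1 ip6:2001:db8::/32 -all",
    "helpdesk.example": "v=spf1 include:mail.helpdesk.example -all",
    "mail.helpdesk.example": "v=spf1 ip4:203.0.113.128/25 ptr -all",
}

# Terms that cause a DNS query and count toward the limit of 10; ip4, ip6, all and exp do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TXT_STRING_MAX = 255  # bytes per <character-string> in a TXT resource record


def parse_term(term):
    """Split 'qualifier name[:domain][/cidr]' into (qualifier, name, domain_or_None, rest)."""
    qualifier = term[0] if term[0] in "+-~?" else ""
    body = term[len(qualifier):]
    name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
    rest = body[len(name):]  # e.g. ':a.crm.example/24', '/24' or ''
    domain = rest[1:].split("/")[0] if rest[:1] in (":", "=") else None
    return qualifier, name, domain, rest


def terms_of(record):
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return parts[1:]


def count_record(record, dns, path=()):
    """DNS lookups that evaluating `record` costs, including nested includes and redirects."""
    total = 0
    for term in terms_of(record):
        _, name, domain, _ = parse_term(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and domain and domain not in path:
            # A missing target would be a permerror in a live check; here it adds no further lookups.
            total += count_record(dns.get(domain, "v=spf1"), dns, path + (domain,))
    return total


def count_domain(domain, dns=FAKE_DNS):
    return count_record(dns[domain], dns, (domain,))


def _flatten_terms(domain, dns, path, top):
    out = []
    for term in terms_of(dns[domain]):
        qualifier, name, target, rest = parse_term(term)
        if name in ("include", "redirect"):
            if target and target not in path:  # skip loops instead of recursing forever
                out.extend(_flatten_terms(target, dns, path + (target,), False))
        elif top:
            out.append(term)  # the domain's own terms keep their meaning and qualifier
        elif name == "all" or qualifier in ("-", "~", "?"):
            # Inside an include only a 'pass' propagates: fail/softfail/neutral terms and the
            # include's own 'all' never affect the parent record, so they are dropped.
            continue
        elif name in ("a", "mx", "ptr") and target is None:
            # A bare a/mx/ptr refers to the *included* domain; pin it so the meaning survives.
            out.append("%s:%s%s" % (name, domain, rest))
        else:
            out.append(term)
    return out


def flatten(domain, dns=FAKE_DNS):
    """Return domain's SPF record with every include:/redirect= replaced by what it resolves to."""
    return " ".join(["v=spf1"] + _flatten_terms(domain, dns, (domain,), True))


def txt_strings(record, limit=TXT_STRING_MAX):
    """Pack a record into strings of at most `limit` bytes, split at term boundaries.
    Resolvers concatenate TXT strings without adding spaces, so each boundary space
    is kept at the start of the following string."""
    strings, current = [], ""
    for term in record.split():
        candidate = (current + " " + term) if current else term
        if len(candidate.encode()) > limit:
            strings.append(current)
            current = " " + term
        else:
            current = candidate
    return strings + [current]


if __name__ == "__main__":
    print("lookups for example.com:", count_domain("example.com"), "(limit %d)" % MAX_LOOKUPS)
    flat = flatten("example.com")
    print("flattened:", flat)
    print("lookups after flattening:", count_record(flat, FAKE_DNS))
    print("TXT strings:", txt_strings(flat))
```

With the constructed data the root record costs 11 lookups, one over the limit, even though it has only three includes. The flattened version still costs 4, because the a, mx and ptr terms inherited from the includes each remain a query; only ip4/ip6 terms are free. The flattened output is a snapshot of the included providers' addresses at the time it was generated, which is the maintenance cost the dmarcian answer describes.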