How do I fix the MXToolbox SPF record DNS lookup limit exceeded error?

Summary

To resolve the MXToolbox SPF record DNS lookup limit exceeded error, a multi-faceted approach is required. The SPF specification (RFC 7208) limits DNS lookups to 10 to prevent DDoS attacks. Minimizing 'include' mechanisms is key. This involves auditing and removing unnecessary 'include' statements, replacing 'include' statements with direct IP addresses (SPF flattening), and utilizing subdomains for different email streams with separate SPF records. For services like HubSpot and Sendgrid, examine the 5321.from address for proper configuration. It's crucial to authorize only necessary domains and be wary of bad advice from ESPs. Maintenance is required with SPF flattening, and remember that the DNS query count matters, not just the domain count.

Key findings

  • RFC 7208 Limit: The SPF specification (RFC 7208) limits DNS lookups to 10.
  • Reduce Includes: Auditing and minimizing 'include' statements is crucial.
  • SPF Flattening: SPF flattening replaces 'include' with direct IPs.
  • Subdomain Strategy: Using subdomains helps manage reputation and limits root domain lookups.
  • 5321.from Check: Examine the 5321.from for HubSpot/Sendgrid configuration.
  • Authorize Domains: Ensure only necessary domains are authorized.
  • DNS Query Count: The DNS query count is what matters, not just the number of domains.

Key considerations

  • Maintenance: SPF flattening requires ongoing IP address updates.
  • Bad Advice: Be cautious of SPF advice from ESPs.
  • HubSpot/Sendgrid Specifics: Carefully configure HubSpot/Sendgrid to avoid unnecessary 'include' statements.
  • 5321.MailFrom: SPF checks the 5321.MailFrom; ensure proper alignment.
  • DDoS Prevention: The lookup limit prevents DDoS attacks.
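
The finding that the DNS query count, not the number of domains, decides the limit can be checked offline. This is an added example, not code from MXToolbox or any quoted source: it walks a constructed zone (every domain and record is hypothetical) and counts each term that costs a lookup under RFC 7208 (include, a, mx, ptr, exists, redirect), following nested includes. It assumes no macros in include targets and counts the worst case, where no earlier mechanism matches.

```python
"""Count the DNS-querying terms an SPF check of a domain can trigger (limit: 10)."""

# Constructed sample zone: domain -> published SPF TXT record. All names are
# hypothetical placeholders; no real DNS is queried.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:crm.example "
                   "include:news.example ip4:192.0.2.10 ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example "
                         "include:_c.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_c.mail.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "crm.example": "v=spf1 include:_spf.mail.example a:out.crm.example ~all",
    "news.example": "v=spf1 exists:%{i}.allow.news.example ip4:203.0.113.200 ~all",
    # Subdomain strategy: a dedicated sending subdomain with only one vendor.
    "news.example.com": "v=spf1 include:news.example ~all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10  # RFC 7208 maximum of lookup-causing terms per SPF check


def count_lookups(domain, zone, seen=()):
    """Return the number of lookup-causing terms reachable from domain's record."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in zone[domain].split()[1:]:        # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")               # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, seen + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()        # "a/24" -> "a"
        if name not in LOOKUP_MECHANISMS:
            continue                             # ip4, ip6 and all cost no query
        total += 1
        if name == "include":                    # nested records count as well
            total += count_lookups(arg, zone, seen + (domain,))
    return total


def audit(domain, zone=ZONE):
    """Return (lookup count, verdict) for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("permerror: too many DNS lookups" if n > LIMIT else "ok")
```

In this sample, example.com lists only three includes yet reaches 13 lookups, while the news.example.com subdomain that carries a single vendor needs 2.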

What email marketers say
11 marketer opinions

To resolve the MXToolbox SPF record DNS lookup limit exceeded error, several strategies are recommended. The primary approaches include reducing the number of 'include' statements in the SPF record, which can be achieved by removing unnecessary or redundant includes, flattening the SPF record by replacing 'include' statements with direct IP addresses, and utilizing subdomains for different email sending services, each with its own SPF record. It's also crucial to use as few includes as possible, ensuring that only domains actively sending email on your behalf are included, and to be aware of the potential maintenance overhead of flattening SPF records due to IP address changes.

Key opinions

  • Reduce Includes: Review and minimize the number of 'include' statements in your SPF record by removing unnecessary or redundant entries.
  • SPF Flattening: Consider flattening your SPF record by replacing 'include' statements with the actual IP addresses they resolve to.
  • Subdomain Usage: Utilize subdomains for different email sending services, assigning each its own SPF record to distribute the lookup load.
  • Domain Authorization: Ensure that all domains included in your SPF record are authorized to send email on behalf of your domain.
  • DNS Queries: Recognize that the number of DNS queries, not just the number of domains, is what contributes to the lookup limit.

Key considerations

  • Maintenance Overhead: Flattening SPF records requires ongoing maintenance to update IP addresses as they change.
  • Redundancy Avoidance: Avoid including services you don't need to include. Review and optimize SPF records regularly.
  • Subdomain Configuration: If implementing subdomains, ensure that all third-party services are configured to send email from the appropriate subdomain.
  • Direct IP Addresses: Using direct IP addresses can reduce lookups but may require more frequent updates as IP ranges change.
  • Necessity of Includes: Critically evaluate whether each 'include' is absolutely necessary, as each one can trigger further DNS queries.

Marketer view

Email marketer from EmailQuestions responds it's not a matter of the number of domains, it's a matter of the number of DNS queries that are required to resolve the SPF record. This is why it is essential to review and ensure each 'include' is absolutely necessary. It's also worth noting that each 'include' can itself include further DNS queries, which add to the total count.

January 2025 - EmailQuestions
Marketer view

Email marketer from MXToolbox states that the simplest solution is to use a dedicated sending domain or subdomain for each vendor. Each should have its own SPF record with ONLY what that vendor requires. You should also avoid using nested includes, such as using include:vendor2.com in the vendor1.com SPF record.

August 2021 - MXToolbox
Marketer view

Email marketer from domainfactory explains the easiest fix is to use the IP addresses of your mail servers directly instead of the include: statements to reduce the DNS lookups.

November 2021 - domainfactory
Marketer view

Email marketer from SuperUser responds it's always better to use as few includes as possible. But also, you must not include domains that do not send email. Another point to take into consideration: many ESPs allow you to use a subdomain instead of the main domain to send emails, so you can configure an SPF record for each one. So, if you can split your ESPs across different domains or subdomains, you can create different SPF records.

August 2023 - Super User
Marketer view

Email marketer from StackExchange responds you could implement SPF for the subdomain instead of the main domain, which means you could put all the 3rd parties in that record without any issue, however, you must configure your 3rd parties to send email FROM that subdomain rather than your primary domain.

January 2023 - StackExchange
Marketer view

Email marketer from EasyDMARC shares to resolve the SPF 10 DNS lookup limit, you should flatten your SPF record. This involves replacing 'include' statements with the actual IP addresses they resolve to. Be careful to keep the record updated as IP addresses change.

August 2021 - EasyDMARC
Marketer view

Email marketer from Spiceworks notes that if you're exceeding the limit, chances are you're including services you don't need to include. If you're using different systems that each need their own SPF entries, one trick you can use is to use subdomains for each service and then setup the SPF records for those subdomains accordingly.

May 2024 - Spiceworks
Marketer view

Email marketer from StackOverflow advises to review your SPF record and identify redundant or unnecessary 'include' statements. Consolidate or remove any that are not essential for your email sending practices. For example, if a service uses a range of IPs, enter the IPs directly instead of using include, and use CIDR notation where applicable to reduce the number of IPs listed.

June 2021 - StackOverflow
Marketer view

Email marketer from dmarcian responds that SPF flattening is a common method, but has limitations. When IP addresses are updated, your SPF records need to be manually updated as well, which can be a maintenance overhead. Also, some DNS providers limit the number of characters allowed in a DNS record, so watch out for this.

September 2024 - dmarcian
Marketer view

Email marketer from Reddit explains a way to fix the issue is to use subdomains for different email sending services. Each subdomain can have its own SPF record, which helps to keep the DNS lookup count below the limit for each domain.

February 2022 - Reddit
Marketer view

Email marketer from Reddit shares 'the best way is to remove what you don't need. If you include a domain in your SPF record, you are stating that all servers listed in that domain's SPF record are authorized to send email on behalf of your domain. So you're saying the ESP can send on behalf of your domain - is that really what you want?'

March 2021 - Reddit

What the experts say
9 expert opinions

To address the MXToolbox SPF record DNS lookup limit exceeded error, experts recommend several key strategies. Primarily, it's crucial to reduce the number of 'include' statements in your SPF record by auditing and removing unnecessary entries, as excessive use of 'include:' is a common mistake. For HubSpot and Sendgrid, check the 5321.from address to determine if they can be removed or if a specific record for that domain is needed instead of the base domain. Avoid publishing SPF records for domains other than those in the 5322.from. Using subdomains for different email types (e.g., marketing vs. transactional) can also help manage reputation and control, and potentially limit SPF lookups on the root domain.

Key opinions

  • Reduce Includes: Auditing and minimizing the number of 'include' statements is crucial to staying within the DNS lookup limit.
  • Check 5321.from: For services like HubSpot and Sendgrid, examine the 5321.from address to determine the correct SPF record configuration.
  • Subdomain Strategy: Using subdomains for different email streams (marketing, transactional) improves control and can limit SPF lookups on the root domain.
  • ESPs and SPF Advice: Be cautious of SPF advice from ESPs, as some may provide incorrect recommendations.
  • 5321 vs. 5322: Avoid publishing SPF records for domains other than those used in the 5322.from address.

Key considerations

  • HubSpot/Sendgrid Setup: Carefully examine HubSpot and Sendgrid configurations to ensure you're not using unnecessary 'include' statements at the root domain level.
  • Domain Alignment: Understand that SPF checks the 5321.MailFrom address, not the From: header; ensure proper alignment for deliverability.
  • Root Domain Includes: Evaluate each 'include' statement on the root domain to determine if it's truly necessary or if a more specific record or subdomain is appropriate.
  • Bad Advice: Be aware that some ESPs provide bad SPF advice which leads to lookup issues.

Expert view

Expert from Word to the Wise explains that SPF checks the domain in the 5321.MailFrom (Return-Path) header, not the From: header the end-user sees. This is important to understand when configuring SPF records, as the alignment between these domains impacts deliverability.

July 2022 - Word to the Wise
Expert view

Expert from Word to the Wise explains that a common SPF mistake is using 'include:' statements excessively, which leads to exceeding the 10 DNS lookup limit. She recommends auditing your SPF record to remove unnecessary includes.

March 2024 - Word to the Wise
Expert view

Expert from Email Geeks suggests that Sendgrid can probably be pulled from your SPF records too and recommends looking at the 5321.from to determine which to remove.

November 2023 - Email Geeks
Expert view

Expert from Word to the Wise responds 'using a subdomain for marketing mail is an EXCELLENT idea. It gives you so much more control. It's also a good way to divide reputation because stuff that happens on marketing.example.com won't affect transactional.example.com' - she is responding to a question about limiting the number of lookups.

July 2023 - Word to the Wise
Expert view

Expert from Email Geeks explains that many ESPs are giving bad SPF advice.

October 2021 - Email Geeks
Expert view

Expert from Email Geeks shares if HubSpot is using a custom domain, you should have a specific record for what you're using in the 5321.from address, not the base domain, and potentially remove the hubspot include from your TXT record. They then share a link to their article: <https://wordtothewise.com/2022/06/stop-with-the-incorrect-spf-advice/>

February 2023 - Email Geeks
Expert view

Expert from Email Geeks explains that checking which top-level includes are needed and removing the ones that are not needed is the solution to fixing SPF record issues.

October 2021 - Email Geeks
Expert view

Expert from Email Geeks states that the whole “too many lookups” is generally solved by not publishing SPF for domains other than those in the 5322.from. This is the first time I’ve heard of publishing SPF for a local part.

June 2023 - Email Geeks
Expert view

Expert from Email Geeks explains that you likely don't need to add SPF include records for every ESP or SaaS tool to your root domain.

May 2022 - Email Geeks

What the documentation says
4 technical articles

Documentation across various sources indicates that the MXToolbox SPF record DNS lookup limit exceeded error arises because the SPF specification (RFC 7208) restricts the number of DNS lookups to a maximum of 10 per SPF check to prevent denial-of-service attacks and ensure email delivery efficiency. To resolve this, the primary recommendation is to reduce the number of 'include' mechanisms and nested lookups in the SPF record. This can be achieved by ensuring that only actively used sending providers are included and by considering the use of subdomains to distribute SPF records, thus reducing the lookup load on the primary domain.

Key findings

  • RFC 7208 Limit: The SPF specification (RFC 7208) enforces a limit of 10 DNS lookups per SPF check.
  • Reduce Includes: Minimizing 'include' mechanisms and nested lookups is essential for resolving the error.
  • Subdomain Usage: Utilizing subdomains can help distribute SPF records and reduce lookups on the primary domain.
  • Active Providers Only: Ensure that only actively used sending providers are included in the SPF record.

Key considerations

  • Nested Lookups: Be aware that nested lookups from 'include' statements contribute to the overall lookup count.
  • DDoS Prevention: The lookup limit is in place to prevent denial-of-service attacks.
  • Efficient Delivery: Adhering to the lookup limit ensures timely email delivery.

Technical article

Documentation from Google Workspace Admin Help explains that the SPF specification (RFC 7208) limits the number of DNS lookups to 10. This limit is in place to prevent denial-of-service attacks and to ensure timely email delivery. To fix this error, reduce the number of 'include' mechanisms and nested lookups in your SPF record.

September 2022 - Google Workspace Admin Help
Technical article

Documentation from RFC 7208 specifies that SPF implementations MUST limit the number of mechanisms and modifiers that cause DNS lookups to at most 10 per SPF check, including any lookups caused directly or indirectly by these mechanisms and modifiers.

March 2025 - RFC Editor
Technical article

Documentation from AuthSMTP Support shares that too many includes are commonly caused when using multiple sending providers. You should ensure that you only include the sending providers you actually use in the SPF record. Consider using subdomains to split up SPF records for different services, thus reducing the number of lookups on the primary domain's SPF record.

August 2021 - AuthSMTP
Technical article

Documentation from DigitalOcean shares that an SPF record can include a maximum of 10 DNS lookups, including nested lookups from 'include' statements. You can reduce the number of lookups by minimizing the use of 'include' statements, using IP addresses directly, and consolidating SPF records.

June 2024 - DigitalOcean