How important is the 10 DNS lookups limit on SPF records?
Summary
What email marketers say (7 marketer opinions)
Email marketer from StackOverflow responds that exceeding the 10 DNS lookup limit causes an SPF 'permerror' and advises checking how many lookups you have, and flattening your record if required. If you can't flatten the record, try other authentication methods like DKIM to reduce dependence on SPF alone.
Email marketer from scotthelme.co.uk explains the 10 DNS lookup limit and suggests that exceeding it is a very bad idea. Scott Helme explains that mail servers will stop evaluating your SPF record the moment the 10 lookup limit is breached, and typically reject your emails due to SPF failing to pass. The best approach is to stay well below the limit.
Email marketer from Mailhardener responds that the 10 DNS lookup limit in SPF records is crucial, as exceeding it leads to SPF failing. Mailhardener explains that this failure negatively impacts email deliverability and recommends keeping the number of lookups below the limit by using tools to flatten the record.
Email marketer from Email Geeks advises against manual flattening of SPF records, as the included IPs may change without your knowledge. Instead, check the hosting provider's SPF record for unnecessary lookups that can be avoided. Hagop K. shares that hosting providers often include Google IPs that you may not be using.
Email marketer from StackExchange shares that exceeding the 10 DNS lookup limit in SPF records will cause the SPF check to return a 'permerror,' resulting in the email failing SPF authentication. Steve Black recommends flattening the SPF record to avoid exceeding the limit and improve deliverability.
Email marketer from Reddit advises that exceeding the 10 DNS lookup limit will cause your SPF record to fail and suggests using tools to flatten the record. Flattening combines all includes into a single record that uses fewer than 10 lookups.
Email marketer from Reddit shares that a broken SPF record due to exceeding the 10 lookup limit can lead to deliverability issues, with some providers rejecting emails outright, and others sending them to spam folders. Therefore, it's important to test that SPF records are valid and under the 10 lookup limit.
What the experts say (4 expert opinions)
Expert from Spam Resource explains that you have to stay under 10 DNS lookups within your SPF record, or it won't work. It is recommended to flatten the SPF record by manually doing the lookups and putting in A records instead of includes. This avoids any possible DNS lookup issues.
Expert from Word to the Wise responds that with SPF, you must make sure you're under the 10 DNS lookup limit. Laura Atkins recommends working with your providers to manage the includes, and understanding what DNS lookups each include is contributing to the overall count. If you can't keep it under 10, you have to flatten the SPF record.
Expert from Email Geeks responds that some recipients will be stricter than others about the RFC requirements on SPF records.
Expert from Email Geeks explains that exceeding 10 terms that involve DNS lookups in an SPF record (not the same as ten DNS queries) means the mail is not SPF authenticated according to the specification. Some recipients treat it strictly, while others don't.
What the documentation says (3 technical articles)
Documentation from SPF-record.com explains that the SPF standard dictates a limit of 10 DNS lookups. Exceeding this limit can cause SPF authentication to fail, as receiving mail servers are likely to ignore SPF results from records exceeding the limit. This can negatively impact email deliverability.
Documentation from dmarcian shares that SPF has a hard limit of 10 DNS lookups. This limit includes any nested lookups from 'include:' mechanisms. Exceeding this limit will cause the SPF check to fail. This happens because SPF queries are resource intensive, and too many queries could lead to denial-of-service issues and slow email processing.
Documentation from AuthSMTP responds that SPF records should not exceed 10 DNS lookups, as this is a common limitation that can cause authentication failures. AuthSMTP indicates that exceeding the limit can also cause temporary errors due to DNS timeouts or server load, affecting email delivery.
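
The points above that the limit applies to lookup-causing terms rather than raw DNS queries, and that nested 'include:' lookups count toward it, can be checked with a small counter. This is an added example, not code from any of the sources quoted on this page; the zone data and domain names are constructed, and it counts the worst case in which every term is evaluated, using the lookup-causing terms from RFC 7208 (include, a, mx, ptr, exists, redirect).

```python
import re

# Constructed sample zone (hypothetical domains): name -> published SPF TXT record.
SAMPLE_ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mailer.test include:_spf.crm.test ip4:192.0.2.0/24 -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.test": "v=spf1 a:out.crm.test exists:%{i}.allow.crm.test redirect=_spf.hosting.test",
    "_spf.hosting.test": "v=spf1 mx include:_a.mailer.test ptr -all",
}

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10


def count_lookup_terms(domain, zone, path=()):
    """Worst-case count of lookup-causing terms, following include/redirect."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    if domain not in zone:
        raise LookupError("no SPF record for " + domain)
    total = 0
    for term in zone[domain].split()[1:]:  # skip the "v=spf1" version tag
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1  # the term itself costs one lookup
        if m.group(1) in ("include", "redirect"):
            # Terms inside the referenced record count against the same limit.
            # The same record reached twice by different paths is counted twice.
            total += count_lookup_terms(m.group(2), zone, path + (domain,))
    return total


def spf_limit_result(domain, zone):
    """Return (count, verdict); more than LIMIT terms means permerror."""
    n = count_lookup_terms(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")


if __name__ == "__main__":
    print(spf_limit_result("example.test", SAMPLE_ZONE))
```

The top-level record for example.test shows only four lookup-causing terms, but the nested records bring the total over the limit, which is why a published record has to be counted recursively.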