SPF breakage 101: How to beat the 10 lookup limit

Published on: 1 December 2025
Last modified: 30 December 2025
4 min read

TL;DR

The problem: SPF has a hard limit of 10 DNS lookups per check. Exceed it and receivers return permerror instead of a pass, so legitimate email fails authentication.

Why it happens: Each email service (Google, Microsoft, Salesforce, etc.) adds lookups. Modern businesses quickly hit the limit.

Failed solutions:

  • Flattening (manual IP lists) - breaks when vendors change IPs
  • Multiple SPF records - violates RFC 7208, which treats more than one v=spf1 record on a domain as permerror
  • Ignoring it - causes deliverability failures

Real solution: Dynamic SPF automatically monitors vendor IP changes and keeps you under 10 lookups without manual work.

Bottom line: Traditional SPF workarounds fail. Dynamic SPF solves the lookup limit permanently.

SPF is deceptively simple, until it isn’t. RFC 7208 caps the DNS-querying terms (include, a, mx, ptr, exists and redirect) at 10 per check. Hit that ceiling (often via nested include: chains from multiple SaaS platforms) and receivers stop evaluating and return permerror rather than pass or fail. Because evaluation runs left to right and stops at the first match, a sender listed early in the record can still pass while one listed after the tenth lookup hits the error, so the failures look intermittent. DMARC then has nothing from SPF to align, and unless DKIM is aligned, deliverability suffers.

How we get here

Modern stacks grow organically: marketing automation, product notifications, support desks, billing, plus regional relays. Each adds SPF includes. A few acquisitions later and you’re unknowingly over the limit. Result: messages that “sometimes” fail for no visible reason—a nightmare to triage.

A practical fix pattern

  1. Reduce depth. Replace deep, vendor-of-vendor includes with published netblocks or dedicated sub-includes where providers support it.
  2. Prefer DKIM for alignment. DMARC passes when either SPF or DKIM yields an aligned pass, so an aligned DKIM signature carries a message even when SPF breaks through forwarding or an over-limit permerror.
  3. Consolidate senders. Retire dormant services; move low-volume systems behind a single relay.
  4. Stage policy changes. Publish DMARC at p=none, fix alignment, monitor, then tighten to quarantine and reject.

Bonus step: Overcome the 10-lookup limit with Red Sift OnDMARC. Our Dynamic SPF provides a reliable SPF lookup limit fix by consolidating records and removing the need for macros.

Note: Not every sender needs an SPF include. SPF is evaluated against the RFC5321.MailFrom (Return-Path) domain, not the visible From: header, so check which domain a vendor puts in the return path before adding its mechanism. If the vendor uses its own bounce domain or one of your subdomains, a mechanism on your root domain does nothing for that mail and still costs you a lookup; such senders need an aligned DKIM signature to pass DMARC.
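To show why step 2 above and the return-path note matter, here is an added Python example (not the page's or OnDMARC's code) that applies the DMARC alignment rule from RFC 7489 section 3.1 to a handful of constructed scenarios: a forwarded message, an SPF permerror, a vendor that uses its own bounce domain, and a DKIM key on a subdomain under relaxed versus strict alignment. The org_domain() helper is a deliberate simplification (last two labels) standing in for Public Suffix List logic, and every domain and verdict in SCENARIOS is invented.

```python
"""DMARC alignment check (RFC 7489 section 3.1) over constructed verdicts.

Added example, not the page's or OnDMARC's code. The scenarios at the bottom
are invented; org_domain() is a simplification (see its docstring).
"""
from dataclasses import dataclass
from typing import Dict, Optional


def org_domain(name: str) -> str:
    """Organizational domain, simplified to the last two labels. Real
    evaluators use the Public Suffix List (example.co.uk etc.); assumption."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str        # RFC5322.From domain: what DMARC aligns against
    mail_from: str          # RFC5321.MailFrom / Return-Path domain: what SPF checked
    spf_result: str         # pass / fail / softfail / permerror / none
    dkim_d: Optional[str]   # d= of a signature that verified, or None
    dkim_result: str        # pass / fail / none


def dmarc_result(msg: Message, aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """DMARC passes when at least one authenticator both passed and aligned."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.header_from, msg.mail_from, aspf)
    dkim_ok = (msg.dkim_result == "pass" and msg.dkim_d is not None
               and aligned(msg.header_from, msg.dkim_d, adkim))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios (no real vendor or domain).
SCENARIOS = {
    "own relay": Message("example.com", "example.com", "pass", "example.com", "pass"),
    "forwarded": Message("example.com", "example.com", "fail", "example.com", "pass"),
    "spf over limit": Message("example.com", "example.com", "permerror", "example.com", "pass"),
    "vendor bounce domain, vendor dkim":
        Message("example.com", "bounce.vendor.example", "pass", "vendor.example", "pass"),
    "vendor bounce domain, delegated dkim":
        Message("example.com", "bounce.vendor.example", "pass", "example.com", "pass"),
    "subdomain dkim key": Message("example.com", "example.com", "fail", "mail.example.com", "pass"),
}


def run_all(aspf: str = "r", adkim: str = "r") -> Dict[str, str]:
    """Overall DMARC verdict per scenario under the given alignment modes."""
    return {name: str(dmarc_result(m, aspf, adkim)["dmarc"]) for name, m in SCENARIOS.items()}


if __name__ == "__main__":
    for name, m in SCENARIOS.items():
        print(f"{name:38s} {dmarc_result(m)}")
```

The two vendor scenarios are the point of the return-path note: the vendor's SPF passes, but against its own bounce domain, so it is not aligned and contributes nothing; only a DKIM signature with d= in your domain (typically via a delegated key) gets that mail through DMARC. The forwarded and over-limit cases show DKIM carrying the message when SPF is unusable.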

Guardrails you’ll want

  • DMARC reports surface which IPs/services are failing so you prune safely.
  • Run live checks before/after DNS changes to avoid propagation-time surprises.

How Red Sift OnDMARC overcomes the 10 lookup limit

Red Sift OnDMARC includes Dynamic SPF technology that keeps your record inside the 10 DNS lookup limit without compromising email deliverability or security.[1]

The Dynamic SPF approach:

Rather than using traditional SPF records that reference third-party domains (each consuming precious lookups), Dynamic SPF maintains a single, flattened record that Red Sift automatically updates in real-time. The platform continuously monitors all your authorized email services for IP address changes and instantly updates your SPF record when vendors modify their infrastructure.

How it works:

  1. Automated monitoring: Red Sift tracks IP addresses for all your email sending services (Google Workspace, Microsoft 365, Salesforce, HubSpot, etc.) in real-time.
  2. Intelligent flattening: The platform converts domain-based SPF includes into IP addresses, dramatically reducing lookup counts while maintaining complete coverage.
  3. Proactive updates: When a vendor changes their sending IPs, Red Sift detects it immediately and updates your SPF record automatically, typically within minutes.
  4. Zero manual intervention: Unlike traditional SPF flattening that requires constant monitoring and manual updates, Dynamic SPF handles everything behind the scenes.
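To make the mechanics concrete, here is an added Python example (not the page's or OnDMARC's code) that walks a constructed SPF include tree the way a receiver does, counts the terms RFC 7208 charges against the 10-lookup limit (the failure described under "How we get here"), and then performs the flattening that step 2 above automates: every include, redirect, a and mx is replaced by literal ip4:/ip6: terms. All domain names, records and addresses are invented and use documentation ranges; a real tool would query DNS instead of the ZONE, A_RECORDS and MX_RECORDS tables and re-run whenever a vendor's data changes.

```python
"""Offline model of RFC 7208's 10-lookup limit and of SPF flattening.
Added example; not the page's or OnDMARC's code. The zone, A and MX data
are constructed and name no real vendor; counts are worst case over the tree.
"""
import ipaddress
from typing import Dict, List, Tuple

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # the terms it counts

# One root domain, four SaaS vendors, some nesting their own includes.
ZONE: Dict[str, str] = {
    "example.com": ("v=spf1 include:_spf.mail-a.example include:_spf.crm-b.example "
                    "include:_spf.helpdesk-c.example include:_spf.billing-d.example mx -all"),
    "_spf.mail-a.example": "v=spf1 include:_nb1.mail-a.example include:_nb2.mail-a.example ~all",
    "_nb1.mail-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mail-a.example": "v=spf1 ip6:2001:db8:a::/48 ~all",
    "_spf.crm-b.example": "v=spf1 include:_spf.upstream-b.example ip4:198.51.100.0/25 ~all",
    "_spf.upstream-b.example": "v=spf1 a:relay.upstream-b.example ip4:198.51.100.128/25 ~all",
    "_spf.helpdesk-c.example": ("v=spf1 include:_spf1.helpdesk-c.example "
                                "include:_spf2.helpdesk-c.example include:_spf3.helpdesk-c.example ~all"),
    "_spf1.helpdesk-c.example": "v=spf1 ip4:203.0.113.32/27 ~all",
    "_spf2.helpdesk-c.example": "v=spf1 ip4:203.0.113.64/27 ~all",
    "_spf3.helpdesk-c.example": "v=spf1 ip4:203.0.113.96/27 ~all",
    "_spf.billing-d.example": "v=spf1 redirect=_spf.billing-d-new.example",
    "_spf.billing-d-new.example": "v=spf1 ip4:192.0.2.0/24 ~all",  # overlaps mail-a on purpose
}
A_RECORDS: Dict[str, List[str]] = {"relay.upstream-b.example": ["203.0.113.10"],
                                   "mail.example.com": ["192.0.2.250"]}
MX_RECORDS: Dict[str, List[str]] = {"example.com": ["mail.example.com"]}


def split_term(term: str) -> Tuple[str, str, str]:
    """'~include:x' -> ('~','include','x'); 'mx' -> ('+','mx',''); 'redirect=x' -> ('+','redirect','x')."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    sep = "=" if "=" in term.split(":", 1)[0] else ":"  # modifiers use '=', mechanisms ':'
    name, _, arg = term.partition(sep)
    return qualifier, name.lower(), arg


def terms_of(domain: str, zone: Dict[str, str]) -> List[str]:
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    return record.split()[1:]


def count_lookups(domain: str, zone: Dict[str, str]) -> int:
    """Worst-case number of DNS-querying terms reachable from domain's record."""
    total = 0
    for term in terms_of(domain, zone):
        _, name, arg = split_term(term)
        if name in ("include", "redirect"):
            total += 1 + count_lookups(arg, zone)
        elif name in LOOKUP_TERMS:
            total += 1
    return total


def spf_status(domain: str, zone: Dict[str, str]) -> str:
    """'permerror' if evaluation can exceed the limit, else 'ok'."""
    return "permerror" if count_lookups(domain, zone) > MAX_LOOKUPS else "ok"


def _ip_terms(host: str, cidr: str) -> List[str]:
    suffix = f"/{cidr}" if cidr else ""
    return [f"ip{ipaddress.ip_address(ip).version}:{ip}{suffix}" for ip in A_RECORDS.get(host, [])]


def flatten(domain: str, zone: Dict[str, str], path: Tuple[str, ...] = ()) -> List[str]:
    """Replace include/redirect/a/mx with literal ip4:/ip6: terms, deduplicated.
    Assumes default '+' qualifiers on include/redirect; ptr and exists have no
    address form and are kept verbatim (each still costs a lookup). An include's
    own 'all' never affects the parent, so it is dropped."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    out: List[str] = []
    for term in terms_of(domain, zone):
        qual, name, arg = split_term(term)
        if name in ("ip4", "ip6"):
            out.append(f"{name}:{arg}")
        elif name in ("include", "redirect"):
            if qual != "+":
                raise ValueError(f"cannot flatten {term!r}: non-default qualifier")
            out.extend(flatten(arg, zone, path + (domain,)))
        elif name in ("a", "mx"):
            host, _, cidr = (arg or domain).partition("/")
            for h in (MX_RECORDS.get(host, []) if name == "mx" else [host]):
                out.extend(_ip_terms(h, cidr))
        elif name in ("ptr", "exists"):
            out.append(term)
    return list(dict.fromkeys(out))


def flattened_record(domain: str, zone: Dict[str, str]) -> str:
    """One flat record that keeps the root's own 'all' qualifier."""
    tail = [t for t in terms_of(domain, zone) if split_term(t)[1] == "all"]
    return " ".join(["v=spf1"] + flatten(domain, zone) + tail)


if __name__ == "__main__":
    print("lookups:", count_lookups("example.com", ZONE), "->", spf_status("example.com", ZONE))
    flat = flattened_record("example.com", ZONE)
    print(flat, f"({len(flat)} chars; split strings over 255 bytes when publishing)")
    print("after flattening:", count_lookups("example.com", {**ZONE, "example.com": flat}))
```

Run it and the constructed root record counts 13 lookups and is reported as permerror, while the flattened record counts 0 and contains nine address terms (the duplicated netblock shared by two vendors collapses to one). Two caveats a practitioner should keep in mind: receivers stop at the first matching mechanism, so an over-limit record can pass for senders matched early and permerror for those matched after the tenth lookup, which is the "sometimes fails" symptom; and the flattened record is only correct until an address behind a vendor include changes, which is exactly the maintenance burden that the flattening step above hands to automation.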

The result:

Organizations can add as many email services as they need without worrying about hitting the 10 lookup limit. Dynamic SPF maintains a single, optimized SPF record that stays under the threshold while ensuring legitimate emails always authenticate properly. No more choosing between email services or risking SPF breakage as your business grows and adds new tools.

This automated approach removes the burden from IT and security teams, who no longer need to manually monitor vendor IP changes or maintain complex SPF configurations.

Tools & outcomes

  • Use Red Sift Investigate for quick SPF/DMARC validation across domains.
  • Move to OnDMARC to automate sender discovery and keep SPF records lean as teams add tools. The payoff: stable alignment, fewer false positives, and reliable inbox placement.

Overcome the drama and get started today

Book a short OnDMARC demo to learn more