What is a Query Limit (SPF)?
The SPF query limit refers to the maximum number of DNS lookups an SPF (Sender Policy Framework) evaluation can perform. The limit is set at 10 DNS lookups to prevent excessive DNS queries that could slow down message delivery or enable denial-of-service (DoS) abuse. If this limit is exceeded, SPF authentication fails with a “permerror” (permanent error), even if the sending IP is valid.
Each mechanism or modifier in an SPF record that triggers a DNS lookup, such as include, a, mx, exists, or ptr, counts toward this limit. Managing SPF lookups efficiently is essential for maintaining reliable authentication and preventing misclassified messages.
When a receiving mail server validates an SPF record, it processes each mechanism sequentially and performs DNS queries as necessary. For example:
v=spf1 include:_spf.google.com include:mailservice.com include:sendgrid.net -all
If each included domain references additional includes or mechanisms, the total number of lookups can exceed 10, leading to SPF failure even if all IPs are legitimate.
Mechanisms that consume lookups include:
include
a
mx
ptr
exists
redirect
Static mechanisms like ip4 and ip6 do not count toward the limit.
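The counting rule above can be checked offline with a small auditor. This is an added example, not DMARCeye's code: the domains and TXT records in ZONE are constructed, macros are not expanded, and the count is the worst case over every term rather than one live evaluation.

```python
import re

LIMIT = 10
# Terms that cost a DNS query during evaluation; ip4, ip6 and all cost none.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS answers (not real domains).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mail.example "
                   "include:_spf.crm.example -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example "
                         "include:_b.mail.example include:_c.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 a:out.mail.example ~all",
    "_b.mail.example": "v=spf1 ip6:2001:db8::/32 exists:%{i}.bl.mail.example ~all",
    "_c.mail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 a mx/24 ptr redirect=_spf.crm2.example",
    "_spf.crm2.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "small.example": "v=spf1 ip4:192.0.2.10 include:_c.mail.example -all",
}

def parse_term(term):
    """Split one SPF term into (name, target domain or None)."""
    m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
    return (m.group(1), m.group(2)) if m else (None, None)

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's record.

    A live evaluation stops at the first matching mechanism, so it may use
    fewer; an audit counts every term because any of them can be reached.
    """
    if domain in path:            # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:    # [1:] skips "v=spf1"
        name, target = parse_term(term)
        if name not in QUERYING:
            continue
        total += 1                # the term itself costs one lookup
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (lookup count, True if the record can exceed the limit)."""
    n = count_lookups(domain, zone)
    return n, n > LIMIT

if __name__ == "__main__":
    for d in ("example.com", "small.example"):
        print(d, audit(d))
```

The top-level record for example.com shows only three lookup-triggering terms, yet the nested includes and the redirect bring the total past the limit.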
To stay within the SPF query limit:
DMARCeye automatically detects SPF records that approach or exceed the 10-query limit. Its visual SPF analysis helps organizations identify redundant includes, DNS recursion, and inefficient configurations that could cause validation failures.
By simplifying SPF records and monitoring authentication results, DMARCeye ensures strong email deliverability and accurate DMARC enforcement without exceeding lookup thresholds.