Resolving SPF "Too Many DNS Lookups" Errors
The Sender Policy Framework (SPF) is a standard used to prevent email spoofing. However, SPF has a strict technical limitation that often catches growing businesses off guard: the 10 DNS lookup limit. If your domain's SPF record requires more than 10 lookups to resolve, receiving mail servers will stop evaluating it and may return a "PermError" result, which often leads to your messages being sent to spam.
Why the 10-lookup limit exists
The limit was established as part of the original SPF specification (RFC 7208) to prevent Denial of Service (DoS) attacks. Every time a mail server checks an SPF record, it has to perform a DNS query. If a record contains dozens of nested references, it could force the receiving server to do an enormous amount of work just to verify one email.
How to identify the error
You may notice this issue if your Postmark deliverability reports show authentication failures despite having include:spf.mtasv.net in your record. You can confirm the exact number of lookups you are using by entering your domain into a specialized tool.
Common mechanisms that count toward your limit include:
include
a
mx
ptr
exists
redirect
Note: The ip4 and ip6 mechanisms do not count toward the lookup limit, as they provide specific addresses that do not require further DNS queries.
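The counting rule above, as an added example (not Postmark's code): a small offline counter that walks an SPF record and follows include and redirect into the records they reference, since lookups in nested records count toward the same limit. The zone data and every domain name in it are constructed for illustration; a real check would fetch the TXT records over DNS.

```python
import re

# Constructed sample zone: domain -> SPF TXT record. All names are made up.
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mail.example.net "
                   "include:spf.crm.example.org ip4:192.0.2.10 -all",
    "_spf.mail.example.net": "v=spf1 include:_nb1.mail.example.net "
                             "include:_nb2.mail.example.net ~all",
    "_nb1.mail.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.mail.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.crm.example.org": "v=spf1 exists:%{i}._chk.crm.example.org "
                           "redirect=_spf.crm.example.org",
    "_spf.crm.example.org": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Terms that cost one DNS lookup each, as listed above; ip4, ip6 and all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10
# Optional qualifier, term name, optional ":domain" or "=domain" (CIDR suffix dropped).
TERM = re.compile(r"[+\-~?]?([a-z][a-z0-9]*)(?:[:=]([^/\s]+))?", re.I)

def count_lookups(domain, zone, path=()):
    """Lookups needed to evaluate domain's SPF record, nested records included."""
    if domain in path:  # include/redirect loop: stop descending
        return 0
    total = 0
    for token in zone.get(domain, "").split():
        m = TERM.match(token)
        if not m:
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        # include and redirect pull in another record whose terms also count.
        if name in ("include", "redirect") and target:
            total += count_lookups(target.lower(), zone, path + (domain,))
    return total

def report(domain, zone):
    """One-line summary of the count against the 10-lookup limit."""
    n = count_lookups(domain, zone)
    state = "over" if n > LIMIT else "within"
    return f"{domain}: {n} lookups ({state} the limit of {LIMIT})"

if __name__ == "__main__":
    print(report("example.com", SAMPLE_ZONE))
```

The top-level record for example.com contains only four lookup terms, but the records it references add four more.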
Strategies to resolve the limit
If you have exceeded 10 lookups, you need to "flatten" or optimize your record. Here are the most effective ways to do it:
1. Remove unused services
Many companies leave old include statements in their records for services they no longer use (e.g., an old marketing platform or a previous help desk). Review every service in your record and remove anything that is not currently sending mail for your domain.
2. Use subdomains for different mail streams
This is the most recommended solution for long-term management. Instead of putting every service on your root domain (example.com), move specific types of mail to subdomains.
Transactional (Postmark): pm.example.com
Marketing (ActiveCampaign): news.example.com
Corporate (Google/Microsoft): example.com
By using a subdomain for Postmark, you give it a completely fresh SPF record with its own 10-lookup limit, separate from your corporate email.
3. Replace "include" with "ip4" addresses
If a service you use provides a list of their IP addresses, you can list those directly using the ip4 mechanism. Because these do not require a DNS lookup, they do not count toward your limit.
Caution: Only do this if the service guarantees their IP range will not change. If they add new IPs and you haven't updated your record, your mail will fail.
4. SPF Flattening
Some DNS providers and third-party tools offer "SPF Flattening." This service automatically takes all the include statements and turns them into a static list of IP addresses. If you use this, ensure the service automatically updates your record whenever the underlying providers change their IPs.
How it looks when resolved
A healthy, optimized SPF record should be concise. After moving Postmark to a subdomain or removing old services, your record might look like this:
v=spf1 include:_spf.google.com include:spf.mtasv.net -all
This record only uses 2 lookups (one for Google and one for Postmark), leaving you plenty of room for future growth.
For more technical details on SPF syntax and mechanisms, visit our guide: https://postmarkapp.com/guides/spf