Follows every include to count the real DNS lookups against the limit of 10.
Read your SPF record at a glance
An SPF record is a single line of DNS, but every part of it matters. It names the servers allowed to send for your domain and ends with a rule for everything else. Get it wrong — too many lookups, two records, the wrong “all” — and you either break SPF entirely or leave the door open.
The anatomy of an SPF record — version, authorised senders, IP ranges and the terminal “all”.
The 10-lookup limit, properly counted
The most common SPF problem is invisible: exceeding the 10 DNS-lookup limit. Each include, a, mx, ptr and exists mechanism costs a lookup, as does a redirect modifier — and so do the includes nested inside your providers’ records. A record that looks short can blow the budget once you follow the chain. Our checker resolves the whole tree and shows the gauge, so you see the true count, not a misleading top-level number.
Fixing a PermError
When you’re over the limit: remove includes for providers you no longer use (the usual culprit), drop a and mx if you don’t send from those hosts, and flatten a bulky include into the specific ip4:/ip6: ranges it returns. The generator above helps you assemble a lean replacement.
SPF is necessary, not sufficient
SPF checks the envelope sender and breaks on forwarding, so it can’t stop spoofing of your visible From address on its own. It’s one leg of a tripod with DKIM and DMARC. Run all three — or the all-in-one checker — to see the whole posture.
SPF — common questions
What is an SPF record?
SPF (Sender Policy Framework) is a TXT record at your domain root that lists which mail servers are allowed to send email for your domain. It begins with v=spf1, lists authorised sources as include:, ip4:, ip6:, a and mx mechanisms, and ends with an “all” mechanism that decides what happens to everything else.
What is the SPF 10 DNS lookup limit?
RFC 7208 caps SPF evaluation at 10 DNS-querying terms — every include, a, mx, ptr and exists mechanism and the redirect modifier counts, including those nested inside other includes. Exceed 10 and SPF returns a “permerror”, which many receivers treat as a failure. This checker follows every include to count the true total, not just the terms in your top-level record.
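The nested counting described here and under “The 10-lookup limit, properly counted”, as an added example (not this checker's own code). The zone in `SAMPLE_TXT` is constructed, and the function names are assumptions made for illustration; the top-level record shows only 4 lookup terms, but the chain reaches 13.

```python
import re

# Constructed sample zone (TXT records by name); not real DNS data.
SAMPLE_TXT = {
    "example.test": ["v=spf1 a mx include:_spf.mailer.test include:_spf.crm.test ip4:192.0.2.10 ~all"],
    "_spf.mailer.test": ["v=spf1 include:_a.mailer.test include:_b.mailer.test include:_c.mailer.test ~all"],
    "_a.mailer.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mailer.test": ["v=spf1 a exists:%{i}._b.mailer.test ~all"],
    "_c.mailer.test": ["v=spf1 mx ~all"],
    "_spf.crm.test": ["v=spf1 include:_x.crm.test redirect=_y.crm.test"],
    "_x.crm.test": ["v=spf1 ptr ~all"],
    "_y.crm.test": ["v=spf1 ip6:2001:db8::/32 -all"],
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # plus the redirect modifier
LIMIT = 10
TERM = re.compile(r"^[+\-~?]?([a-z][a-z0-9]*)(?:([:=])([^/\s]+))?", re.I)

def spf_record(domain, txt):
    """Return the single v=spf1 record for domain; zero or several is an error."""
    found = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{domain}: {len(found)} SPF records (need exactly 1)")
    return found[0]

def count_lookups(domain, txt, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    path = path + (domain,)
    total = 0
    for term in spf_record(domain, txt).split()[1:]:
        m = TERM.match(term)
        if not m:
            continue
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
        if name in LOOKUP_MECHS and sep != "=":
            total += 1                      # the term itself costs one lookup
            if name == "include" and arg:   # and so does everything inside it
                total += count_lookups(arg.lower(), txt, path)
        elif name == "redirect" and sep == "=" and arg:
            total += 1 + count_lookups(arg.lower(), txt, path)
    return total

def check(domain, txt=SAMPLE_TXT):
    """Return (count, verdict) for domain against the limit of 10."""
    n = count_lookups(domain, txt)
    return n, ("permerror" if n > LIMIT else "ok")
```

This is a static worst-case count over the record text; a live check would replace `SAMPLE_TXT` with real TXT queries.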
How do I fix “SPF too many DNS lookups” / PermError?
Remove unused include: mechanisms (old providers you’ve left behind are the usual cause), drop a and mx if you don’t actually send from those hosts, and “flatten” a heavy include by replacing it with the specific ip4:/ip6: ranges it resolves to. The goal is 10 lookups or fewer, ideally with headroom.
What’s the difference between -all and ~all?
-all is a hard fail: receivers should reject mail from servers not in your record. ~all is a soft fail: such mail is accepted but marked suspicious. ~all is common while you’re still confirming all your senders, but -all is stronger and is what you want once your record is complete and DMARC is in place.
Can I have more than one SPF record?
No. A domain must publish exactly one SPF (v=spf1) record. Two or more is a permerror and SPF is ignored entirely — a surprisingly common mistake when a new provider adds a second record instead of merging into the existing one. The checker flags this.
Does SPF alone stop spoofing?
No. SPF only checks the hidden “envelope” sender, not the From address your recipient sees, and it breaks on forwarding. It’s necessary but not sufficient — you need DKIM and an enforced DMARC policy on top. Use the DMARC and DKIM checkers alongside this one.
Is the SPF generator private?
Yes. The generator builds the record in your browser from the providers, IPs and options you choose — nothing is sent to a server. Publish the result as a single TXT record at your domain root.