SPF Lookup Limits and the Role of SPF Guru: A Technical Perspective

The Problem: SPF’s 10-Lookup Limit

SPF (Sender Policy Framework) lets domain owners declare which IPs may send on their behalf. But there's a catch: a hard limit of 10 DNS lookups. Each include:, a, mx, exists, and redirect= counts toward this.

Exceeding that limit triggers a permerror, often resulting in rejected or unauthenticated email — damaging deliverability and domain reputation.

Why This Happens So Often

Modern domains typically send from several platforms: Microsoft 365, Google Workspace, Salesforce, Mailchimp, and more. Each one adds include: mechanisms — often nested — quickly pushing SPF records over the 10-lookup threshold.

Best Practice: Use Subdomains

The recommended long-term solution is to segment mail by subdomain:

  • mail.example.com → Microsoft 365
  • marketing.example.com → Email marketing platforms
  • alerts.example.com → Transactional mail

This keeps each SPF record simple. But it's not always possible — especially when vendors require use of your root domain or legacy systems limit flexibility.

The Solution: SPF Guru

SPF Guru compresses complex SPF records into just two DNS lookups using macro-based includes:

include:i.%{ir}._d.%{d}.my.spf.guru ~include:f.%{ir}._d.%{d}.my.spf.guru

These macros dynamically generate DNS queries based on the sender’s IP and domain. Example:

Checking for success: i.4.3.2.1._d.example.com.my.spf.guru
Checking for a fail: ~f.4.3.2.1._d.example.com.my.spf.guru (the leading ~ qualifier tells the MTA that SPF fails if the IP is present).

NOTE: SPF Guru checks whether the records are present for the domain (example.com here); otherwise the response will fail.

How It Works

  1. Macro Expansion: The macros %{ir} and %{d} expand at runtime to build DNS queries for the sender IP and domain.
  2. Single SPF Lookup Backend: SPF Guru’s backend performs a single SPF lookup for the domain, resolving all includes and IPs. Based on the result, it prepares two authoritative responses:
    • i. record: returns pass if the IP is authorised
    • f. record: returns softfail or fail for all others
  3. Short-Circuiting: Since SPF is evaluated left to right, once the i. or f. record matches, no other parts of the SPF record are checked — keeping lookup count at 2.
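
The macro expansion in step 1 can be reproduced offline to see exactly which names a receiving MTA will query. This is an added example, not SPF Guru's code or code from the original page: it implements only the %{i} and %{d} macros of RFC 7208 with the default "." delimiter, and the names expand and guru_queries are hypothetical. It goes beyond the IPv4 case shown above by also handling IPv6 senders, where %{i} expands to 32 dot-separated nibbles.

```python
import ipaddress
import re

# The two include: targets from the page's SPF Guru record (qualifiers stripped).
GURU_TERMS = ("i.%{ir}._d.%{d}.my.spf.guru", "f.%{ir}._d.%{d}.my.spf.guru")

# Subset of the RFC 7208 macro grammar: %{i}/%{d} with optional digit count
# and 'r' transformer, plus the %%, %_ and %- literals. Assumption: the
# default "." delimiter only, which is all the page's record needs.
_MACRO = re.compile(r"%\{([id])(\d*)(r?)\}|%([%_-])")


def _ip_labels(ip):
    """%{i}: dotted quad for IPv4, 32 dot-separated nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr).split(".")
    return list(addr.exploded.replace(":", ""))


def expand(term, ip, domain):
    """Expand macros in one SPF domain-spec for a given sender IP and domain."""
    def sub(m):
        if m.group(4):
            return {"%": "%", "_": " ", "-": "%20"}[m.group(4)]
        letter, digits, rev = m.group(1), m.group(2), m.group(3)
        labels = _ip_labels(ip) if letter == "i" else domain.rstrip(".").split(".")
        if rev:
            labels = labels[::-1]       # reversal is applied first...
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be non-zero")
            labels = labels[-int(digits):]  # ...then keep the right-most n labels
        return ".".join(labels)
    return _MACRO.sub(sub, term)


def guru_queries(ip, domain):
    """Names a receiving MTA would query for the page's two include: terms."""
    return [expand(term, ip, domain) for term in GURU_TERMS]


if __name__ == "__main__":
    # Constructed sample inputs: the page's 1.2.3.4 example plus an IPv6 sender.
    for sender in ("1.2.3.4", "2001:db8::1"):
        for name in guru_queries(sender, "example.com"):
            print(f"{sender:>12} -> {name}")
```

Comparing these names against resolver query logs is a quick way to confirm that a receiver is evaluating the macro record as intended.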

Why It’s Reliable

  • Always returns a deterministic SPF result — either pass or softfail
  • Only two DNS lookups are ever queried by the receiving MTA, even if there are 20+ include: mechanisms after the SPF Guru records.
  • Fully RFC-compliant with macro expansion
  • No changes needed to mail servers or email clients

Conclusion

If you can segment by subdomain, do it. But for real-world constraints — inherited infrastructure, SaaS platform limits, vendor requirements — SPF Guru is the most efficient and compliant path forward.

SPF Guru doesn’t replace best practice — it enables deliverability where best practice can’t be applied.