Problem
SPF record is set correctly, but SPF hard fails due to too many domain lookups (limit is 10). This is specified in RFC 7208 section 4.6.4. DNS Lookup Limits, if a customer reaches more than 10 then the SPF verdict will always fail and send the mail to the SPAM folder.
Environment
- DNS TXT record for SPF authentication
Solution
- Check nested lookups, which count toward the limit of 10. If your SPF record includes a domain, and that domain includes other domains in its SPF record, those other domains are counted toward your SPF record limit. You can validate this by using Google Admin Toolbox > Check MX tool.
- Customer needs to edit the TXT record for SPF and remove any include mechanisms for third parties that no longer send mail for your domain.
Cause
The RFC Specification Document RFC7208 specifies that the number of mechanisms and modifiers that do DNS lookups should not exceed 10 per SPF check. Exceeding the limit can return the error.
Permerror SPF permanent error too many DNS lookups.