Unfortunately, those lookups can add up fast. For example, Google asks its customers to include the SPF record _spf.google.com in their individual domain SPF records. Looking up the contents of this record in DNS we find that it includes three google.com subdomains.
So a Google customer whose SPF includes the Google-recommended record will actually have a domain lookup count of four — one for the _spf.google.com lookup, and one for each of the three Google subdomains referenced by the first lookup.
Now imagine you want to include the records provided by a number of other email service providers, each of which may require several DNS lookups of its own. The total lookup count of the resulting record is simply the sum of the individual contributions.
This limit was not a problem when most companies operated their own mail servers. But now that companies rely on third-party senders, and each one consumes 3 or 4 of those lookups, you can hit the 10-lookup ceiling pretty quickly.
For example, your company may use Google Apps for Business, Workday, and Zendesk. All of those cloud services include the ability to send email on your behalf, which means you’ll need to reference each one’s SPF record from your own. And each of those records may include multiple DNS lookups of their own.
Making matters worse, it’s not obvious when the SPF 10-lookup limit has been exceeded. SPF records consist of a set of rules, each one evaluated sequentially. So if a message is validated by one of the rules defined early in the SPF record, the message will authenticate even though the SPF record as a whole is broken.
Messages which are intended to be authenticated by rules that appear later in the SPF record will fail, because the receiver will stop evaluating the record before it reaches those rules.
As a result, domain owners should try to limit the number of includes in the SPF records for their domains. And email service providers should not recommend or require that domain owners add an ‘include’ directive unless it is absolutely necessary.
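One way to audit a record against the limit before a receiver does it for you: the following counter (an added example, not tooling from the original post) walks a record the way RFC 7208 counts lookups, following every include and redirect recursively. The DNS data is a constructed, offline stand-in: all record contents are hypothetical, and the non-Google provider names are made up, with the _spf.google.com entry only mirroring the one-include-plus-three-subdomains shape described above.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS lookup (RFC 7208 4.6.4)
LOOKUP_LIMIT = 10

# Constructed stand-in for DNS: hypothetical TXT records, not real zone data (the Google entries
# only mirror the page's "one include pulling in three subdomains" shape).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.google.com include:mail.zendesk.com include:_spf.workday.com include:_spf.salesforce.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mail.zendesk.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.workday.com": "v=spf1 a mx ip4:203.0.113.64/26 ~all",
    "_spf.salesforce.com": "v=spf1 include:_spf.workday.com ~all",  # one provider nesting another
}

def parse_terms(record):
    """Yield (name, argument) for each term after the v=spf1 tag; the qualifier is dropped."""
    for token in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=](.*))?", token, re.I)
        if m:
            yield m.group(1).lower(), m.group(2) or ""

def count_lookups(domain, zone, ancestors=frozenset()):
    """Lookups needed to evaluate domain's record, following include/redirect. A domain reached
    by two paths is counted twice (the receiver queries it twice); an include cycle is cut off."""
    if domain in ancestors or domain.lower() not in zone:
        return 0
    total = 0
    for name, arg in parse_terms(zone[domain.lower()]):
        if name not in LOOKUP_TERMS:
            continue                                  # ip4, ip6, all: free
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, ancestors | {domain})
    return total

def lookup_report(domain, zone):
    """Cost of each top-level term, the grand total, and whether the limit is exceeded."""
    costs = {}
    for name, arg in parse_terms(zone[domain]):
        if name in ("include", "redirect"):
            costs[f"{name}:{arg}"] = 1 + count_lookups(arg, zone, frozenset({domain}))
        elif name in LOOKUP_TERMS:
            costs[name] = costs.get(name, 0) + 1
    total = sum(costs.values())
    return costs, total, total > LOOKUP_LIMIT
```

For the constructed zone, `lookup_report("example.com", ZONE)` charges 4 to the Google include (1 for _spf.google.com plus 1 per subdomain, matching the count above) and reports 13 lookups in total, so the record is over the limit even though its first terms would still match.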
Some domain owners try to address this problem with domain “flattening”: They replace some of the domain names in the SPF record with the actual IP addresses or ranges for the corresponding servers. This gets around the lookup limit, but it means that if these servers change IP addresses, someone in the organization has to manually update those IP addresses in the SPF records too. That’s a time-consuming and error-prone process — exactly the problem that DNS was designed to fix.