Look up a domain's SPF record and check it against the 10-lookup limit.

SPF breaks silently when a domain publishes duplicate records or nested includes push it past 10 DNS lookups. This lookup shows the record, its mechanisms, and the live lookup count.

How it works

  • The tool queries public DNS over DoH for TXT records starting with `v=spf1`.
  • Include mechanisms are parsed and each nested include is resolved to count total DNS lookups against the RFC 7208 limit of 10.
  • Flattening hints are shown when the record is near or over the limit.

When to use it

  • After adding a new ESP, CRM, or SMTP service to a domain's SPF record.
  • When receivers report SPF permerror or softfail for mail that should pass.
  • Before treating a client domain as ready for inbox provisioning.

Common failure cases

  • Counting only top-level includes and missing the nested lookups inside them.
  • Publishing a second `v=spf1` record instead of merging mechanisms.
  • Assuming a passing SPF record means the domain is ready to send cold email.

Examples

What good and bad signals look like

Healthy record

v=spf1 include:_spf.google.com ~all — 3/10 lookups

One record, a known sender, and plenty of headroom under the lookup limit.

Over the limit

Nested includes resolving to 12 DNS lookups

Receivers may return permerror and treat SPF as failed until the record is flattened.

What to do next

  • Flatten or remove unused includes if the count is near 10.
  • Regenerate a single combined record with the SPF generator if duplicates exist.
  • Run the full DNS checker to confirm DKIM, DMARC, and MX alongside SPF.
Automate SPF checks

Use the API quickstart to run DNS checks as part of readiness workflows.

FAQ

Why does the SPF 10-lookup limit matter for cold email?

Mechanisms like include, a, mx, and redirect each cost a DNS lookup. Past 10, receivers return permerror, which many treat as an SPF failure — a common silent breakage on domains that accumulate senders.

Does GTM Inboxes store domains entered into this lookup?

No. The public tool performs the lookup for the request and does not store submitted domains.