What are the common DNS limitations for email records? (e.g., SPF lookups, TXT record length)

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up SPF, added DKIM, published your DMARC record, and felt good about it. Then someone tells you your SPF is broken because you have too many includes. Welcome to DNS limits, the part of email authentication nobody warns you about until something stops working.

DNS wasn't designed with modern email complexity in mind. It's a lookup system built for speed, and that speed comes with hard constraints. When your email setup runs into those constraints, receiving servers don't try to work around them. They just fail the check.

Here are the limits that actually matter for email senders.

The SPF 10-lookup limit

This is the one that bites people most often. When a receiving server checks your SPF record, it's allowed to make a maximum of 10 DNS lookups to resolve it. Every include:, a, mx, redirect, or exists mechanism that points to another domain counts toward that limit. Go over 10, and the check returns a permerror, which many servers treat the same as a fail.

This is surprisingly easy to hit if you use multiple email services. Each tool you add (your newsletter platform, your CRM, your support tool, your transactional provider) often wants its own include: line in your SPF record. Those includes sometimes pull in their own nested lookups too, and it adds up faster than you'd expect.

TXT record string length

A single DNS TXT string can hold a maximum of 255 characters. If your SPF record or any other TXT record is longer than that, it needs to be split into multiple quoted strings placed inside one record. Most DNS providers handle this automatically, but not all do. If yours doesn't, a record that looks fine in your dashboard might be invalid in practice.

Total TXT record size

And the practical ceiling for an entire TXT record is around 4,096 characters. You're unlikely to hit this with a normal SPF record, but it can come up if you're doing something unusual like embedding very long DKIM keys or storing other large values in DNS.

UDP response size

Traditional DNS responses over UDP were capped at 512 bytes. Larger responses fall back to TCP, which works fine but adds latency and can occasionally cause issues with older or restrictive network configurations. Most modern setups handle this gracefully, but it's worth knowing if you're troubleshooting slow or inconsistent authentication checks.

DNS provider restrictions

Some DNS providers add their own limits on top of the protocol ones. These might include caps on the number of TXT records per domain, restrictions on record length, or character restrictions. If you're hitting a wall that doesn't match the standard limits above, your provider's documentation is the next place to look.

The most common real-world consequence of hitting these limits is an SPF permerror, which can cause legitimate email to land in spam or get rejected outright. It doesn't happen gradually. One new integration that pushes you past the lookup limit can break authentication across your whole sending setup.

If you're not sure where your domain stands right now, our free SPF Checker will count your lookups and flag if you're over the limit. And if you want to understand exactly how the 10-lookup rule works under the hood, the next question covers that in detail.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check your SPF lookup count

I'm setting up or reviewing SPF, DKIM, and DMARC records for my domain and I want to make sure I'm not hitting DNS limits. Based on the services I use (list your ESPs, CRMs, support tools, or any other email-sending platforms), can you: 1) estimate how many SPF DNS lookups I'm likely using, 2) flag which mechanisms are most likely to push me over the 10-lookup limit, and 3) suggest what to do if I'm already over?

Edit the yellow boxes, then send to the AI of your choice.