Your SPF record has a hard ceiling that most people never notice until mail starts failing: it may trigger no more than ten DNS lookups when a receiver evaluates it. Cross that line and SPF returns a permerror, which many receivers treat as a failure. Legitimate mail can land in spam or be rejected outright.
Before you change anything, check where your domain stands right now.
Why the ten-lookup limit exists
Every include, a, mx, ptr, exists, and redirect term in your SPF record forces the receiver to make a DNS query. The limit in RFC 7208 caps that work at ten lookups so a single message cannot trigger an unbounded chain of queries. The catch is that each include you add can pull in a provider whose own record contains more includes, and those count too. A record that looks short on paper can quietly blow past ten once it is fully expanded.
How to tell if you are over the limit
A scan of your domain reports the expanded lookup count and flags a permerror when you are over. The usual culprit is stacking several senders at once: a mailbox provider, a marketing platform, a helpdesk, an invoicing tool, and a CRM, each contributing two or three lookups.
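The expansion described above can be reproduced by hand. This is an added example, not the scanner this page refers to: it counts worst-case lookups over a constructed set of TXT records (all `.test` names and IP ranges are made up), and it assumes no SPF macros appear in the records.

```python
# Constructed sample zone data (not real records): name -> SPF TXT string.
SAMPLE_TXT = {
    "example.test": "v=spf1 mx include:_spf.mailbox.test include:_spf.marketing.test"
                    " include:_spf.helpdesk.test include:_spf.crm.test -all",
    "_spf.mailbox.test": "v=spf1 include:_a.mailbox.test include:_b.mailbox.test ~all",
    "_a.mailbox.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mailbox.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_spf.marketing.test": "v=spf1 include:_n1.marketing.test include:_n2.marketing.test ~all",
    "_n1.marketing.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_n2.marketing.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.helpdesk.test": "v=spf1 a:out.helpdesk.test mx ~all",
    "_spf.crm.test": "v=spf1 redirect=_ips.crm.test",
    "_ips.crm.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation


def term_cost(term, txt, path):
    """Lookups one SPF term costs, including everything it expands to."""
    term = term.lstrip("+-~?")  # qualifiers do not change the cost
    if term.lower().startswith("redirect="):
        return 1 + count_lookups(term[len("redirect="):], txt, path)
    name, _, arg = term.partition(":")
    name = name.split("/")[0].lower()  # "a/24" -> "a"
    if name not in LOOKUP_TERMS:
        return 0  # ip4, ip6, all and other modifiers need no query
    return 1 + (count_lookups(arg, txt, path) if name == "include" else 0)


def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Worst-case lookup count for the fully expanded record of `domain`."""
    if domain in path:  # include loop: stop counting rather than recurse forever
        return 0
    terms = txt.get(domain, "").split()[1:]  # drop the "v=spf1" version tag
    return sum(term_cost(t, txt, path + (domain,)) for t in terms)


def breakdown(domain, txt=SAMPLE_TXT):
    """Cost of each top-level term, to show which sender is expensive."""
    return {t: term_cost(t, txt, (domain,)) for t in txt[domain].split()[1:]}


if __name__ == "__main__":
    total = count_lookups("example.test")
    print(total, "permerror" if total > LIMIT else "ok", breakdown("example.test"))
```

The top-level record here shows only five lookup terms, yet it expands to twelve; the breakdown shows what each include costs, which is the number to look at when deciding what to remove.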
Three ways to get back under ten
1. Remove senders you no longer use
The fastest win is deletion. Old trial tools and retired platforms often leave an include behind. Every one you remove frees up its lookups. Start here before anything more involved.
2. Switch to the provider-recommended record
Some providers publish a heavier default include and a leaner alternative. Check each sender's current SPF guidance, because vendors do update these. Swapping to the recommended term can drop your count without losing any coverage.
3. Flatten with care
Flattening replaces an include with the actual IP ranges it resolves to, which removes the lookups entirely. It works, but it is a maintenance commitment: when the provider changes their sending IPs, your flattened record is wrong until you update it. Flatten only providers with stable ranges, and never flatten a large cloud sender whose IPs rotate often.
Keep the terminating all mechanism strong
While you are editing, confirm the record still ends with -all or ~all. A record ending in +all accepts mail from anywhere and defeats the purpose of SPF. Use -all once you are confident every legitimate sender is covered.
Verify the fix
After you publish the change, wait for DNS to propagate and scan again. The lookup count should read ten or fewer and the permerror should be gone. Recheck any time you add a new sender, since one new include is all it takes to cross the line again.