How to Fix Single Vendor SPF Records That Use Too Many Lookups

Some email services, like Mailgun or Freshdesk, publish SPF records that are extremely complex. These records can require 5 or more DNS lookups just for a single include: statement, quickly consuming your total SPF 10 DNS lookup limit.

When combined with other services like Google Workspace or Microsoft 365, you can easily exceed the limit and trigger an SPF PermError, which causes emails to fail DMARC checks and may result in rejected or spam-filtered messages.

Why Single Vendor Records Cause Problems

Vendors like Mailgun and Freshdesk need to support a large network of sending servers worldwide. Their published SPF records often contain multiple include: statements that expand into several more nested lookups.

Example: The SPF record for Mailgun (include:mailgun.org) can consume 5 or more lookups by itself. Freshdesk is similar, with include:email.freshdesk.com often using 5-6 lookups.

Problem Example

v=spf1 include:mailgun.org include:email.freshdesk.com include:_spf.google.com ~all
  

This record alone may already exceed 10 DNS lookups, resulting in an SPF failure.

The SPF Guru Solution: Drop a Vendor Lookup to Just One

SPF Guru provides a simple way to reduce a single vendor's SPF record to one DNS lookup without replacing your entire SPF strategy.

By appending a small macro to the end of the vendor's domain, SPF Guru dynamically resolves and flattens all of their nested lookups in real-time.

Syntax

._i.%{ir}.my.spf.guru
  

You simply add this to the end of the vendor's domain inside your SPF record.

Mailgun Example

Instead of:

include:mailgun.org
  

Use:

include:mailgun.org._i.%{ir}.my.spf.guru
  

Freshdesk Example

Instead of:

include:email.freshdesk.com
  

Use:

include:email.freshdesk.com._i.%{ir}.my.spf.guru
  

SPF Guru will handle all of the nested SPF records behind the scenes and return a single flattened result.

Putting It All Together

Original record (likely to exceed 10 lookups):

v=spf1 include:mailgun.org include:email.freshdesk.com include:_spf.google.com ~all
  

Optimised record using SPF Guru:

v=spf1 include:mailgun.org include:email.freshdesk.com._i.%{ir}.my.spf.guru include:_spf.google.com ~all
  

Here, Freshdesk is offloaded to SPF Guru, dropping it from 5+ lookups down to just 1. The rest of your SPF record remains unchanged, giving you maximum flexibility.

Why This Method Works

• ✅ Targets a single vendor domain — you don’t need to move your entire SPF record to SPF Guru.
• ✅ Drops even the most complex vendor SPF from 5+ lookups to 1.
• ✅ Prevents SPF PermError by staying under the 10 lookup limit.
• ✅ Works with any service that publishes a TXT SPF record.

Example Vendors With Complex SPF Records

• Mailgun (include:mailgun.org)
• Freshdesk (include:email.freshdesk.com)
• Zendesk (include:mail.zendesk.com)
• HubSpot (include:spf.hubspotemail.net)
• Salesforce (include:_spf.salesforce.com)

Any of these can be optimised by appending ._i.%{ir}.my.spf.guru to their domain in your SPF record.

When to Use This Approach

This solution is perfect when:

• You only have one or two problematic vendor records causing SPF failures.
• You don’t want to depend on SPF Guru for your entire SPF record.
• You want a lightweight, easy fix without completely rearchitecting your SPF strategy.

SPF Guru acts as a helper for just those vendors that would otherwise push you over the limit.

Final Thoughts

SPF lookup limits are one of the most common causes of SPF PermError issues. By selectively optimising complex vendor records with SPF Guru, you can keep your SPF record simple, compliant, and reliable.

Even if your SPF record includes multiple services like Google, Microsoft 365, Mailgun, and Freshdesk, you now have a clear path to stay under the limit without sacrificing functionality.

Try it today, and take back control of your email deliverability.