SPF's 10-lookup limit, explained by someone who's hit it 100 times
The standards break more domains than any other single thing in email authentication
11 of 15 of the top UK digital marketing agencies had no DMARC policy at all, three had p=none and only one had it right. If that's the state of the agencies' own email security, imagine how badly configured their clients are!
Last month, I ran a quick DMARC check on the domains of the first fifteen UK digital agencies I pulled from a "top agencies" list.
Eleven of them had no DMARC policy at all. Three had p=none, which is the email security equivalent of leaving your front door open with a sign that says "please close this later." One — exactly one — had it configured properly.
These are agencies that build websites for real clients. Clients who send real invoices. Clients whose email deliverability genuinely matters to their business. And the agencies responsible for their domains hadn't set up the single most important piece of email security infrastructure that exists.
If that's the state of the agencies, imagine the state of their clients.
Email has three authentication layers — SPF, DKIM, and DMARC. SPF says "these IP addresses are allowed to send mail for my domain." DKIM cryptographically signs messages so the recipient can verify they weren't tampered with. DMARC ties the two together and tells recipients what to do when a message fails: nothing, quarantine it, or reject it.
Without DMARC, anyone on the internet can send email as your domain. Not from a spoofed lookalike — literally from your actual domain. Gmail and Outlook have gotten aggressive about flagging these, so the result isn't just "phishing works better." The result is that your legitimate email also gets treated with suspicion, because the receiving server has no way to tell the real you apart from the fake you.
In February 2024, Google and Yahoo started actively requiring DMARC for bulk senders. Microsoft followed in 2025. The rules have teeth now. Domains without DMARC aren't just insecure — they're being actively deprioritised in every major inbox.
You can check any domain right now, without installing anything, without asking the client for access, without touching their DNS.
Open a terminal and run:
dig TXT _dmarc.theirdomain.com
If you see nothing come back, they have no DMARC record. Game over.
If you see a record starting with v=DMARC1; p=none, they have the record but it's in monitoring mode. Nothing is being enforced. Spoofed email still reaches inboxes. They may have set this up two years ago intending to "tighten it up later." They didn't.
If you see v=DMARC1; p=quarantine or v=DMARC1; p=reject, they're in decent shape — but there are still fifteen other ways this can be subtly broken. Missing rua= reporting address. pct=10 meaning only 10% of failures are actually being acted on. External report destinations that haven't been authorised and therefore silently drop every report.
You can check all of this by hand. It takes about 45 minutes per domain if you know what you're doing, which most people don't, which is why most agencies don't.
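The hand check above (no record, p=none, pct below 100, no rua=, and an external rua= destination that never published its authorisation record) scripted as a small Python checker. This is an added example, not the author's audit tool; the domains, records and the lookup callable are constructed assumptions, and the authorisation check queries the <domain>._report._dmarc.<destination> name that DMARC specifies for external report destinations.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample DNS TXT data (not real domains); only example.org's third-party destination has published the authorisation record.
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=reject; pct=10; rua=mailto:agg@dmarc-vendor.example",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; rua=mailto:agg@dmarc-vendor.example!10m",
    "example.org._report._dmarc.dmarc-vendor.example": "v=DMARC1",
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a dict keyed by lower-cased tag name."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(domain: str, lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Findings a manual read of _dmarc.<domain> gives; lookup(name) returns the TXT string or None (SAMPLE_DNS.get offline, a real resolver in production)."""
    record = lookup(f"_dmarc.{domain}")
    if record is None:
        return ["no DMARC record: anyone can send mail as this domain"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["TXT record present but it is not a DMARC record (no v=DMARC1)"]
    issues: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")  # the tag defaults to 100 when absent
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        issues.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    rua = tags.get("rua")
    if not rua:
        issues.append("no rua= address: nobody receives aggregate reports")
    for uri in (rua.split(",") if rua else []):
        m = re.match(r"\s*mailto:[^@\s]+@([^!\s]+)", uri, re.I)  # drop any !size suffix
        if not m:
            continue  # non-mailto report URIs are not checked here
        dest, dom = m.group(1).lower(), domain.lower()
        if dest == dom or dest.endswith("." + dom) or dom.endswith("." + dest):
            continue  # simplified Organizational Domain test: same domain or a subdomain either way is internal
        auth = lookup(f"{dom}._report._dmarc.{dest}")
        if not (auth and auth.strip().upper().startswith("V=DMARC1")):
            issues.append(f"external destination {dest} has not authorised {dom}: reports are silently dropped")
    return issues
```

Swap `SAMPLE_DNS.get` for a function that runs the same TXT query `dig` does and the checker works against live domains.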
I built a free audit tool that does the full check in about 10 seconds: DMARC, SPF (including the 10-lookup recursion that breaks most domains without their owners ever knowing), DKIM selector probing across 60+ common senders, MTA-STS, TLS-RPT, BIMI, and MX provider detection. It spits out a letter grade and a list of specific issues with remediation steps.
It's free. No signup for the basic report. No credit card. You can run it on your own domain, your clients' domains, your competitors' domains, your ex-employer's domain. I don't care.
The point of the tool is this: once you see the grades your client portfolio is getting, you're going to want to fix them. That's what I'm selling — the monitoring service that tells you when something changes. The free audit is just proof that there's a problem worth solving.
Try it: dmarcsentinel.com
If you're an agency: run the audit against every active client domain this week. Sort them by grade. Your F-grade clients are the highest risk and the easiest conversation — "your domain is currently exposed to spoofing and your marketing email is being deprioritised; we can fix this in 48 hours for £X."
If you're in-house: run it against your own primary domain, your marketing subdomain (which is probably worse), and any transactional email domains. The transactional one is usually the surprise.
If you're a developer: your personal domain is almost certainly unconfigured. Mine was, in 2019, after 25 years of running email infrastructure professionally. The cobbler's children.
The point isn't that DMARC is hard. It isn't. It's that nobody audits it because nobody thinks to audit it, and the failure mode is silent — the first sign something's wrong is usually a client asking why their invoice email landed in spam, or worse, why someone impersonating them just convinced their customer to wire money to a new account.
Run the audit. Takes sixty seconds. Worst case you confirm everything is fine. Best case you avoid the phone call you really don't want to get.
Jon Morby has run email and DNS infrastructure since the early 1990s. He built DMARC Sentinel after watching too many agencies discover their clients' email was going to spam the hard way.
Founded by Jon Morby, whose team has been running UK servers since 1992. Hosting built by engineers who care about deliverability and uptime.