RFC 7208 caps the cumulative number of DNS lookups in an SPF check at 10. Big senders (Microsoft 365, Google Workspace, Salesforce, Mailchimp) often each consume 3-5 of those 10 on their own through nested includes.
Symptoms
DMARC reports show SPF=permerror or temperror. Some receivers treat this as SPF=fail and DMARC enforcement kicks in even though your record looks valid.
Fix: SPF flattening
Replace nested include: chains with a flattened, IP-direct version that resolves to a few small records. ShieldMarc has a flattener under Tools - paste your record, get a flattened version that fits the 10-lookup limit.
Don't let it go stale
Flattened records become wrong when the upstream sender changes IPs. We re-check daily and email you if any of the IPs you "snapshotted" are no longer in the upstream's published record.