Your SPF record can be perfectly valid, publish without a single error, and still fail every time it is checked. The reason is a rule most people never learn until it bites them: SPF is allowed at most ten DNS lookups per evaluation, and going over does not degrade gracefully. It fails outright.

In a scan I ran across the top 10,000 domains earlier this year, 1.7% were already over the limit. That sounds small until you realize these are among the most-managed domains on the web, and the number only goes up as a domain adds senders. It is the kind of problem you grow into without noticing.

What the limit actually is

RFC 7208, the SPF spec, caps the number of mechanisms that require a DNS lookup at ten per evaluation (section 4.6.4). The mechanisms that count are include, a, mx, ptr, and exists, plus the redirect modifier. The ones that do not count are ip4, ip6, and all, because they are answered from the record itself without another query.

Cross ten lookups and the evaluation returns permerror. That is not a soft "neutral" result you can ignore. A permerror means SPF produced no usable answer, so it cannot give you a pass. For DMARC that counts the same as a fail, and many receivers treat a standalone SPF permerror as a failure on its own.