I’m confused about how the DNS lookups are counted when dealing with the MX mechanism. The RFC says:
When evaluating the "mx" mechanism, the number of "MX" resource records queried is included in the overall limit of 10 mechanisms/modifiers that cause DNS lookups as described above. In addition to that limit, the evaluation of each "MX" record MUST NOT result in querying more than 10 address records -- either "A" or "AAAA" resource records. If this limit is exceeded, the "mx" mechanism MUST produce a "permerror" result.
It seems clear that an mx mechanism in the SPF record adds one to the DNS count, but it is less clear (to me) whether querying the DNS to find the records from that MX is added to the count or is a separate count that also must be no more than 10.
As an example of the problem, the SPF record for service-now.com is:
v=spf1 mx a:b.spf.service-now.com a:c.spf.service-now.com a:d.spf.service-now.com ~all
There are at least 4 terms querying the DNS. Querying the DNS for the MX of service-now.com returns 8 MX records. Is 8 added to the previous 4 or not? If so, then this results in a permerror; if not, then the record is valid.
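The two readings described in the post, worked through on the quoted record as an added example (not part of the original post, and not code from any SPF library). It counts only the top-level terms without resolving anything; the MX count of 8 is the figure given in the post, and the function names and the `mx_counts` parameter are hypothetical.

```python
import re

# Terms that cause a DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_MODIFIERS = {"redirect"}
LIMIT = 10

# Optional qualifier, term name, then ":domain", "/cidr" or "=value".
TERM = re.compile(r"^[+\-~?]?([a-z][a-z0-9_.-]*)([:/=].*)?$", re.I)

# Record quoted in the post.
RECORD = ("v=spf1 mx a:b.spf.service-now.com a:c.spf.service-now.com "
          "a:d.spf.service-now.com ~all")


def lookup_terms(record):
    """Return the top-level terms of an SPF record that cause a DNS lookup."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    found = []
    for field in fields[1:]:
        m = TERM.match(field)
        if not m:
            continue
        name, rest = m.group(1).lower(), m.group(2) or ""
        wanted = LOOKUP_MODIFIERS if rest.startswith("=") else LOOKUP_MECHANISMS
        if name in wanted:
            found.append(field)
    return found


def count_both_readings(record, mx_counts):
    """Compare both readings; mx_counts = MX records returned per "mx" term."""
    terms = lookup_terms(record)
    mx_terms = [t for t in terms if TERM.match(t).group(1).lower() == "mx"]
    if len(mx_terms) != len(mx_counts):
        raise ValueError("need one MX count per mx term")
    per_mx_ok = all(n <= LIMIT for n in mx_counts)   # per-mx cap of 10
    separate = len(terms)                    # reading 1: mx term counts once
    additive = len(terms) + sum(mx_counts)   # reading 2: MX records added on top

    def verdict(total):
        return "permerror" if total > LIMIT or not per_mx_ok else "ok"

    return {"terms": len(terms),
            "separate": (separate, verdict(separate)),
            "additive": (additive, verdict(additive))}


if __name__ == "__main__":
    print(count_both_readings(RECORD, mx_counts=[8]))
```
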