Sender Policy Framework (SPF) is an email authentication method that helps protect your domain from spoofing. But sometimes you might run into an error called SPF Permerror (also known as an SPF permanent error), usually caused by too many DNS lookups in your SPF record.
Why does this matter? Because if your SPF record breaks, your legitimate emails might land in spam folders or get rejected entirely. This can also cause DMARC to fail, affecting your domain’s overall email security and deliverability.
Hit the 10-lookup limit? Here’s what to do. In this blog, we’ll explain what causes this error and walk you through simple ways to fix it.
Key Takeaways
- SPF Permerror indicates that there is a fundamental problem with a domain’s SPF record, preventing accurate evaluation.
- Exceeding the 10 DNS lookup limit can cause severe issues, such as email rejection or classification as spam.
- Syntax errors in the SPF record can lead to Permerror, necessitating careful formatting and verification.
- Oversized SPF records can exceed established character limits, contributing to deliverability issues and potential SPF errors.
- Utilizing SPF flattening tools can help optimize records to prevent Permerrors and enhance email authentication.
What is SPF Permerror?
An SPF Permerror is a permanent error in your SPF record, meaning there’s something wrong with it that stops it from working.
A Permerror result is returned by receiving mail servers when your SPF record has a critical issue that makes it impossible to evaluate, such as incorrect syntax, too many DNS lookups (over the 10-limit), or invalid mechanisms. Unlike a regular SPF “fail” (which means an email didn’t pass authentication), a Permerror indicates that the SPF record itself is broken or misconfigured. This not only affects deliverability but can also weaken your DMARC protection if SPF is the only mechanism you’re using to align your email.
Key Differences: SPF Fail Vs SPF Permerror
| | SPF Fail | SPF Permerror |
|---|---|---|
| What it means | The SPF record was found and evaluated, but the sender is not authorized | The SPF record could not be evaluated due to an error or misconfiguration |
| Cause | Sender IP not listed in the domain’s SPF record | Broken SPF syntax, too many DNS lookups, or other critical issues |
| Issue Type | Temporary issue (email not authorized) | Permanent error (SPF record is invalid or unreadable) |
| Impact | Email may likely be rejected or marked as spam | Email may be rejected or pass through without SPF validation |
| DMARC alignment | Can cause DMARC fail if SPF is not aligned | Can break DMARC, especially if SPF is your only aligned mechanism |
| Fix | Go through your sender list to authorize legitimate senders | Requires fixing the SPF record to restore functionality |
Why Does SPF Have a 10 DNS Lookup Limit?
You might think the 10 DNS lookup limit in SPF is restrictive, but it’s there for a very good reason.
According to RFC 7208, this limit exists primarily for security and performance purposes. Specifically, it helps protect receiving mail servers from Denial-of-Service (DoS) attacks caused by excessive DNS queries.
Here’s how it could be abused:
A threat actor might create a malicious SPF record that triggers hundreds of DNS lookups by referencing multiple domains or includes. This could be tied to a spoofed domain pretending to be a trusted company. Every time a receiving server tries to validate such an email, it would be forced to resolve all those lookups, slowing down the server or even crashing it.
By capping DNS lookups at 10, SPF helps:
- Maintain email processing performance
- Protect against resource exhaustion attacks
- Improve anti-spoofing reliability by encouraging better SPF record design
What Causes SPF Permerror?
An SPF Permerror can be triggered by several issues, including excessive DNS lookups, syntax errors, misconfigured records, or even overly large SPF entries. Let’s break down the most common causes:
1. SPF Syntax Errors
Incorrect formatting or invalid syntax in the SPF record can lead to a Permerror, preventing proper evaluation.
Common causes:
- Missing or misplaced characters (e.g., quotes or colons)
- Invalid or malformed mechanisms or qualifiers (e.g., using include_spf.example.com instead of include:spf.example.com)
- Incorrect macro definitions or unsupported macros
Examples:
❌ v=spf1 include_spf.example.com -all → missing colon in include
❌ v=spf1 +mx a:mail.example.com -all → + qualifier is unnecessary and often misused
2. DNS Configuration Issues
These involve problems with the DNS setup related to your SPF record.
Common issues:
- SPF record pointing to non-existent or misconfigured domains
- Missing SPF records on referenced domains
- Invalid or deprecated DNS record types (e.g., using SPF-type records instead of TXT)
Example:
Your domain references include:spf.partner.com, but spf.partner.com doesn’t exist or lacks a TXT record, leading to SPF evaluation failure.
3. Too Many DNS Lookups
SPF allows only 10 DNS lookups during record evaluation, as defined in RFC 7208, Section 4.6.4. This is a security measure to prevent abuse (e.g., Denial-of-Service attacks) and keep evaluations lightweight.
What counts as a lookup:
- include
- a, mx, ptr
- exists, redirect
Void lookups (queries that return no DNS data) are also limited to 2.
Common cause:
An SPF record with many include: mechanisms or nested includes that collectively exceed the 10-lookup limit.
4. Circular Includes
Circular includes occur when SPF records refer back to each other in a loop, creating infinite resolution cycles.
Example:
- Domain A: v=spf1 include:domainB.com -all
- Domain B: v=spf1 include:domainA.com -all
This circular reference causes SPF evaluation to fail, often resulting in a Permerror.
5. Invalid Mechanisms or Qualifiers
Using unrecognized or deprecated mechanisms in your SPF record can result in a Permerror.
Common mistakes:
- Typos like ip6v instead of ip6
- Mechanisms used incorrectly, such as all: or ptr:
- Using + or ? qualifiers unnecessarily or incorrectly
Example:
❌ v=spf1 ptr:mail.example.com -all → discouraged mechanism
❌ v=spf1 ip4v:192.0.2.0/24 -all → invalid mechanism (ip4v should be ip4)
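The lookup counting, missing-record, loop and malformed-term cases from sections 1, 3, 4 and 5 above, as an added example (not code from the original post). It evaluates SPF records against a constructed in-memory DNS table instead of real DNS; the domain names and records in it are made up.

```python
# Added example, not from the original post: walk an SPF record through a
# stub DNS table and count the terms that cost a DNS query, as a receiver
# applying RFC 7208 section 4.6.4 would, returning "permerror" when the
# 10-lookup cap is passed, an include loops, or a referenced record is missing.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed stand-in for DNS TXT answers (real code would query DNS).
FAKE_DNS = {
    "example.com": "v=spf1 mx include:spf.mailer.test include:spf.crm.test -all",
    "spf.mailer.test": "v=spf1 a a:relay.mailer.test include:spf.mailer2.test ~all",
    "spf.mailer2.test": "v=spf1 ip4:203.0.113.0/24 mx -all",
    "spf.crm.test": "v=spf1 include:spf.mailer.test exists:%{i}.crm.test -all",
    "loop-a.test": "v=spf1 include:loop-b.test -all",
    "loop-b.test": "v=spf1 include:loop-a.test -all",
}

def mech_name(term):
    """'-include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    body = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        body = body.split(sep, 1)[0]
    return body.lower()

def count_lookups(domain, dns=FAKE_DNS, path=frozenset()):
    """Return (status, lookups) for domain's SPF record; status is
    "pass" when the record can be evaluated, else "permerror"."""
    if domain in path:
        return "permerror", 0              # circular include
    path = path | {domain}
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "permerror", 0              # referenced domain has no SPF record
    total = 0
    for term in record.split()[1:]:
        name = mech_name(term)
        if name not in LOOKUP_MECHS:
            continue                       # ip4, ip6, all: no query needed
        total += 1
        if name in ("include", "redirect"):
            parts = term.split("=" if name == "redirect" else ":", 1)
            if len(parts) != 2:
                return "permerror", total  # malformed term, e.g. bare "include"
            status, sub = count_lookups(parts[1], dns, path)
            total += sub
            if status == "permerror":
                return status, total
        if total > MAX_LOOKUPS:
            return "permerror", total      # the RFC 7208 section 4.6.4 cap
    return "pass", total
```

Running count_lookups("example.com") on the constructed table reports a Permerror at 13 lookups, because spf.mailer.test is pulled in twice (directly and through spf.crm.test) and each path is charged again.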
6. Oversized SPF Records
SPF records must adhere to size limitations:
- Each string in a TXT record must be ≤ 255 characters
- Total TXT record length should not exceed 512 bytes
Causes of oversized records:
- Too many IPs, includes, or mechanisms
- Duplicated or unnecessary entries
Example:
A record like v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:spf1.example.com include:spf2.example.com include:spf3.example.com include:spf4.example.com -all may exceed DNS limits or size constraints.
How SPF Lookup Overload Breaks Your Emails
When your SPF record triggers more than 10 DNS lookups, it can seriously disrupt your email delivery. Here’s what can happen:
- Delivery delays: Email servers may slow down processing while trying to evaluate your SPF record, causing delivery delays.
- Timeout errors: Too many lookups can lead to timeouts during SPF evaluation, causing messages to fail silently or get dropped.
- Rejected emails: Some receiving servers may outright reject or flag emails with SPF Permerror to protect their infrastructure.
- DMARC fails: If your DMARC policy relies on SPF alignment, a failed SPF check can break DMARC and reduce your domain’s trustworthiness.
How to Fix SPF Permerror (Step-by-Step)
Manual Fixes
- Remove Unused include Mechanisms
Go through each include: in your SPF record and check if it’s still necessary. If it’s linked to a service you no longer use, remove it.
- Replace include with IP Addresses (if static)
If an include: just points to a static IP or small IP range, replace it directly with an ip4: or ip6: mechanism to avoid a DNS lookup.
- Eliminate PTR Mechanisms
PTR is discouraged by RFC 7208 due to performance and reliability concerns. Remove it entirely to reduce lookups and avoid errors.
- Consolidate include Domains
Some services (e.g., email platforms or providers) offer multiple SPF entries. Check their documentation, as often they provide a single consolidated include you can use instead of multiple ones.
- Use ip4 / ip6 Where Possible
If you know the IPs of your sending servers, add them directly using ip4: or ip6: instead of relying on mechanisms like MX or A that consume lookups.
Best Practice: Use an Automatic SPF Flattening Tool
Automatic SPF flattening is the process of dynamically converting multiple “include” statements and other DNS-based lookups into a simplified list of IP addresses. This approach reduces the number of DNS lookups during SPF checks.
Manual SPF flattening may seem like a quick fix, but it comes with serious risks. If your email service provider changes their sending IPs, your SPF record won’t reflect the change unless you update it manually. Hence, it requires constant monitoring and manual edits to stay compliant. An outdated IP in your flattened record can cause SPF to fail, affecting email deliverability and DMARC alignment.
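What flattening actually does, as an added example (this is not PowerSPF or any vendor's code): include: terms are replaced by the ip4/ip6 terms they resolve to, and the result is split into the 255-character strings a TXT record allows (the size limit from section 6 above). The DNS table and domain names are constructed for the example; a real flattener would query DNS and re-run whenever a provider's records change, which is the maintenance burden the paragraph above describes.

```python
# Added example, not PowerSPF or any vendor's code: flatten an SPF record by
# replacing include: terms with the ip4/ip6 terms they resolve to (against a
# constructed stub DNS table), then split the result into the 255-character
# strings a TXT record allows. Any a/mx/ptr/exists terms would still need an
# address lookup and are not handled here.
FAKE_DNS = {
    "example.com": "v=spf1 include:spf.mailer.test include:spf.crm.test -all",
    "spf.mailer.test": "v=spf1 ip4:203.0.113.0/24 include:spf.mailer2.test ~all",
    "spf.mailer2.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "spf.crm.test": "v=spf1 ip4:198.51.100.10 ip4:192.0.2.0/25 -all",
}

def collect_ips(domain, dns=FAKE_DNS, path=frozenset()):
    """Depth-first list of ip4/ip6 terms reachable from domain's record,
    deduplicated but kept in first-seen order; an include loop is skipped."""
    if domain in path or domain not in dns:
        return []
    ips = []
    for term in dns[domain].split()[1:]:
        body = term.lstrip("+-~?")
        if body.startswith(("ip4:", "ip6:")):
            if body not in ips:
                ips.append(body)
        elif body.startswith("include:"):
            for ip in collect_ips(body[len("include:"):], dns, path | {domain}):
                if ip not in ips:
                    ips.append(ip)
    return ips

def flatten(domain, dns=FAKE_DNS, tail="-all"):
    """Return (flattened record, list of TXT strings each <= 255 chars).
    Strings in a TXT record are concatenated with no separator, so every
    chunk after the first starts with the space that ended the last term."""
    record = " ".join(["v=spf1", *collect_ips(domain, dns), tail])
    chunks, cur = [], ""
    for term in record.split():
        if cur and len(cur) + 1 + len(term) > 255:
            chunks.append(cur)
            cur = " " + term
        else:
            cur = f"{cur} {term}" if cur else term
    chunks.append(cur)
    return record, chunks
```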
PowerSPF is our hosted SPF flattening and optimization tool that automates the entire process, so you never have to worry about lookup limits or IP changes again.
- Auto-Updates When Vendors Change IPs: We keep your SPF record updated in real time.
- One-Time Setup: Set it once and forget it. No ongoing maintenance.
- Lookup Count Stays Low: Your SPF record stays lean and compliant with RFC guidelines and restrictions.
FAQs
- Can SPF exceed 10 lookups if needed?
No, SPF is strictly limited to 10 DNS lookups during evaluation, as defined in RFC 7208. Exceeding this limit causes a Permerror, and your emails may be rejected or marked as spam.
- Can I have multiple SPF records?
No. You should set up only one SPF record per domain that authorizes all your sending sources for that domain. Multiple records can invalidate all of them, causing errors.
- What’s the safest way to fix Permerror?
The safest way to fix Permerror is to use a hosted SPF solution like PowerSPF to dynamically optimize SPF, with expert support available 24/7.
- Is flattening safe for dynamic IPs?
If your provider uses dynamic IPs, manual flattening can quickly become outdated, causing SPF failures. For dynamic or frequently changing IPs, the safest option is to use a hosted solution which automatically fetches and updates IPs on your behalf.
Final Thoughts
SPF Permerror can impact your deliverability, domain health, and security. Simple efforts like removing redundant mechanisms, replacing mechanisms with IP ranges, and monitoring deliverability can go a long way.
And for organizations who wish to avoid the hassle and save time, there are hosted solutions like PowerSPF. Interested in learning how it works and how it can be transformative for your authentication posture? Schedule a free demo today with one of our in-house experts!