SPF (Sender Policy Framework) is an email authentication protocol that lets receiving mail servers check whether the server delivering a message is authorized to send on behalf of the domain in the envelope sender (MAIL FROM) or HELO identity. Without an SPF record, anyone can send email claiming to come from your domain, and receivers have no published policy to check it against. SPF acts as a security checkpoint: the receiver looks up your domain's SPF record in DNS and checks whether the connecting IP address is listed as an authorized sender or whether an impersonator is misusing your domain name.
SPF is not perfect, however. It comes with a set of rules and limits, and failing to comply with them can break your SPF protection. One of these is the 10 DNS lookup limit: during a single SPF check, a receiver may evaluate at most 10 mechanisms or modifiers that require a DNS query. Going over the limit does not merely weaken the record, it makes evaluation stop with a permanent error, better known as an SPF Permerror.
Key Takeaways
- SPF Permerror indicates that a fundamental problem exists with a domain’s SPF record, preventing accurate evaluation.
- Exceeding the 10 DNS lookup limit can cause severe issues, such as email rejection or classification as spam.
- Syntax errors in the SPF record can lead to Permerror, necessitating careful formatting and verification.
- Oversized SPF records can exceed established character limits, contributing to deliverability issues and potential SPF errors.
- Utilizing SPF flattening tools can help optimize records to prevent Permerrors and enhance email authentication.
What is SPF Permerror?
An SPF Permerror (permanent error) occurs when there is a critical issue with the Sender Policy Framework (SPF) record that prevents the receiver from evaluating it at all. This typically means the record is invalid or misconfigured: a syntax error, more than one SPF record on the same name, an include that points to a domain with no SPF record, or too many DNS lookups. It is different from an SPF 'fail', which is a definitive result meaning the record was evaluated and the sender was not authorized, and from a 'temperror', which is a transient DNS problem the receiver may retry. A Permerror says that the record itself is broken and will stay broken until the domain owner fixes it.
SPF Permerror can have a negative impact on your email deliverability, leading to rejections and spam-folder placement. It also undermines DMARC: a Permerror is not an SPF pass, so it cannot produce SPF alignment, and if your DMARC setup relies on SPF alone for a sending source (for instance because DKIM is not configured there), every message from that source will fail DMARC.
What is the difference between SPF fail and Permerror?
The difference between an SPF fail and a Permerror is that one is a verdict and the other is the absence of a verdict:
1. SPF Fail: The receiving server evaluated the SPF record of the sender's domain and determined that the sending server is not authorized to send emails on behalf of that domain.
Result type: Definitive authentication result, not an error (a transient DNS problem is reported separately as a temperror)
Cause: The sending IP address is not covered by any mechanism in the SPF record, and the record ends in -all (a ~all would give a softfail instead).
Example scenario: An unauthorized third party is trying to send emails on behalf of your domain.
Possible fixes: If the sender is legitimate, add its IP address or its provider's include mechanism to the SPF record; if it is not, the fail is SPF doing its job.
2. SPF Permerror: SPF Permerror, short for SPF permanent error, occurs when there is a critical problem with the SPF record that prevents it from being properly evaluated. A Permerror indicates that the SPF record cannot be processed accurately, making it impossible to determine if the sending server is authorized or not.
Error type: Permanent error
Cause: Syntax errors, too many DNS lookups, multiple SPF records.
Example scenario: Exceeding the 10 DNS lookup limit for SPF.
Possible fixes: Correct the syntax, remove the duplicate record, or bring the lookup count under 10 with SPF flattening or SPF macros.
What Causes SPF Permerror?
SPF Permerror can be caused by a variety of factors, like too many DNS lookups that exceed the SPF limit, syntax errors, and configuration issues. Let’s explore what they are:
1. SPF Syntax Errors
Incorrect formatting or syntax within the SPF record can trigger a Permerror, because a receiver that cannot parse the record cannot evaluate it. Common causes:
- Missing or misplaced characters, such as quotes (“) and colons (:)
- Incorrectly formatted mechanisms or qualifiers
- Invalid macro definitions
Examples:
Missing colon: v=spf1 include_spf.example.com -all (include requires a colon before the domain, so the receiver sees an unknown term)
Misplaced qualifier: v=spf1 mx+ a:mail.example.com -all (a qualifier goes in front of its mechanism, as in +mx; a trailing + is a parse error)
2. DNS Configuration Issues
DNS configuration issues involve problems with how the SPF record is published in the Domain Name System (DNS) rather than with its contents. These issues include:
- Incorrect or incomplete DNS configuration for the domain, such as the record being published on the wrong name (a subdomain instead of the domain that actually appears in the envelope sender).
- More than one TXT record beginning with v=spf1 on the same name. RFC 7208 requires exactly one, and a receiver that finds two returns Permerror.
- An include or redirect that points to a domain with no SPF record, which RFC 7208 also treats as a Permerror.
Example:
A domain publishes v=spf1 include:_spf.example.com -all and, left over from an earlier provider, a second TXT record v=spf1 mx -all. Receivers see two SPF records and return Permerror for every message, even though each record on its own is valid.
3. Too Many DNS Lookups
DNS lookup limits are constraints imposed by the SPF specification (RFC 7208, section 4.6.4) to keep SPF evaluation from generating excessive DNS traffic. They are:
- A maximum of 10 mechanisms or modifiers that require a DNS query: include, a, mx, ptr, exists and redirect=. The ip4, ip6 and all mechanisms do not count, which is why they are the building blocks of a flattened record. The count is cumulative across every include that is followed.
- A maximum of 2 “void” lookups: DNS queries during evaluation that return NXDOMAIN or no records (for example an a: or mx: mechanism naming a host that does not exist).
Exceeding either limit results in a Permerror.
Example:
An SPF record with several include mechanisms whose targets themselves contain include, a and mx mechanisms, so that the cumulative count passes 10. Each third-party provider you include spends some of your budget, and you do not control how many lookups their record uses.
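To make the causes in sections 1 through 3 concrete, here is an added example, written for this article and not PowerDMARC's or any SPF library's code, that walks a record the way a receiving server does and applies the RFC 7208 rules: it rejects an unparseable term such as the missing colon above, refuses a name that publishes two SPF records, and counts both DNS lookups and void lookups across nested includes. It assumes an in-memory DNS fixture of invented records on reserved `.example` names in place of real DNS, so it runs offline; to check a live domain you would replace the `FIXTURE` dict with a resolver.

```python
import re
from typing import Dict, List, Tuple

MAX_LOOKUPS = 10       # RFC 7208 s4.6.4: include, a, mx, ptr, exists and redirect= each cost one
MAX_VOID_LOOKUPS = 2   # RFC 7208 s4.6.4: answers that are NXDOMAIN or empty

# Constructed offline DNS fixture: ".example" is reserved for documentation (RFC 2606) and
# every record below is invented. Keyed (owner name, rrtype) -> answers; missing key = no data.
FIXTURE: Dict[Tuple[str, str], List[str]] = {
    ("good.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer-a.example -all"],
    ("good.example", "MX"): ["mail.good.example"],
    ("big.example", "TXT"): ["v=spf1 mx include:_spf.mailer-a.example include:_spf.mailer-b.example -all"],
    ("big.example", "MX"): ["mail.big.example"],
    ("syntax.example", "TXT"): ["v=spf1 include_spf.example.com -all"],      # colon missing
    ("double.example", "TXT"): ["v=spf1 mx -all", "v=spf1 a -all"],           # two SPF records
    ("void.example", "TXT"): ["v=spf1 a:gone1.example a:gone2.example a:gone3.example -all"],
    ("_spf.mailer-a.example", "TXT"): ["v=spf1 include:a1.mailer-a.example ~all"],
    ("a1.mailer-a.example", "TXT"): ["v=spf1 a ~all"],
    ("a1.mailer-a.example", "A"): ["198.51.100.10"],
    ("_spf.mailer-b.example", "TXT"): ["v=spf1 include:b1.mailer-b.example "
                                       "include:b2.mailer-b.example include:b3.mailer-b.example ~all"],
}
for i, host in enumerate(("b1", "b2", "b3"), start=1):
    name = f"{host}.mailer-b.example"
    FIXTURE[(name, "TXT")] = ["v=spf1 a mx ~all"]
    FIXTURE[(name, "A")] = [f"203.0.113.{i}"]
    FIXTURE[(name, "MX")] = [f"mx.{name}"]

# One term: optional qualifier, mechanism name, optional ':' argument, optional '/' cidr.
TERM = re.compile(r"^(?P<qual>[+\-~?])?(?P<mech>all|include|a|mx|ptr|ip4|ip6|exists)"
                  r"(?::(?P<value>[^/\s]+))?(?P<cidr>/\d{1,3}(?://\d{1,3})?)?$", re.IGNORECASE)
MODIFIER = re.compile(r"^(?P<name>[a-z][a-z0-9_.-]*)=(?P<value>\S+)$", re.IGNORECASE)
NEEDS_VALUE = {"include", "ip4", "ip6", "exists"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


class PermError(Exception):
    """Any condition that RFC 7208 maps to the 'permerror' result."""


class SpfChecker:
    """Walk a domain's SPF record as a receiver would, enforcing both lookup limits."""

    def __init__(self, resolver: Dict[Tuple[str, str], List[str]]):
        self.resolver, self.lookups, self.void_lookups = resolver, 0, 0

    def query(self, name: str, rrtype: str) -> List[str]:
        answers = self.resolver.get((name.lower(), rrtype), [])
        if not answers:  # NXDOMAIN or NODATA is a void lookup
            self.void_lookups += 1
            if self.void_lookups > MAX_VOID_LOOKUPS:
                raise PermError(f"void lookup #{self.void_lookups} ({name}/{rrtype}) exceeds {MAX_VOID_LOOKUPS}")
        return answers

    def count_lookup(self, term: str, domain: str) -> None:
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise PermError(f"'{term}' in {domain} is DNS lookup #{self.lookups}, limit is {MAX_LOOKUPS}")

    def spf_record(self, domain: str) -> str:
        records = [r for r in self.query(domain, "TXT") if r.lower().startswith("v=spf1")]
        if len(records) != 1:  # s3.2: exactly one record; s5.2: include target must have one
            raise PermError(f"{domain} publishes {len(records)} SPF records (exactly one required)")
        return records[0]

    def walk(self, domain: str) -> None:
        for term in self.spf_record(domain).split()[1:]:  # skip the v=spf1 tag
            m = TERM.match(term)
            if m is None:
                mod = MODIFIER.match(term)
                if mod is None:
                    raise PermError(f"'{term}' in {domain} is not a valid mechanism or modifier")
                if mod["name"].lower() == "redirect":  # redirect= costs a lookup and recurses
                    self.count_lookup(term, domain)
                    self.walk(mod["value"])
                continue  # exp= and unknown modifiers are ignored
            mech, value = m["mech"].lower(), m["value"]
            if mech in NEEDS_VALUE and not value:
                raise PermError(f"'{term}' in {domain} requires a ':' argument")
            if mech in LOOKUP_MECHS:
                self.count_lookup(term, domain)
            target = value or domain
            if mech == "include":
                self.walk(target)
            elif mech in ("a", "exists"):
                self.query(target, "A")
            elif mech == "mx":
                self.query(target, "MX")  # A lookups of each MX host have their own limit of 10

    def check(self, domain: str) -> dict:
        try:
            self.walk(domain)
        except PermError as err:
            return {"status": "permerror", "reason": str(err), "lookups": self.lookups, "void": self.void_lookups}
        return {"status": "ok", "reason": "", "lookups": self.lookups, "void": self.void_lookups}


def check_domain(domain: str, resolver=FIXTURE) -> dict:
    return SpfChecker(resolver).check(domain)
```

Calling `check_domain("big.example")` reports a Permerror at lookup 11 (the `mx` inside the second provider's third-level include), while `good.example` passes with 4 lookups. The checker walks every term regardless of a sending IP, so it finds the worst case: a real evaluation stops at the first matching mechanism, which is why an over-limit record can still pass for senders listed early and fail for those listed late.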
4. Oversized SPF Records
Oversized SPF records are records whose size exceeds the limits of the DNS TXT record format as specified by the IETF. A single character-string inside a TXT record is limited to 255 octets; a longer record must be published as several strings, which receivers concatenate before parsing (RFC 7208, section 3.3). RFC 7208 section 3.4 also recommends that the whole DNS answer fit in a 512-octet UDP response, because some resolvers do not retry over TCP when the answer is truncated. Causes of oversized SPF records include:
- Including numerous mechanisms, qualifiers, or modifiers, leading to excessive character count.
- Redundant or unnecessary entries in the SPF record, bloating its size.
Example:
A single SPF record that lists dozens of individual IP addresses and networks, typically the result of manual flattening, grows past 255 characters. If the DNS provider does not split it into multiple strings it cannot be published, or it is published truncated and fails to parse.
What is the 10 DNS lookup limit?
The 10 DNS lookup limit is a restriction that RFC 7208 imposes on SPF evaluation: while checking an incoming message, a receiving server may perform at most 10 DNS lookups triggered by the SPF record's mechanisms and modifiers (include, a, mx, ptr, exists and redirect). Lookups triggered by nested includes count against the same budget of 10.
This limitation prevents excessive DNS queries and the performance and abuse problems they would cause. If a domain's SPF record exceeds the 10 DNS lookup limit, the receiver returns Permerror, and depending on its policy it may reject the message, quarantine it, or treat it as unauthenticated for DMARC. Therefore, it is crucial to manage and optimize the number of DNS lookups within an SPF record to ensure proper email delivery and SPF validation.
Why does RFC specify this stringent SPF DNS lookup limit for domains?
While the lookup limit can appear to be an unwelcome SPF limitation, it isn't necessarily so. RFC 7208 imposes it to keep SPF from becoming a Denial-of-Service vector against receivers and the DNS.
Without a limit, a threat actor could publish an SPF record on a throwaway domain that expands, through chains of include and redirect terms referencing other domains, into hundreds of DNS queries, then send bulk mail using that domain so that every receiving server performs the whole chain for every message. The 10-lookup limit bounds the work a receiver will do for any single SPF check: a malicious record forcing 100+ lookups per email simply evaluates to Permerror after the tenth.
How Do Too Many DNS Lookups Impact Your Emails?
If there are too many DNS lookups involved in the SPF record, the effects go beyond the Permerror itself. Too many DNS lookups can cause inconsistent deliverability across recipients and, once the limit is crossed, trigger SPF Permerror.
1. May Cause Delivery Delays
Excessive DNS lookups can increase the time it takes to process SPF records. This can cause delays in email delivery, as the receiving server needs to wait for responses from multiple DNS servers.
2. May Lead to Timeout Errors
DNS lookups involve communication between the receiving server and DNS servers. Too many DNS lookups increase the likelihood of timeout errors, resulting in SPF evaluation failures or prolonged delivery times.
3. May Increase Risk of SPF Permerror
If the SPF record exceeds these lookup limits, it can trigger a Permerror, indicating that the SPF record cannot be processed accurately. The email can be flagged as suspicious or potentially rejected.
4. May Result in Incomplete SPF Evaluation
If the receiving server hits the lookup limit or a timeout while walking the record, it terminates SPF evaluation before reaching the mechanism that would have authorized your sender. Receivers differ in how they then treat the message, which is why the symptoms of an over-limit record are often inconsistent from one recipient to the next.
How to Fix SPF Permerror and Overcome 10 DNS lookup Limit?
To resolve SPF Permerror, ensure efficient lookup utilization through SPF flattening so that you can optimize your SPF record to stay under the 10 DNS lookup limit during checks.
1. Fix Permerror by Manually Reducing Lookups
You can replace your SPF “include” and/or “redirect” mechanisms (and likewise “a” and “mx”) with the IP addresses they resolve to. While this fixes the Permerror, it's not an ideal solution: the record may grow past the TXT string length limits after the long list of IPs is added, and the third party's IP addresses can change at any time without notice, leaving your record silently out of date.
For instance, consider the following SPF record with multiple “include” mechanisms:
v=spf1 include:_spf.example.com include:_spf.anotherexample.com -all
To reduce DNS lookups, you can replace the “include” mechanisms with IP addresses:
v=spf1 ip4:192.0.2.1 ip4:203.0.113.5 -all
In this example, the domains _spf.example.com and _spf.anotherexample.com have been replaced with the IP addresses their records resolved to (192.0.2.1 and 203.0.113.5, respectively; these are documentation addresses standing in for a provider's real ranges).
While this manual reduction of DNS lookups fixes the Permerror, two limitations need planning around. One is the character limit: a long list of IP addresses may exceed the 255-octet TXT string limit or the 512-octet UDP response size, leading to additional errors, so the record has to be split into multiple strings and kept as short as CIDR notation allows.
Warning: Manually replacing ‘include’ with IPs is brittle. Third-party IPs often change, and nothing tells you when they do, so a hand-flattened record must be regenerated on a schedule.
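The manual flattening described above, carried out in code as an added example that is not the article's or PowerDMARC's own tooling. It resolves every include, a and mx term in a constructed zone of invented `.example` records into ip4 terms, then deals with the oversized-record problem from section 4 by splitting the result into 255-octet TXT strings and estimating whether the DNS answer still fits in a 512-octet UDP response. The zone contents, the `big.example` record and the 40-address `LONG_RECORD` are assumptions made for the demonstration.

```python
from typing import Dict, List, Tuple

# Constructed zone of invented records on reserved ".example" names (RFC 2606),
# keyed (owner name, rrtype) -> answers, so the example runs with no real DNS.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("big.example", "TXT"): ["v=spf1 mx include:_spf.mailer-a.example include:_spf.mailer-b.example -all"],
    ("big.example", "MX"): ["mail.big.example"],
    ("mail.big.example", "A"): ["192.0.2.25"],
    ("_spf.mailer-a.example", "TXT"): ["v=spf1 include:a1.mailer-a.example ~all"],
    ("a1.mailer-a.example", "TXT"): ["v=spf1 a ~all"],
    ("a1.mailer-a.example", "A"): ["198.51.100.10"],
    ("_spf.mailer-b.example", "TXT"): ["v=spf1 include:b1.mailer-b.example "
                                       "include:b2.mailer-b.example include:b3.mailer-b.example ~all"],
}
for i, host in enumerate(("b1", "b2", "b3"), start=1):
    name = f"{host}.mailer-b.example"
    ZONE[(name, "TXT")] = ["v=spf1 a mx ~all"]
    ZONE[(name, "A")] = [f"203.0.113.{i}"]
    ZONE[(name, "MX")] = [f"mx.{name}"]
    ZONE[(f"mx.{name}", "A")] = [f"203.0.113.{10 + i}"]

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
# A deliberately long constructed record (40 single addresses) to show TXT string splitting.
LONG_RECORD = "v=spf1 " + " ".join(f"ip4:198.51.100.{n}" for n in range(1, 41)) + " -all"


def spf_record(domain: str, zone=ZONE) -> str:
    """Return the one v=spf1 TXT record published at `domain`."""
    found = [r for r in zone.get((domain.lower(), "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(found)}")
    return found[0]


def split_term(term: str) -> Tuple[str, str, str]:
    """'-include:x' -> ('-', 'include', 'x'); 'mx:h/24' -> ('', 'mx', 'h'); cidr suffixes dropped."""
    qual = term[0] if term[0] in "+-~?" else ""
    mech, _, arg = term[len(qual):].partition(":")
    return qual, mech.split("/")[0].lower(), arg.split("/")[0]


def lookup_terms(record: str) -> int:
    """Count the terms in one record that each cost a DNS lookup (top level only)."""
    return sum(1 for t in record.split()[1:]
               if split_term(t)[1] in LOOKUP_MECHS or t.lower().startswith("redirect="))


def flatten_terms(domain: str, zone=ZONE) -> List[str]:
    """Replace include, redirect=, a and mx with the ip4 terms they resolve to."""
    out: List[str] = []
    for term in spf_record(domain, zone).split()[1:]:
        qual, mech, arg = split_term(term)
        if term.lower().startswith("redirect="):
            out += flatten_terms(term[9:], zone)             # redirect hands over the whole record
        elif mech == "include":                               # an include's own 'all' never matches
            out += [t for t in flatten_terms(arg, zone) if split_term(t)[1] != "all"]
        elif mech == "a":
            out += [f"{qual}ip4:{ip}" for ip in zone.get((arg or domain, "A"), [])]
        elif mech == "mx":
            for mx in zone.get((arg or domain, "MX"), []):
                out += [f"{qual}ip4:{ip}" for ip in zone.get((mx, "A"), [])]
        else:
            out.append(term)                                  # ip4, ip6, exists, ptr, all kept verbatim
    return list(dict.fromkeys(out))                           # de-duplicate, preserving order


def flatten_record(domain: str, zone=ZONE) -> str:
    return "v=spf1 " + " ".join(flatten_terms(domain, zone))


def to_txt_strings(record: str, limit: int = 255) -> List[str]:
    """Split on term boundaries into character-strings of at most `limit` octets. Receivers
    concatenate the strings with no separator, so every string but the last keeps its trailing space."""
    strings: List[str] = []
    current = ""
    for term in record.split():
        if current and len(current) + len(term) + 1 > limit:
            strings.append(current)
            current = ""
        current += term + " "
    strings.append(current.rstrip())
    return strings


def zone_line(name: str, strings: List[str]) -> str:
    """BIND-style zone file line for a multi-string TXT record."""
    return f"{name}. IN TXT " + " ".join(f'"{s}"' for s in strings)


def fits_udp_response(name: str, strings: List[str]) -> bool:
    """Rough size of a minimal DNS answer: 12-octet header, the question, one TXT RR with a
    2-octet compressed owner name, 10 octets of type/class/TTL/RDLENGTH, and RDATA in which
    each string costs its length plus one length octet. RFC 7208 s3.4 wants this under 512."""
    question = len(name) + 2 + 4
    rdata = sum(len(s) + 1 for s in strings)
    return 12 + question + 2 + 10 + rdata <= 512


if __name__ == "__main__":
    before, after = spf_record("big.example"), flatten_record("big.example")
    print(f"lookups: {lookup_terms(before)} -> {lookup_terms(after)}")
    print(zone_line("big.example", to_txt_strings(after)))
    chunks = to_txt_strings(LONG_RECORD)
    print(f"{len(LONG_RECORD)} chars -> {len(chunks)} strings, fits in UDP: {fits_udp_response('big.example', chunks)}")
```

For `big.example` the three top-level lookup terms become eight ip4 terms and zero lookups, and the result still fits in one TXT string. The 40-address `LONG_RECORD` needs three strings and pushes the estimated answer past 512 octets, which is the signal to collapse addresses into CIDR ranges or move to a hosted or macro-based approach rather than publishing it as-is.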
2. Fix Permerror Using an Automatic SPF Optimization Tool
A more effective way to avoid SPF errors is to deploy an SPF flattening tool or, better still, SPF Macros. A solution that encapsulates both within an automatic, hassle-free, hosted service is PowerSPF. This not only ensures that you stay within the 10 DNS lookup limit, but it also keeps you updated on any changes made by your email service providers and vendors who often add or change their IP addresses.
What’s even better is that it takes no more than a few clicks! The steps to use the tool are shown below:
1. Sign up on PowerDMARC for free
2. Go to Hosted Services > PowerSPF
3. Create your SPF record following the instructions provided by the tool
4. Click to enable the PowerSPF button
5. Publish the PowerSPF custom SPF record on your DNS, following which the “pending” status will convert to an “enabled” status
And you’re done! This is the quickest, easiest, and most effective way to prevent SPF permerror. PowerSPF automates flattening, ensuring compliance and automatic updates when vendors change IPs.
Advanced Strategies for SPF Optimization
SPF flattening is the process of converting “include” statements and the other lookup-based mechanisms (a, mx, redirect) into the list of ip4 and ip6 terms they resolve to. A flattened record needs no DNS queries beyond the initial TXT fetch, so it always stays under the lookup limit; the trade-off is that it must be regenerated whenever a provider's addresses change.
Advantages and Disadvantages of SPF Flattening
Advantages | Disadvantages |
---|---|
Reduced DNS lookups | IP address changes may break SPF |
Minimized SPF errors like Permerror | A long IP list can exceed the SPF length limit |
Better control and overview of SPF records | If manual updates are needed, it may be difficult to maintain. |
1. Removing Invalid or Unused Domain References
Each include statement in an SPF record triggers a separate DNS lookup. If a domain is no longer relevant (e.g., an old email provider that is no longer in use), keeping its include statement unnecessarily consumes lookups, potentially causing SPF validation failures. Removing these statements optimizes the record and improves efficiency.
Steps to Identify and Remove Invalid or Unused Domains
- Review your SPF record and list all include statements along with domain references.
- Now check for active usage, identifying which domains are still being used for outbound email.
- Using SPF Lookup Tools like PowerDMARC’s SPF checker can help check whether an included domain is still valid.
- Consult your email vendor to verify which include mechanisms are required for current email services.
- Finally, remove the unused include statements and check your SPF record again to ensure that it’s correct.
2. Avoiding the SPF “ptr” Mechanism
The ptr mechanism in SPF checks whether the sending IP address has a reverse DNS (PTR) record naming a host within the sender's domain, and then whether that hostname resolves back to the same IP. This approach has several drawbacks. It slows down SPF evaluation, since the reverse lookup is an extra round trip, and it counts against the 10-lookup limit like any other lookup mechanism. It is also unreliable, as not all email senders have properly configured PTR records. Most importantly, RFC 7208 marks ptr as “do not use”: receivers are allowed to skip evaluating it, so a record that relies on it can leave your legitimate mail unauthenticated.
3. Eliminating Redundant Mechanisms
Many SPF records contain duplicate or overlapping mechanisms, such as multiple include statements for the same domain. This redundancy increases SPF complexity and wastes valuable DNS lookups. A way around this is to:
- Identify duplicates and remove redundant mechanisms.
- Consolidate and merge includes if multiple are pointing to the same domain.
- Use the “a” and “mx” mechanisms sparingly: each costs a DNS lookup (and mx has its own limit of 10 MX hosts), whereas an ip4/ip6 term for the same host costs none.
- Finally, always test your SPF record for validity and ensure that your sending sources are up-to-date.
4. Use ip4 and ip6 Mechanisms
Unlike include, a and mx mechanisms, which each cost a DNS lookup, ip4 and ip6 mechanisms list addresses directly in the SPF record and cost none, so they are the only way to authorize a sender without spending lookup budget. Use CIDR notation (for example ip4:192.0.2.0/24) to cover a provider's whole range in one term instead of one term per address, which keeps the record short as well as lookup-free.
Fix SPF Errors to Improve Your Email Deliverability
Fixing SPF errors is of the utmost importance due to several reasons. It significantly impacts email deliverability as SPF errors can lead to legitimate emails being marked as spam or rejected by receiving mail servers, resulting in a decreased chance of reaching recipients’ inboxes. Moreover, SPF serves as a vital sender authentication mechanism, enabling email recipients to verify the legitimacy of the sender’s domain.
By resolving SPF errors, you ensure that your legitimate emails are properly authenticated, reducing the risk of your domain being exploited for email spoofing or phishing attacks. Addressing SPF errors helps safeguard your brand reputation, as consistent delivery failures and spam markings can harm the perception of your brand’s trustworthiness and credibility.