What Is an SPF PermError?

Why SPF Has a Lookup Limit

SPF evaluation requires DNS queries. To prevent denial-of-service attacks where a malicious SPF record triggers hundreds of DNS lookups, RFC 7208 limits the total number of DNS-querying mechanisms to 10 per SPF evaluation. Mechanisms that count toward this limit include include, a, mx, redirect, and exists. Nested includes count too.

Common Causes of SPF PermError

Too many lookups: Each SaaS email provider you add (Google, Microsoft, Mailchimp, SendGrid, etc.) adds include statements, each consuming lookups. With nested includes, you can easily exceed 10. Syntax errors: Typos, missing spaces, or invalid mechanisms cause PermError. Multiple SPF records: A domain must have exactly one SPF TXT record. Two or more cause PermError. Void lookup limit: More than 2 lookups that return no records also triggers PermError.

How to Fix SPF PermError

First, check your total lookup count using our SPF Checker. Then reduce lookups by removing unused includes, replacing include mechanisms with direct ip4 or ip6 entries, or using our SPF Flattener to automatically resolve includes into IP addresses.

Frequently Asked Questions

What causes an SPF PermError?

The most common cause is exceeding the 10 DNS lookup limit. Other causes include syntax errors, multiple SPF records on the same domain, and void lookup limits being exceeded.

How do I fix an SPF PermError?

Count your total DNS lookups, remove unused includes, replace include mechanisms with direct IP entries where possible, or use SPF flattening. Ensure you have exactly one SPF record with valid syntax.

What happens when SPF returns PermError?

The receiving server cannot determine if the sender is authorized. Depending on the DMARC policy, the email may be rejected, quarantined, or delivered with reduced trust. PermError effectively breaks SPF authentication for your domain.