SPF PermError: What It Means and How to Fix It
Learn what SPF PermError means and how to fix it. Covers multiple SPF records, the 10 DNS lookup limit, syntax errors, and more.
Last updated: 2026-05-04
An SPF PermError is one of the worst outcomes your email authentication can produce. Unlike a SoftFail, which gives receiving servers some flexibility, a PermError means your SPF record is fundamentally broken and cannot be evaluated at all. The result is that most receiving servers treat it as an authentication failure, which can send your emails straight to spam or get them rejected.
This guide explains every common cause of SPF PermError and walks you through fixing each one. For a broader overview of SPF configuration, see our complete SPF guide.
What SPF PermError Means
When a receiving email server checks your SPF record, it follows rules defined in the SPF specification (RFC 7208). If something in your record violates those rules in a way that makes evaluation impossible, the server returns a PermError — short for "permanent error."
Unlike a TempError (which might resolve on its own after a DNS timeout), a PermError keeps happening on every email until you fix the underlying problem.
PermError is worse than SoftFail
A SoftFail (~all) still lets receiving servers make a judgment call. A PermError gives them no useful information — your SPF record is simply broken. Many servers treat PermError the same as a hard fail, meaning your emails are more likely to be rejected or filtered to spam.
Check Your SPF Record for Errors
Start by looking at what your SPF record currently says. The checker tool below will identify PermError causes automatically.
Common Causes of SPF PermError
1. Multiple SPF Records on the Same Domain
This is the single most common cause of PermError. The SPF specification (RFC 7208 Section 3.4) requires exactly one SPF record per domain. If your DNS has two or more TXT records that start with v=spf1, every SPF check will return PermError.
How it happens: You add a new email service and create a new SPF record instead of editing the existing one. Or a hosting provider automatically creates an SPF record that conflicts with the one you already have.
Wrong — two separate records:
v=spf1 include:_spf.google.com ~all
v=spf1 include:mail.zendesk.com ~all
Correct — one combined record:
v=spf1 include:_spf.google.com include:mail.zendesk.com ~all
2. Exceeding the 10 DNS Lookup Limit
The SPF specification (RFC 7208 Section 4.6.4) limits you to 10 DNS lookups during SPF evaluation. Each include, a, mx, and redirect mechanism triggers a lookup. If your record requires more than 10 lookups (including nested lookups inside includes), the evaluation stops and returns PermError.
Example of a record that exceeds the limit:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:servers.mcsv.net include:mail.zendesk.com include:spf.brevo.com ~all
Even though you see six includes, the total lookup count might be 15 or more because each include can contain nested lookups. See SPF 10 DNS Lookup Limit and SPF flattening for solutions.
3. Syntax Errors in the SPF Record
A malformed SPF record cannot be parsed and triggers PermError. Common syntax mistakes include:
- Misspelled mechanisms:
incldue:instead ofinclude:, oriclude:instead ofinclude: - Missing colons:
include_spf.google.cominstead ofinclude:_spf.google.com - Invalid characters: Extra spaces, tabs, or special characters that do not belong
- Wrong mechanism names: Using
allow:orpermit:instead of valid SPF mechanisms - Missing the
v=spf1prefix: The record must start with exactlyv=spf1
If you are not sure whether your record has syntax issues, SPF Creator can generate a properly formatted record based on your email services.
4. Circular Includes
If your SPF record includes a domain whose SPF record includes yours back, this creates an infinite loop. The evaluating server detects this and returns PermError.
Example:
domain-a.comSPF:v=spf1 include:domain-b.com ~alldomain-b.comSPF:v=spf1 include:domain-a.com ~all
This is rare with third-party services, but it can happen when companies manage SPF across multiple domains they own.
5. Too Many Void Lookups
A "void lookup" happens when a DNS lookup in your SPF record returns no result — either because the domain does not exist or because it has no matching DNS records. The SPF specification (RFC 7208 Section 11.1) limits void lookups to two. Exceeding this returns PermError.
Common causes:
- An include domain that no longer exists (maybe a service you cancelled)
- A typo in an include domain name
- Using
a:subdomain.example.comwhere that subdomain has no A record
How to Fix SPF PermError
Check for multiple SPF records
Use the checker tool above to see if your domain has more than one SPF record. If it does, combine them into a single record that includes all your authorized senders. Delete the extra records.
Count your DNS lookups
The checker tool shows your total lookup count. If you are over 10, you need to reduce lookups. Options include removing services you no longer use, replacing include statements with ip4 or ip6 mechanisms (which do not count as lookups), or using SPF flattening.
Check for syntax errors
Review your SPF record character by character. Make sure every mechanism is spelled correctly, colons are in the right places, and there are no stray characters. The checker tool flags specific syntax errors.
Verify all include domains exist
For each include: in your record, confirm the target domain exists and has a valid SPF record. Remove includes for services you no longer use.
Check for circular references
If you include your own domains, make sure none of them include you back. Trace the include chain to confirm there are no loops.
Save and verify
After making changes, save the updated DNS record and wait for propagation (typically 1-4 hours). Then re-check with the tool above to confirm the PermError is resolved.
Impact on Email Delivery
PermError does not just affect the emails that fail — it affects your domain's reputation over time. Here is how it compares to other SPF results:
| SPF Result | Meaning | Impact |
|---|---|---|
| SPF Pass | Email authenticated successfully | Positive signal for delivery |
| SPF SoftFail | IP not authorized, but not definitive | Email may be accepted with suspicion |
| SPF Fail (HardFail) | IP explicitly not authorized | Email likely rejected or sent to spam |
| SPF PermError | Record is broken, cannot be evaluated | Treated like a fail — email rejected or sent to spam |
The takeaway: PermError is effectively as bad as a hard fail, but it is entirely preventable. A hard fail might be intentional — a PermError is always a configuration mistake.
Preventing Future PermErrors
Validate before saving. Before publishing any SPF record change, check it with the tool above to confirm correct syntax and lookup count.
Document your includes. Keep a record of what each include is for. When you stop using a service, remove its include.
Monitor continuously. SPF records can break when a provider changes their include domains or when someone on your team makes a DNS change. The Email Deliverability Suite watches your SPF, DKIM, and DMARC records daily and alerts you when something breaks.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- RFC 7208 Section 3.4: Record Lookup — Only one SPF record per domain is allowed
- RFC 7208 Section 4.6.4: DNS Lookup Limits — The 10 DNS lookup limit
- RFC 7208 Section 11.1: Processing Limits — The 2 void lookup limit
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring