SPF permerror means your SPF record has a permanent error that prevents evaluation. Common causes: exceeding 10 DNS lookups, syntax errors, multiple SPF records, or infinite loops. Fix by reducing includes, flattening the record, correcting syntax, or merging duplicate records. Use MXToolbox to diagnose the specific cause.
SPF Permerror: Causes and How to Fix It
What SPF Permerror Means
When a receiving server evaluates your SPF record and returns permerror, it means your record has a permanent structural problem. The server can't determine whether to pass or fail the sender—it just gives up.
Unlike temperror (temporary DNS issues), permerror won't fix itself. Your SPF record needs changes.
Diagnosing the Cause
Run your domain through MXToolbox SPF Record Lookup or use dig:
dig TXT yourdomain.com +short
Common permerror causes and how to identify them:
Cause 1: Too Many DNS Lookups
SPF allows maximum 10 DNS lookups. These mechanisms count:
include— 1 lookup + nested lookupsa— 1 lookupmx— 1 lookup + 1 per MX serverredirect— 1 lookupexists— 1 lookup
These don't count:
ip4/ip6— 0 lookupsall— 0 lookups
How to check: MXToolbox shows total lookups. If it says "Too many DNS lookups" or count exceeds 10, this is your problem.
Practitioner note: The lookup limit is the #1 cause of permerror I see. Agencies adding multiple ESPs don't realize that each
include:sendgrid.netcan trigger 3-4 nested lookups. You hit 10 faster than you'd expect.
Cause 2: Multiple SPF Records
You can only have one SPF record per domain. Two records starting with v=spf1 cause permerror.
Check with:
dig TXT yourdomain.com +short | grep spf1
If you see two v=spf1 records, you need to merge them.
Cause 3: Syntax Errors
Common syntax problems:
- Missing
v=spf1at the start - Spaces around colons (
include: sendgrid.netinstead ofinclude:sendgrid.net) - Typos in mechanism names (
includinstead ofinclude) - Invalid IP addresses in
ip4mechanisms
Check with: MXToolbox flags specific syntax errors.
Cause 4: Void Lookups Exceeded
SPF also has a 2 void lookup limit. A void lookup happens when a DNS query returns no records (NXDOMAIN or empty result).
Common cause: An include points to a domain that no longer exists or has no SPF record.
Cause 5: Circular References
If domain A includes domain B, and domain B includes domain A, you get an infinite loop → permerror.
This is rare but happens when people misconfigure delegation.
Fixing Each Cause
Fix for Too Many Lookups
Option 1: Remove unused includes
Audit which services actually send email. Remove includes for services you no longer use.
Option 2: Replace includes with IP addresses
If a sender uses static IPs, replace:
include:oldesp.com
with:
ip4:192.0.2.0/24
IP mechanisms don't count toward the lookup limit.
Option 3: Flatten your SPF record
SPF flattening resolves all includes to their IP addresses, eliminating nested lookups. See our SPF flattening guide.
Manual flattening example:
Before (11 lookups):
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ~all
After flattening (0 lookups):
v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ip4:167.89.0.0/17 ip4:198.2.128.0/24 ... ~all
Option 4: Use a subdomain
Move some senders to a subdomain with its own SPF record:
- marketing.yourdomain.com → marketing ESPs
- yourdomain.com → transactional only
Fix for Multiple SPF Records
Merge into one record:
Before (permerror):
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all
After (correct):
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Delete the extra TXT record in your DNS.
Fix for Syntax Errors
Missing version tag:
# Wrong
include:sendgrid.net ~all
# Correct
v=spf1 include:sendgrid.net ~all
Extra spaces:
# Wrong
v=spf1 include: sendgrid.net ~all
# Correct
v=spf1 include:sendgrid.net ~all
Typos:
# Wrong
v=spf1 includ:sendgrid.net ~all
# Correct
v=spf1 include:sendgrid.net ~all
Fix for Void Lookups
Identify which include returns no records:
dig TXT _spf.oldesp.com +short
If it returns nothing, that include is causing void lookups. Remove it or update to the correct domain.
Practitioner note: I've seen void lookup errors from ESPs that got acquired and changed their SPF domains. The old include still works for SPF pass, but triggers void lookups in the chain. Always check ESP documentation after acquisitions.
Verifying the Fix
After making changes:
- Wait for DNS propagation (15-30 minutes)
- Run MXToolbox SPF Record Lookup
- Confirm: "DNS Lookup Count: X/10" where X ≤ 10
- Confirm: No syntax errors flagged
- Send test email and check headers for
spf=pass
If you're dealing with a complex multi-sender setup causing permerror, schedule a consultation. I'll audit your SPF configuration and build a clean record that stays under the lookup limit.
Sources
- RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email
- RFC 7208 Section 4.6.4: DNS Lookup Limits
- MXToolbox: SPF Record Lookup
- dmarcian: SPF Surveyor
v1.0 · March 2026
Frequently Asked Questions
What does SPF permerror mean?
Permerror (permanent error) means the receiving server couldn't evaluate your SPF record due to a structural problem. Unlike temperror (temporary), permerror won't resolve on retry—the record itself needs fixing.
What causes SPF permerror?
Most common causes: exceeding 10 DNS lookups, having multiple SPF records, syntax errors (missing v=spf1, typos), void lookup limit exceeded (2 max), or circular references in includes.
How do I check my SPF lookup count?
Use MXToolbox SPF Record Lookup or dmarcian's SPF surveyor. They trace all includes and nested includes, showing the total lookup count. Each include can trigger multiple lookups.
How do I fix SPF permerror from too many lookups?
Reduce includes by removing unused senders, use ip4/ip6 instead of include for static IPs, or flatten your SPF record. Flattening replaces includes with resolved IP addresses.
Can I have multiple SPF records?
No. Multiple SPF records cause permerror. If you have two records starting with v=spf1, delete one and merge the includes into a single record.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.