SPF Permerror and SPF Temperror – How To Quickly Fix Your SPF Errors

SPF permerror is a crucial and most common one among such errors.

Are you reading this because you have increased your SPF include limit?
Do you need to immediately fix all your SPF your errors automatically?
Our Auto SPF solution will resolve all your SPF problems in less than 10 minutes.

The Most Common SPF Errors

DMARC (Domain-based Message Authentication, Reporting, and Conformance) identifies and categorizes the possible SPF fails. Here are some of the SPF non-pass errors.

  • none: Unable to resolve domain name or find SPF record in the domain
  • neutral: The domain does not explicitly state that the IP address is authorized
  • fail (hard fail): The client is not allowed to use the domain
  • fail (soft fail): The host is probably not authorized
  • temperror (Temporary error): SPF encountered a transient error like DNS timeout
  • permerror (Permanent error): Inability to correctly interpret the domain’s published records.


What Is SPF PermError?

SPF permerror or ‘SPF Permanent Error’ is one of the common SPF errors that call for immediate resolution for emails to have higher deliverability. It signifies that DMARC could not correctly interpret the domain’s published records, and signals an error condition that requires immediate DNS intervention to be resolved. SPF permerror can occur because of any of the following reasons.

  • If there are multiple SPF records on one domain
  • If the SPF record has a syntax error
  • If an SPF checking process lists out more than 10 DNS lookups

The most common SPF permerror is related to the third parameter, i.e., ‘too many DNS lookups.’ Let us understand what it means.


What Is SPF Permerror – Too Many DNS Lookups?

Limiting the number of DNS lookups is one of the significant safeguards put in place with SPF to avoid timeout issues. As a rule, SPF evaluates a maximum of 10 DNS mechanism lookups in an SPF record. These mechanisms include a, mx, ptr, exists, include, and redirect. If the DNS lookups exceed 10, it raises an SPF permerror. If you encounter an SPF permerror, you would have to remove some of the current mechanisms/lookups.


spf record check


How Do You Avoid Encountering The Error Of 10 DNS Lookup Limit?

There are numerous ways to avoid SPF permerror – too many DNS lookups, as listed below.

Avoid unnecessary ‘include’ statements

The role of the include statement in an SPF record is to redirect DNS lookup to another domain’s SPF record for verifying any of their authorized IPs. The number of include statements in the original SPF record or the redirected ones should not exceed 10.

Use of ip4 and ip6 mechanisms

Replace the include statement with ip4 and ip6 mechanisms if possible. They are used to list a static IP range in the SPF record. It eliminates the necessity of an include statement that references another domain’s SPF record.

Remove mechanisms referring to the same domain

Removing mechanisms that refer to the same domain can avoid unnecessary DNS lookups.

Avoid ptr mechanisms

SPF recommendations caution against the use of the ptr mechanism in an SPF record. This DNS record links an IP address to a domain. Avoiding the ptr mechanism is better because it can result in a large number of DNS lookups.

Removal of legacy partner and vendor domains

One must remove all include statements that redirect SPF record check to vendors or partners who do not send emails on their behalf. Such removal eliminates unnecessary DNS lookups.

One should reference actively sending domains

One should ensure that the referenced domains are active ones. Otherwise, should consider removing them.

Perform SPF record checks

A robust SPF record checking tool can also help you diagnose whether your SPF record is over the 10-lookup limit.

We have seen the concept of SPF permerror and learned how to resolve the ‘too many DNS lookups’ issue. Let us now consider the difference between SPF temperror and SPF permerror.


SPF TempError vs. PermError

SPF temperror is a temporary error that usually doesn’t require much user intervention to solve. It usually goes away by itself. It can occur during the SPF verification process. An error like a DNS timeout is an example of an SPF temperror, whereas more than 10 DNS lookups can result in SPF permerror. If you don’t encounter SPF temperror from multiple mailboxes, you can conclude there are no DNS configuration problems with your domain and SPF record.

Email deliverability is crucial to maintain customer trust and business reputation. Errors in SPF authentication can fail to deliver emails, leading to business communication issues. As discussed above, SPF permerror is one of the crucial SPF errors that require immediate attention. Resolving such errors in time can help in having better SPF authentication, and resultantly better email deliverability.

Join the thousands of organizations that use DuoCircle

Find out how affordable it is for your organization today and be pleasantly surprised.

Interested in our Partner Program for MSPs and VARs? Visit Our MSP Partner Program.

Pin It on Pinterest