
What is SPF Permerror and How to Fix It

What is SPF Permerror?

An SPF Permerror is a permanent error in your SPF record, meaning there’s something wrong with it that stops it from working.

A Permerror result is returned by receiving mail servers when your SPF record has a critical issue that makes it impossible to evaluate, such as incorrect syntax, too many DNS lookups (over the limit of 10), or invalid mechanisms. Unlike a regular SPF “fail” (which means an email didn’t pass authentication), a Permerror indicates that the SPF record itself is broken or misconfigured. This not only affects deliverability but can also weaken your DMARC protection if SPF is the only mechanism you’re using to align your email.

Key Differences: SPF Fail Vs SPF Permerror

|  | SPF Fail | SPF Permerror |
| --- | --- | --- |
| What it means | The SPF record was found and evaluated, but the sender is not authorized | The SPF record could not be evaluated due to an error or misconfiguration |
| Cause | Sender IP not listed in the domain’s SPF record | Broken SPF syntax, too many DNS lookups, or other critical issues |
| Issue Type | Temporary issue (email not authorized) | Permanent error (SPF record is invalid or unreadable) |
| Impact | Email may likely be rejected or marked as spam | Email may be rejected or pass through without SPF validation |
| DMARC alignment | Can cause DMARC fail if SPF is not aligned | Can break DMARC, especially if SPF is your only aligned mechanism |
| Fix | Go through your sender list to authorize legitimate senders | Requires fixing the SPF record to restore functionality |

What Causes SPF Permerror?

An SPF Permerror can be triggered by several issues, including excessive DNS lookups, syntax errors, misconfigured records, or even overly large SPF entries. Let’s break down the most common causes:

1. SPF Syntax Errors

Incorrect formatting or invalid syntax in the SPF record can lead to a Permerror, preventing proper evaluation.

Common causes:

  • Missing or misplaced characters (e.g., quotes " or colons :)
  • Invalid or malformed mechanisms or qualifiers (e.g., using include_spf.example.com instead of include:spf.example.com)
  • Incorrect macro definitions or unsupported macros
     

Examples:

❌ v=spf1 include_spf.example.com -all → missing colon in include

❌ v=spf1 +mx a:mail.example.com -all → + qualifier is unnecessary and often misused

2. DNS Configuration Issues

These involve problems with the DNS setup related to your SPF record.

Common issues:

  • SPF record pointing to non-existent or misconfigured domains
  • Missing SPF records on referenced domains
  • Invalid or deprecated DNS record types (e.g., using SPF-type records instead of TXT)
     

Example:

Your domain references include:spf.partner.com, but spf.partner.com doesn’t exist or lacks a TXT record, leading to SPF evaluation failure.

3. Too Many DNS Lookups

SPF allows only 10 DNS lookups during record evaluation, as defined in RFC 7208, Section 4.6.4. This is a security measure to prevent abuse (e.g., Denial-of-Service attacks) and keep evaluations lightweight.

What counts as a lookup:

  • include
  • a, mx, ptr
  • exists, redirect
     

Void lookups (queries that return no DNS data) are also limited to 2.

Common cause:

An SPF record with many include: mechanisms or nested includes that collectively exceed the 10-lookup limit.

4. Circular Includes

Circular includes occur when SPF records refer back to each other in a loop, creating infinite resolution cycles.

Example:

  • Domain A: v=spf1 include:domainB.com -all
  • Domain B: v=spf1 include:domainA.com -all

This circular reference causes SPF evaluation to fail, often resulting in a Permerror.
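
The lookup limit, the circular include, and the missing include target from cause 2 can all be checked before a record is published. The following is an added example, not part of the original course: it walks include and redirect chains over a constructed in-memory zone (hypothetical domains, no live DNS) and counts the worst case, assuming every term is reached, whereas a real receiver stops at the first matching mechanism.

```python
LOOKUP_LIMIT = 10  # RFC 7208, Section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT answers for hypothetical domains; stands in for live DNS.
ZONE = {
    "ok.example": "v=spf1 mx include:_spf.esp.example ip4:192.0.2.0/24 -all",
    "_spf.esp.example": "v=spf1 a:out.esp.example -all",
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
    "dangling.example": "v=spf1 include:gone.example -all",
    "heavy.example": "v=spf1 "
    + " ".join("include:s%d.example" % i for i in range(11)) + " -all",
}
ZONE.update({"s%d.example" % i: "v=spf1 ip4:198.51.100.%d -all" % i
             for i in range(11)})


class PermError(Exception):
    """Raised where a receiver would return permerror."""


def count_lookups(domain, zone, chain=(), used=0):
    """Worst-case count: assumes every term is reached during evaluation."""
    if domain in chain:
        raise PermError("circular include: " + " -> ".join(chain + (domain,)))
    record = zone.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        raise PermError("no SPF record at " + domain)
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")
        sep = "=" if body.startswith("redirect=") else ":"
        name, _, arg = body.partition(sep)
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue
        used += 1
        if used > LOOKUP_LIMIT:
            raise PermError("more than %d DNS lookups" % LOOKUP_LIMIT)
        if name in ("include", "redirect"):
            used = count_lookups(arg, zone, chain + (domain,), used)
    return used


def check(domain, zone=ZONE):
    try:
        return ("ok", count_lookups(domain, zone))
    except PermError as exc:
        return ("permerror", str(exc))
```

To audit a real domain, replace ZONE with a mapping built from your own TXT answers; records that contain only ip4: or ip6: terms count as zero lookups.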

5. Invalid Mechanisms or Qualifiers

Using unrecognized or deprecated mechanisms in your SPF record can result in a Permerror.

Common mistakes:

  • Typos like ip6v instead of ip6
  • Unsupported mechanisms such as all:, ptr: used incorrectly
  • Using + or ? qualifiers unnecessarily or incorrectly
     

Examples:

❌ v=spf1 ptr:mail.example.com -all → discouraged mechanism

❌ v=spf1 ip4v:192.0.2.0/24 -all → invalid mechanism (ip4v should be ip4)

6. Oversized SPF Records

SPF records must adhere to size limitations:

  • Each string in a TXT record must be ≤ 255 characters
  • Total TXT record length should not exceed 512 bytes
     

Causes of oversized records:

  • Too many IPs, includes, or mechanisms
  • Duplicated or unnecessary entries

Example:

A record like v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:spf1.example.com include:spf2.example.com include:spf3.example.com include:spf4.example.com -all may exceed DNS limits or size constraints.
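
The syntax, mechanism, and size checks from causes 1, 5, and 6 can be run as a lint step before a record goes into DNS. The following is an added example, not part of the original course; lint_spf is a hypothetical helper that takes the TXT record as its list of quoted strings and uses the size limits stated above.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"^[+\-~?]?([^:/=]+)(.*)$")


def lint_spf(strings):
    """Lint one TXT record given as its list of character-strings."""
    problems = []
    for i, s in enumerate(strings):
        if len(s.encode()) > 255:
            problems.append("string %d is longer than 255 bytes" % i)
    record = "".join(strings)  # strings are joined with no separator added
    if len(record.encode()) > 512:
        problems.append("record is longer than 512 bytes")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return problems + ["record does not start with v=spf1"]
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            problems.append("malformed term %r" % term)
            continue
        name, rest = m.group(1).lower(), m.group(2)
        if rest.startswith("="):
            continue  # modifier (redirect=, exp=); unknown modifiers are ignored
        if name not in MECHANISMS:
            problems.append("unknown mechanism %r" % name)
        elif name == "all" and rest:
            problems.append("all takes no argument: %r" % term)
        elif name in ("include", "exists") and (len(rest) < 2 or rest[0] != ":"):
            problems.append("%s needs a domain: %r" % (name, term))
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(rest[1:], strict=False)
                if net.version != int(name[2]):
                    raise ValueError
            except ValueError:
                problems.append("bad %s network: %r" % (name, term))
    return problems
```

An empty list means none of these checks fired; it does not cover lookup counts, which depend on the records the includes point to.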

How SPF Lookup Overload Breaks Your Emails

When your SPF record triggers more than 10 DNS lookups, it can seriously disrupt your email delivery. Here’s what can happen:

  • Delivery delays: Email servers may slow down processing while trying to evaluate your SPF record, causing delivery delays. 
  • Timeout errors: Too many lookups can lead to timeouts during SPF evaluation, causing messages to fail silently or get dropped.
  • Rejected emails: Some receiving servers may outright reject or flag emails with SPF Permerror to protect their infrastructure.
  • DMARC fails: If your DMARC policy relies on SPF alignment, a failed SPF check can break DMARC and reduce your domain’s trustworthiness.

How to Fix SPF Permerror (Step-by-Step)

 

Manual Fixes

  • Remove Unused include Mechanisms

Go through each include: in your SPF record and check if it’s still necessary. If it’s linked to a service you no longer use, remove it.

  • Replace include with IP Addresses (if static)

If an include: just points to a static IP or small IP range, replace it directly with an ip4: or ip6: mechanism to avoid a DNS lookup.

  • Eliminate PTR Mechanisms

PTR is discouraged by RFC 7208 due to performance and reliability concerns. Remove it entirely to reduce lookups and avoid errors.

  • Consolidate include Domains

Some services (e.g., email platforms or providers) offer multiple SPF entries. Check their documentation, as often they provide a single consolidated include you can use instead of multiple ones.

  • Use ip4 / ip6 Where Possible

If you know the IPs of your sending servers, add them directly using ip4: or ip6: instead of relying on mechanisms like MX or A that consume lookups.


Automatic Fixes

There are two ways to optimize your SPF record automatically:

  1. Automatic SPF Flattening Tools 
  2. SPF Macros Optimization

We will discuss both in detail in the next section.  

 