
What Does SPF Permerror Mean? (And How to Fix It)

SPF permerror means your record has a permanent error. Learn the common causes—syntax errors, too many lookups—and fixes.

Published November 28, 2025

SPF permerror means your SPF record has a permanent, unrecoverable error. When mail servers encounter a permerror, they can’t evaluate your SPF record at all—it’s treated as if no SPF exists. This breaks authentication and can hurt your email deliverability.

Unlike temperror (a temporary DNS issue), permerror indicates something fundamentally wrong with your SPF configuration that won’t fix itself.

Common Causes of SPF Permerror

1. Too Many DNS Lookups

The most common cause. SPF allows a maximum of 10 DNS lookups. Exceed it, and you get permerror.

These mechanisms count toward the limit:

  • include: (each one is at least 1 lookup)
  • a:
  • mx:
  • ptr: (avoid this entirely)
  • redirect=

These don’t count:

  • ip4:
  • ip6:
  • all

Check your count. If you’re over 10, see our guide on The SPF 10 DNS Lookup Limit.

2. Syntax Errors

SPF records have strict syntax. Common mistakes:

# Wrong: space after the colon
v=spf1 include: _spf.google.com -all

# Wrong: missing space between mechanisms
v=spf1 include:_spf.google.cominclude:sendgrid.net -all

# Wrong: typo in mechanism
v=spf1 inlcude:_spf.google.com -all

# Correct
v=spf1 include:_spf.google.com include:sendgrid.net -all
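The three mistakes above can be caught before publishing with a small term-by-term check. This is an added example, not code from the original post; `lint_spf` and its messages are hypothetical names, and the colon test for run-together terms is a heuristic.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_VALUE = {"include", "ip4", "ip6", "exists", "redirect", "exp"}
# [qualifier] name [ ":" | "=" | "/" value ]
TERM = re.compile(r"[+\-~?]?([A-Za-z][A-Za-z0-9_.\-]*)(?:([:=/])(.*))?")

def lint_spf(record):
    """Return a list of syntax problems in one SPF TXT string ([] if none)."""
    terms = record.split(" ")
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems = []
    for term in terms[1:]:
        m = TERM.fullmatch(term)
        if not term:
            problems.append("empty term: doubled or trailing space")
        elif not m:
            problems.append(f"{term!r}: not a mechanism or modifier")
        else:
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep != "=" and name not in MECHANISMS:
                problems.append(f"{term!r}: unknown mechanism {name!r}")
            elif name in NEEDS_VALUE and not value:
                problems.append(f"{term!r}: {name} needs a value")
            elif name == "include" and ":" in value:
                # Heuristic: a colon in an include target usually means
                # two terms were pasted together without a space.
                problems.append(f"{term!r}: two terms run together?")
    return problems

# The four records shown in the section above.
SAMPLES = [
    "v=spf1 include: _spf.google.com -all",
    "v=spf1 include:_spf.google.cominclude:sendgrid.net -all",
    "v=spf1 inlcude:_spf.google.com -all",
    "v=spf1 include:_spf.google.com include:sendgrid.net -all",
]
for sample in SAMPLES:
    print(sample, "->", lint_spf(sample) or "ok")
```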

3. Multiple SPF Records

You can only have one SPF record per domain. Two records = permerror.

dig txt yourdomain.com

If you see two lines starting with v=spf1, that’s the problem. Merge them into one record.

4. Missing Included Domain

If your SPF includes a domain that doesn’t have an SPF record, that’s a permerror:

v=spf1 include:nonexistent.example.com -all

The included domain must have a valid SPF record of its own.

5. Infinite Loop

If domain A includes domain B, and domain B includes domain A, you get a loop and permerror. This is rare but happens with complex configurations.

How to Diagnose SPF Permerror

Step 1: Check the Raw Record

dig txt yourdomain.com

Look for obvious issues:

  • Multiple v=spf1 records
  • Typos in mechanism names
  • Strange characters or formatting

Step 2: Count DNS Lookups

Manually trace each include: and count lookups, or use an online SPF checker that shows the count.

Step 3: Verify Included Domains

For each include: in your record, verify the target domain has a valid SPF:

dig txt _spf.google.com
dig txt sendgrid.net

If any return empty or invalid, that’s your problem.

Step 4: Use an SPF Validator

Online tools will parse your record and identify specific errors. They’re faster than manual debugging.
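Steps 1 to 3 can be scripted. The sketch below is an added example, not code from the original post: it walks a constructed in-memory zone (all `.test` names are made up) instead of live DNS, counts every lookup term as if it were evaluated, and reports multiple records, missing included domains, and loops. It also counts `exists`, which RFC 7208 includes in the limit alongside the mechanisms listed earlier.

```python
# Constructed TXT data standing in for live DNS; every name below is made up.
ZONE = {
    "ok.test": ["v=spf1 include:_spf.esp.test mx ip4:192.0.2.10 -all", "site-verification=x"],
    "_spf.esp.test": ["v=spf1 include:n1.esp.test include:n2.esp.test ~all"],
    "n1.esp.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "n2.esp.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "many.test": ["v=spf1 a mx include:_spf.esp.test include:ok.test include:n1.esp.test -all"],
    "dup.test": ["v=spf1 include:_spf.esp.test -all", "v=spf1 mx -all"],
    "gone.test": ["v=spf1 include:missing.esp.test -all"],
    "loop-a.test": ["v=spf1 include:loop-b.test -all"],
    "loop-b.test": ["v=spf1 include:loop-a.test -all"],
}
# Terms that cost a lookup. The page lists five; RFC 7208 also counts exists.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (other TXT data is ignored)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def audit(domain, zone, chain=()):
    """Return (lookups, problems), counting every term as if it were evaluated."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        found = f"{len(records)} SPF records" if records else "no SPF record"
        return 0, [f"{domain}: {found}"]
    count, problems = 0, []
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        name, _, target = term.partition("=" if term.startswith("redirect=") else ":")
        name = name.split("/")[0]  # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue
        count += 1
        if name in ("include", "redirect"):
            if target in chain + (domain,):
                problems.append(f"{domain}: loop via {target}")
                continue
            sub_count, sub_problems = audit(target, zone, chain + (domain,))
            count += sub_count
            problems += sub_problems
    return count, problems

def check(domain, zone=ZONE):
    """Audit `domain` and add a problem if the total exceeds the lookup limit."""
    count, problems = audit(domain, zone)
    if count > LIMIT:
        problems.append(f"{domain}: {count} lookups, limit is {LIMIT}")
    return count, problems
```

Calling `check("many.test")` shows how nested includes push a record that looks short over the limit: five visible terms expand to 11 lookups.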

Fixing SPF Permerror

Fix for Too Many Lookups

Options:

  1. Remove unused includes (old services you don’t use)
  2. Replace includes with ip4: addresses (if IPs are stable)
  3. Use SPF flattening (resolves includes to IPs automatically)
  4. Consolidate sending services

Fix for Syntax Errors

Rebuild the record carefully:

v=spf1 [mechanisms] [all]

Each mechanism separated by a single space. No trailing spaces. No quotes around the value in DNS.

Fix for Multiple Records

Merge into one:

# Instead of two records:
v=spf1 include:_spf.google.com -all
v=spf1 include:sendgrid.net -all

# One combined record:
v=spf1 include:_spf.google.com include:sendgrid.net -all

Fix for Missing Included Domain

Either:

  • Remove the include if you don’t need it
  • Contact the service to get the correct SPF include
  • Replace with direct IP addresses

Permerror vs Temperror vs Softfail

| Result | Meaning | Action |
|---|---|---|
| permerror | Permanent config error | Fix your SPF record |
| temperror | Temporary DNS issue | Usually resolves itself |
| softfail (~all) | SPF passed but not authorized | Mail delivered, marked suspicious |
| fail (-all) | SPF check failed | Mail may be rejected |

Permerror is a configuration problem on your end. Temperror is usually a DNS infrastructure issue that resolves automatically.

Impact on DMARC

When SPF returns permerror:

  • SPF result is “none” (not pass, not fail)
  • DMARC can’t use SPF for alignment
  • You must rely entirely on DKIM for DMARC to pass

If DKIM also fails, DMARC fails. This is why permerror is urgent to fix—it removes one of your two authentication paths.

Preventing Future Permerrors

  1. Test before publishing — Use an SPF validator before updating DNS
  2. Track your lookup count — Know your current count before adding services
  3. Document changes — Keep a record of what each include is for
  4. Monitor regularly — Verkh alerts you to SPF issues before they become permerrors

For the complete guide to SPF issues, see our SPF Troubleshooting Guide.


Verkh monitors your SPF record continuously and alerts you to permerrors and other issues before they affect delivery. Check your SPF status at verkh.io.
