Critical Severity | SPF

Fix: SPF PermError

Your SPF record has a permanent error that prevents it from being evaluated. This can be caused by syntax errors, exceeding the 10 DNS lookup limit, multiple SPF records, or invalid mechanisms.

Quick Fix

Fix the error in your SPF record: missing spaces, invalid mechanisms, or exceeding the 10-lookup limit.

What This Error Means

A PermError is a permanent, unrecoverable failure in SPF evaluation. Unlike a TempError (which may succeed on retry), a PermError means the SPF record is fundamentally broken and cannot be processed. The receiving server treats the SPF result as a failure.

Why It Matters

With a PermError, SPF authentication fails for every single email from your domain. This means DMARC SPF alignment always fails, and your emails are far more likely to be rejected or sent to spam. It is worse than having no SPF record.

Step-by-Step Fix

1. Retrieve and inspect your SPF record

Pull your SPF record and look for obvious syntax issues.

Example
dig +short TXT yourdomain.com | grep "v=spf1"

2. Check for common syntax errors

Look for these frequent mistakes: missing space between mechanisms, invalid IP format, typos in mechanism names, missing v=spf1 prefix.

Before
v=spf1include:_spf.google.com ip4:192.168.1.0 ~all
After
v=spf1 include:_spf.google.com ip4:192.168.1.0/24 ~all

3. Fix the specific error

Address the root cause: merge duplicate records, reduce lookups below 10, fix invalid mechanisms, or correct IP notation.

Before
v=spf1 include:_spf.google.com inlcude:sendgrid.net ip4:10.0.0.1 ~all
After
v=spf1 include:_spf.google.com include:sendgrid.net ip4:10.0.0.1/32 ~all

4. Test the corrected record

Validate that the record parses without errors, then send a test email and check the Authentication-Results header for spf=pass.

Example
# Send a test email, then check the headers for:
# Authentication-Results: ... spf=pass (sender IP is ...) ...
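
The checks from steps 1 to 3 as an offline linter (an added example, not this site's scanner or code from the original page). `lint_spf` is a hypothetical helper that takes the TXT strings returned by the dig command and reports the PermError causes it can see without making DNS queries; it does not follow include targets, so nested lookups and broken included records still need a full validator.

```python
import ipaddress
import re

# Terms from RFC 7208. Each LOOKUP_TERMS entry costs one DNS lookup at evaluation time.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}
IP_CLASSES = {"ip4": ipaddress.IPv4Network, "ip6": ipaddress.IPv6Network}


def lint_spf(txt_records):
    """Return the PermError causes visible in a domain's TXT strings (no DNS queries)."""
    records = [r.strip('"') for r in txt_records]  # dig +short wraps values in quotes
    candidates = [r for r in records if r.lower().startswith("v=spf1")]
    spf = [r for r in candidates if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["text after v=spf1 is not separated by a space"] if candidates else ["no SPF record found"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published, merge them into one"]
    problems, lookups = [], 0
    for term in spf[0].split()[1:]:
        body = term[1:] if term[0] in "+-~?" else term  # drop the qualifier
        name, sep, value = re.match(r"([^:=/]*)([:=/]?)(.*)", body).groups()
        name = name.lower()
        if name not in KNOWN_TERMS:
            if sep != "=":  # unknown name=value modifiers are ignored, not errors
                problems.append(f"unknown mechanism '{name}'")
            continue
        if name in IP_CLASSES:
            try:
                IP_CLASSES[name](value, strict=False)  # bare address means /32 or /128
            except ValueError:
                problems.append(f"invalid {name} network '{value}'")
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:  # top-level count only; included records add their own lookups
        problems.append(f"{lookups} DNS-lookup terms in this record alone (limit is 10)")
    return problems


if __name__ == "__main__":
    # Constructed sample input: the "Before" and "After" records from the steps above.
    for rec in ("v=spf1include:_spf.google.com ip4:192.168.1.0 ~all",
                "v=spf1 include:_spf.google.com inlcude:sendgrid.net ip4:10.0.0.1 ~all",
                "v=spf1 include:_spf.google.com include:sendgrid.net ip4:10.0.0.1/32 ~all"):
        print(rec, "->", lint_spf([rec]) or "no errors found")
```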

Common Gotchas

  • A PermError can be triggered by nested issues — your record might look fine, but an included domain could have its own broken SPF record.
  • The "ptr" mechanism is deprecated and some receivers treat it as a PermError. Avoid using ptr in SPF records.
  • Some DNS providers silently truncate long TXT records, which can corrupt SPF syntax.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

What is the difference between PermError and TempError in SPF?

A PermError is permanent and means the SPF record itself is broken (syntax error, too many lookups, etc.). A TempError is transient, usually caused by DNS timeouts, and may succeed on retry. PermError always fails; TempError might succeed later.

Can a PermError be caused by an include target?

Yes. If a domain you include via the include mechanism has its own broken SPF record, the PermError propagates up to your record. Check the SPF records of all included domains.

How do I know what specifically caused the PermError?

Use an online SPF validation tool or check DMARC aggregate reports. They will typically specify whether the error is due to syntax issues, too many lookups, or a void lookup limit.
