SPF Permerror: Too Many DNS Lookups
SPF permerror usually happens when your SPF record exceeds the maximum DNS lookup limit. Once the limit is exceeded, SPF validation fails completely and can hurt email deliverability.
What SPF permerror means
SPF permerror is a permanent SPF evaluation error. It means the receiving server encountered an invalid or unevaluable SPF policy and could not complete SPF validation.
Unlike a temporary DNS failure, permerror indicates a configuration problem on the sender's side. The RFC that defines SPF specifies a maximum number of DNS lookups allowed during evaluation. When that limit is exceeded, the receiving server must return permerror.
When SPF returns permerror, SPF authentication fails entirely. This can affect DMARC alignment and increase the likelihood of spam placement or rejection.
The SPF 10 DNS lookup limit
SPF allows a maximum of 10 DNS lookups during evaluation. The terms that count toward this limit are include, a, mx, exists, and ptr mechanisms, plus the redirect= modifier.
Nested includes count too. When an include points to an external domain, every lookup-triggering term inside that domain's SPF record also counts toward your 10 lookup budget.
Modern email setups commonly use multiple providers — for example Google Workspace, Microsoft 365, SendGrid, Mailchimp, and HubSpot — each contributing several lookups through their include mechanisms. Adding providers without auditing the total count quickly pushes records over the limit.
What causes too many DNS lookups
The most common causes of exceeding the SPF lookup limit are:
Chaining many email service providers. Each provider typically uses one or more include mechanisms, and their records may contain nested includes.
Marketing and CRM platforms. Services like Mailchimp, HubSpot, and Salesforce each add include statements that may trigger multiple lookups.
Old unused includes. When you migrate away from a provider, the old include often remains in the SPF record.
Duplicated SPF fragments. Some records accidentally include the same provider twice through different paths.
Excessive complexity. Records that evolved over years without cleanup often contain obsolete or redundant entries.
How to count SPF DNS lookups
Manually counting SPF lookups is difficult. Nested includes expand recursively, and some mechanisms trigger multiple lookups internally.
A lookup counter needs to recursively resolve every include, a, mx, exists, and ptr mechanism and every redirect= modifier, both in your record and in every record it references.
An online SPF checker is the most reliable way to measure the actual lookup count. Use MXFend's SPF Checker to detect excessive DNS lookups and permerror conditions in your SPF record.
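One way to implement such a counter, as an added example that is not code from this page or from MXFend: it walks constructed SPF records held in a dictionary instead of querying DNS, and counts the worst case in which no mechanism matches early. The .test domains, record contents and function names are assumptions made for illustration.

```python
import re

LIMIT = 10  # RFC 7208: at most 10 lookup-triggering terms per evaluation
TERM = re.compile(r"[+\-~?]?(include|a|mx|exists|ptr)(?=[:/]|$)(?::([^/]+))?", re.I)

# Constructed records standing in for DNS TXT answers (assumed, no network access).
RECORDS = {
    "example.test": "v=spf1 include:_spf.mail.test include:send.crm.test mx a -all",
    "_spf.mail.test": "v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all",
    "_nb1.mail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mail.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "send.crm.test": "v=spf1 include:_spf.mail.test exists:%{i}.bl.crm.test ip4:203.0.113.7 ~all",
    "news.mkt.test": "v=spf1 ip4:203.0.113.64/27 ~all",
}
# The same domain after one more provider is added without an audit.
AFTER = {**RECORDS, "example.test":
         "v=spf1 include:_spf.mail.test include:send.crm.test include:news.mkt.test mx a -all"}

def count_lookups(domain, records, path=()):
    """Worst-case number of lookup-triggering terms reachable from domain's record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    if domain not in records:
        raise ValueError("no SPF record published at " + domain)
    terms = records[domain].split()[1:]  # drop the v=spf1 version tag
    has_all = any(t.lstrip("+-~?").lower() == "all" for t in terms)
    total = 0
    for term in terms:
        target = None
        if term.lower().startswith("redirect="):
            if has_all:
                continue  # redirect= is ignored when the record has an all mechanism
            target = term.split("=", 1)[1]
        else:
            m = TERM.match(term)
            if not m:
                continue  # ip4, ip6 and all need no DNS query
            if m.group(1).lower() == "include":
                target = m.group(2)
        total += 1
        if target:  # include and redirect= pull in another record's terms
            total += count_lookups(target, records, path + (domain,))
    return total

def spf_status(domain, records):
    n = count_lookups(domain, records)
    return n, "permerror" if n > LIMIT else "ok"

for recs in (RECORDS, AFTER):
    print(spf_status("example.test", recs))
```

The shared provider `_spf.mail.test` is reached through two paths and is charged twice, which is why the first record already sits at the limit before the extra include is added.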
How to fix SPF permerror
Start by auditing which services actually need to send email on your domain's behalf. Remove include statements for providers you no longer use.
Consolidate where possible. If two providers share a sending range, check whether a single include covers both.
Avoid duplicate includes. Two paths that eventually include the same provider both count toward the limit.
Consider SPF flattening for records that legitimately need many providers. Flattening replaces include mechanisms with explicit IP addresses, which do not count as DNS lookups.
Monitor lookup count after every change. Adding a new provider without auditing can push you back over the limit.
SPF flattening explained
SPF flattening replaces include mechanisms with the raw IP addresses those includes resolve to. For example, instead of include:_spf.google.com, a flattened record lists the actual Google Workspace sending IPs as ip4: entries.
Flattened records have few or no DNS lookups and cannot exceed the 10 lookup limit. However, they come with a significant maintenance burden: when a provider changes their sending IPs, your flattened record becomes stale and SPF may fail for legitimate senders.
If you use SPF flattening, automate the process and monitor it regularly. Manual flattening without ongoing maintenance is risky.
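A drift check for a flattened record, as an added example rather than code from this page: it re-expands the provider's include tree and compares the result with the record you published. The records are constructed, the function names are assumptions, and only include, ip4 and ip6 terms are handled (a or mx terms inside a provider record would need real DNS resolution).

```python
# Constructed provider records standing in for current DNS TXT answers (assumed).
PROVIDER = {
    "_spf.mail.test": "v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all",
    "_nb1.mail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mail.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}
# Constructed flattened record, published when the provider still sent from 203.0.113.0/24.
FLATTENED = "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

def ip_terms(record):
    """The ip4:/ip6: terms of one record, lower-cased for comparison."""
    return {t.lower() for t in record.split() if t.lower().startswith(("ip4:", "ip6:"))}

def flatten(domain, records, seen=None):
    """All ip4:/ip6: terms reachable from domain through include mechanisms."""
    seen = set() if seen is None else seen
    if domain in seen:
        return set()  # already expanded; also stops include loops
    seen.add(domain)
    ips = ip_terms(records[domain])
    for term in records[domain].split()[1:]:
        if term.lower().startswith("include:"):
            ips |= flatten(term[len("include:"):], records, seen)
    return ips

def drift(flat_record, include_domain, records):
    """Return (missing, obsolete) between the published record and the provider today."""
    published, current = ip_terms(flat_record), flatten(include_domain, records)
    missing = sorted(current - published)    # legitimate senders that now fail SPF
    obsolete = sorted(published - current)   # ranges still authorised but no longer used
    return missing, obsolete

def flattened_record(include_domain, records, policy="-all"):
    """Rebuild the flattened record from the provider's current ranges."""
    return " ".join(["v=spf1", *sorted(flatten(include_domain, records)), policy])

missing, obsolete = drift(FLATTENED, "_spf.mail.test", PROVIDER)
print("missing:", missing, "obsolete:", obsolete)
print(flattened_record("_spf.mail.test", PROVIDER))
```

Run on a schedule, a non-empty `missing` list means the flattened record must be republished, and a non-empty `obsolete` list means the record still authorises address space the provider has given up.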
Can SPF permerror break DMARC?
Yes. DMARC passes when at least one of SPF or DKIM passes with alignment. If SPF returns permerror, SPF cannot satisfy the alignment requirement, so DMARC must rely entirely on DKIM.
If DKIM is correctly configured and passes with alignment, DMARC can still pass even when SPF returns permerror. This is why configuring DKIM alongside SPF is important: it provides a fallback for DMARC alignment when SPF fails or breaks during forwarding.
Domains that rely solely on SPF for DMARC alignment are vulnerable to permerror causing DMARC failures.
How to check SPF permerror
Use MXFend's SPF Checker to analyse your SPF record. The checker detects permerror conditions, counts DNS lookups, identifies dangerous all mechanisms such as +all, flags duplicate SPF records, and reports invalid syntax.
Run the MXFend Email Security Score for a complete audit covering SPF, DMARC, DKIM, blacklists, SMTP TLS, and more.
Best practices for SPF maintenance
Audit your SPF record periodically, not only when problems occur. Remove any senders you no longer use.
After migrating to a new email provider, remove the old provider's include immediately.
Monitor your SPF record after adding new services. A single new include with nested lookups can push you over the limit.
Combine SPF with DKIM and DMARC. This ensures email authentication remains robust even if SPF runs into lookup limit issues.
Keep SPF records as simple as possible. Complexity is the primary source of permerror and maintenance problems.
Frequently asked questions
What is SPF permerror?
SPF permerror is a permanent SPF evaluation error caused by invalid SPF syntax or exceeding the DNS lookup limit.
How many DNS lookups are allowed in SPF?
SPF allows a maximum of 10 DNS lookups during evaluation, including nested includes and redirects.
Can SPF permerror cause emails to go to spam?
Yes. SPF permerror can reduce sender trust, break DMARC alignment, and increase the likelihood of spam placement or rejection.
What is SPF flattening?
SPF flattening replaces include statements with raw IP addresses to reduce DNS lookups, but requires ongoing maintenance to stay accurate.