Troubleshooting • Last Updated 6th April 2026 3 min read

How to Fix SPF PermError

A practical guide to fixing SPF PermError, including multiple SPF records, too many DNS lookups, syntax mistakes, and broken includes or redirects.

What SPF PermError means

SPF PermError means the SPF policy is permanently invalid from the receiver's point of view. This is different from a temporary DNS issue. A PermError usually means the record itself is malformed, ambiguous, or too complex to evaluate safely.

When SPF returns PermError, the domain may lose the benefit of SPF entirely and can run into delivery or DMARC alignment problems.

First check for multiple SPF records

One of the most common causes of SPF PermError is publishing more than one SPF TXT record for the same domain. This often happens during provider migrations when old and new policies are both left in place.

The fix is to consolidate the intended authorisations into one valid SPF policy rather than leaving several separate SPF records published.

Count recursive DNS lookups

SPF evaluation has a hard limit of 10 DNS lookups. Includes, redirects, mx, a, and some other mechanisms can all contribute to that total.

If the effective policy goes beyond that limit, many receivers will return SPF PermError. This is especially common when several third-party services are authorised at once.

Look for syntax mistakes and broken mechanisms

  • Missing spaces between mechanisms
  • Malformed include or redirect values
  • Typos in mechanism names
  • Invalid qualifiers or unsupported formatting
  • Broken references to domains that no longer publish valid SPF

Even a small formatting mistake can make the entire policy invalid. That is why checking how the policy actually parses matters more than only reading the raw TXT value.

Reduce unnecessary includes

SPF records tend to accumulate old includes over time. If the domain no longer uses a marketing platform, CRM, or help desk tool, its include should usually be removed from the SPF policy.

Cleaning up old includes often solves lookup limit problems and also reduces the risk of authorising services that should no longer send on behalf of the domain.

When SPF flattening may help

If the domain genuinely needs several third-party senders and lookup count is the main issue, SPF flattening can sometimes reduce the recursive lookup burden by resolving includes into direct IP entries.

Flattening is not always the right long-term answer because provider IP ranges can change, but it can be useful when carefully maintained.

A practical SPF PermError fix workflow

  • Query TXT records and confirm there is only one SPF record
  • Parse the policy and follow all includes and redirects
  • Count recursive DNS lookups
  • Remove unused services and duplicate authorisations
  • Fix syntax mistakes or broken references
  • Re-test the effective policy and then verify against real message headers
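
The first three workflow steps as an added Python sketch, not code from this page or its tools. It rejects duplicate SPF records, follows includes and redirects, and counts the worst-case DNS lookups (every term evaluated) against the limit of 10. The `ZONE` table is constructed sample data standing in for live TXT answers, and the names `audit` and `would_permerror` are hypothetical.

```python
import re

MAX_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
OTHER_TERMS = {"all", "ip4", "ip6", "exp"}
TERM = re.compile(r"^[+\-~?]?([a-z][a-z0-9_.-]*)(?:([:=/])(.*))?$", re.I)

# Constructed TXT answers standing in for live DNS; every name here is made up.
ZONE = {
    "example.com": ["v=spf1 mx include:_spf.mail.example include:crm.example ~all"],
    "_spf.mail.example": ["v=spf1 ip4:192.0.2.0/24 include:_net.mail.example -all"],
    "_net.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "crm.example": ["v=spf1 a mx exists:%{i}.bl.crm.example -all"],
    "heavy.example": ["v=spf1 a mx include:example.com include:crm.example -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mail.example -all"],
    "typo.example": ["site-verification=abc", "v=spf1 inlcude:_spf.mail.example -all"],
}

def audit(domain, zone, path=()):
    """Walk the effective policy; return (dns_lookups, problems)."""
    if domain in path:
        return 0, [f"{domain}: include/redirect loop"]
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{domain}: {len(records)} SPF records, expected exactly 1"]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        name = m.group(1).lower() if m else ""
        if m and m.group(2) == "=" and name not in ("redirect", "exp"):
            continue  # unknown modifier: receivers ignore these
        if name not in LOOKUP_TERMS | OTHER_TERMS:
            problems.append(f"{domain}: unrecognised term {term!r}")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            if not m.group(3):
                problems.append(f"{domain}: {name} has no target")
                continue
            sub = audit(m.group(3), zone, path + (domain,))
            lookups, problems = lookups + sub[0], problems + sub[1]
    return lookups, problems

def would_permerror(domain, zone=ZONE):
    lookups, problems = audit(domain, zone)
    return lookups > MAX_LOOKUPS or bool(problems)
```

Replace `ZONE` with TXT answers collected from your resolver to audit a real domain; the count is an upper bound, since a receiver stops evaluating at the first matching mechanism.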
