
Fix SPF Permerror (Too Many Lookups)

SPF PermError means receivers cannot evaluate your record. Too many DNS lookups is the usual cause in 2026.

ZeroHook Team, Jun 23, 2026, ~4 min read

Your DMARC report says SPF failed. You open the TXT record. It looks fine. Gmail still folders mail. Then you run a proper SPF validation and get one word back: PermError.

A 28-person marketing team in Prague stacked Mailchimp, HubSpot, Microsoft 365, Zendesk, and a legacy newsletter tool into one SPF record in 2024. Nobody removed the old ESP when they switched. The record hit 14 DNS lookups on evaluation. Receivers did not soft-fail the mail. They treated SPF as broken. DMARC failed on the SPF leg. Complaint rate looked fine. Authentication did not.

SPF PermError is not a gentle warning. RFC 7208 says receivers should treat permerror as if they cannot determine authorization. Many mailbox providers effectively fail the message for authentication purposes. An SPF PermError caused by too many lookups is usually self-inflicted: too many includes, nested includes, or two SPF TXT records on the same domain.

What SPF PermError Actually Means

PermError vs. SoftFail vs. Fail

  • pass: IP is authorized.
  • fail: IP is not authorized (-all matched).
  • softfail: weak negative (~all).
  • permerror: the SPF record cannot be evaluated (syntax error, too many lookups, multiple records).

PermError is worse than softfail for deliverability because receivers cannot trust any result from the record. Gmail and Microsoft often pair permerror with DMARC failure even when DKIM might still pass.

The 10 lookup limit

Each of these mechanisms triggers DNS lookups during SPF evaluation: include:, a, mx, ptr, exists. Nested includes count too. If include:esp.com expands to three more includes, that is four lookups from one line.

Hard limit: 10 per RFC 7208. Exceed it and you get permerror.

Quick reference: zerohook.org/fix/spf-permerror

How to Fix SPF PermError (Step by Step)

1. Confirm you have exactly one SPF TXT record on the root domain (or the subdomain that sends mail). In Cloudflare: DNS → filter TXT → search v=spf1. Two records = permerror. Merge into one line or remove the duplicate.

2. Paste the full record into zerohook.org/spf-checker → Validate tab. Fix syntax first: must start with v=spf1, one space between mechanisms, no duplicate v=spf1 tokens, valid modifiers only.

3. Count lookups. Remove dead includes first (old ESPs, retired tools, duplicate M365/Google includes). Typical lean M365 + Mailchimp example:

   v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

   That is two includes plus the initial fetch of your own record: 3 DNS queries before nested expansion. Open each included SPF record in a lookup tool and count its nested includes.

4. If you still exceed 10: consolidate sending through fewer paths, move marketing to a dedicated subdomain with its own SPF (mail.yourdomain.com), or use SPF flattening (replaces nested includes with IP lists). Flattening needs maintenance when ESPs change IPs.

5. End production domains with -all after testing. Re-validate until the checker reports lookup count ≤ 10 and no permerror. Send a test to Gmail and check Authentication-Results for spf=pass.
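As an added example (not the ZeroHook checker's code and not from the original post), here is a small offline SPF validator in Python that applies the checks from the steps above and the 10-lookup rule from the previous section. It rejects a domain with two SPF records or a malformed term, counts every include, a, mx, ptr, exists and redirect= term toward the RFC 7208 limit of 10 (the RFC counts only these lookup-causing terms, not the initial fetch of your own record), descends into nested includes, lets you validate a candidate record before publishing it, and flattens a record into explicit ip4/ip6 terms. Everything in the ZONE dictionary is constructed for the example: none of the hostnames or addresses belongs to a real provider. Swap lookup_txt() for a real resolver to check a live domain.

```python
"""Offline SPF validator for the PermError causes described above: multiple
records, malformed terms and more than 10 DNS-querying terms, plus a simple
flattener. Constructed example data: ZONE stands in for DNS, and every
hostname in it is invented. Swap lookup_txt() for a real resolver (for
instance dnspython's resolver.resolve(name, "TXT")) to check a live domain."""
import re
from dataclasses import dataclass, field

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/redirect expansion counts too
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# groups: qualifier, name, separator, argument, optional CIDR suffix
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=])([^/]+))?((?:/\d+)*)$", re.I)

ZONE = {  # constructed records, not any real provider's
    "example.com": ["v=spf1 include:_spf.esp-one.test include:_spf.old-esp.test "
                    "include:spf.protection.outlook.test mx a -all"],
    "_spf.esp-one.test": ["v=spf1 include:_a.esp-one.test include:_b.esp-one.test ~all"],
    "_a.esp-one.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.esp-one.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.old-esp.test": ["v=spf1 include:_spf.old-esp-2.test ~all"],  # retired ESP
    "_spf.old-esp-2.test": ["v=spf1 a mx ptr ~all"],
    "spf.protection.outlook.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "mail.example.com": ["v=spf1 include:_spf.esp-one.test -all"],  # own 10-lookup budget
    "two-records.test": ["v=spf1 -all", "v=spf1 include:_spf.esp-one.test -all"],
}


def lookup_txt(domain):
    """TXT strings for `domain`, read from the constructed zone."""
    return ZONE.get(domain.lower(), [])


@dataclass
class SpfResult:
    status: str = "ok"  # "ok" or "permerror"
    reason: str = ""
    lookups: int = 0
    trail: list = field(default_factory=list)      # every counted term, in order
    addresses: list = field(default_factory=list)  # positive ip4/ip6 terms found
    kept: list = field(default_factory=list)       # a/mx/ptr/exists that cannot be flattened


def _fail(res, reason):
    res.status, res.reason = "permerror", reason


def _walk(domain, res, override=None, limit=MAX_LOOKUPS):
    """Evaluate one record, counting lookups and descending into include/redirect."""
    records = [override] if override else [r for r in lookup_txt(domain)
                                           if r.lower().split(" ")[0] == "v=spf1"]
    if len(records) != 1:
        return _fail(res, f"{domain}: {len(records)} SPF records found, exactly one is required")
    terms = records[0].split()
    if not terms or terms[0].lower() != "v=spf1":
        return _fail(res, f"{domain}: record must start with v=spf1")
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            return _fail(res, f"{domain}: malformed term {term!r}")
        qual, name, sep, arg, cidr = m.group(1), m.group(2).lower(), m.group(3), m.group(4), m.group(5)
        if name == "v":
            return _fail(res, f"{domain}: duplicate v=spf1 token")
        if sep == "=" and name != "redirect":
            continue  # exp= and unknown modifiers are legal and cost no lookup
        if sep != "=" and name not in MECHANISMS:
            return _fail(res, f"{domain}: unknown mechanism {term!r}")
        if name in ("ip4", "ip6") and qual in ("", "+"):
            res.addresses.append(term.lstrip("+"))
        if name not in LOOKUP_TERMS:
            continue
        res.lookups += 1
        res.trail.append(f"{domain}: {term}")
        if res.lookups > limit:
            return _fail(res, f"more than {limit} DNS lookups; overflow at {domain}: {term}")
        if name in ("include", "redirect"):
            if not arg:
                return _fail(res, f"{domain}: {name} without a target")
            _walk(arg, res, limit=limit)
            if res.status != "ok":
                return
        elif qual in ("", "+"):
            res.kept.append(f"{name}:{arg or domain}{cidr}")  # anchor a/mx/ptr to their own domain


def check_spf(domain, candidate=None):
    """Validate the published record of `domain`, or a `candidate` record in its place."""
    res = SpfResult()
    _walk(domain, res, candidate)
    if res.status == "ok":
        res.reason = f"{res.lookups} of {MAX_LOOKUPS} lookups used"
    return res


def flatten(domain):
    """Expand include: chains into the ip4/ip6 terms they lead to.
    a/mx/ptr/exists are kept (rewritten to name their own domain) and still cost a
    lookup each, and inner qualifiers other than '+' are dropped, so review the
    output; re-run it whenever an ESP changes addresses."""
    res = SpfResult()
    _walk(domain, res, limit=float("inf"))
    if res.status != "ok":
        raise ValueError(res.reason)
    return " ".join(["v=spf1", *dict.fromkeys(res.addresses + res.kept), "-all"])


if __name__ == "__main__":
    for dom in ("example.com", "mail.example.com", "two-records.test"):
        r = check_spf(dom)
        print(f"{dom}: {r.status} ({r.reason})")
    print("flattened:", flatten("example.com"))
```

Run as-is, the constructed example.com record overflows at its 11th counted term because the retired ESP's include drags three more includes and a, mx and ptr in with it; passing the same record without that include as a candidate brings it to 6 lookups. mail.example.com spends only 3 of its own budget, which is the subdomain point from the Pro Tip. The flattened record still carries 5 lookups, because a, mx and ptr cannot be turned into address lists without resolving them separately, and the trail shows exactly which line tipped the count, which is the first thing to look at when a new SaaS tool pushes you over.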

Pro Tip
Subdomain sending is underrated. Root domain carries corporate mail. mail.yourdomain.com carries ESP campaigns with a shorter include list. Each subdomain gets its own 10-lookup budget.

Frequently Asked Questions

Does permerror always mean too many lookups?

No. Multiple SPF TXT records, syntax errors, and malformed include: targets also trigger permerror. Lookup overflow is just the most common cause on domains that accumulated ESPs for five years without cleanup.

Will Gmail accept mail with SPF permerror if DKIM passes?

Sometimes DKIM alignment can still yield DMARC pass, but you should not rely on it. Fix SPF. We've seen transactional mail on M365 pass DKIM while marketing on a broken root SPF record dragged domain reputation down over weeks.

Is SPF flattening safe for NIS2 or SOC2 audits?

Flattening is a technical workaround, not a policy. Document who maintains the flattened record and how IP changes are reviewed. Auditors prefer a clean include list with owners over a black box flattening service nobody monitors.

Key takeaways

1. SPF PermError means the record is invalid or unevaluable, not merely unauthorized.

2. Count nested includes toward the 10 lookup cap. Dead ESP includes are low-hanging fruit.

3. One SPF TXT per domain. Merge or delete duplicates before tuning includes.

4. Validate after every DNS change. Permerror can appear the day you add one more SaaS tool.

Paste your TXT record at zerohook.org/spf-checker to see lookup count and syntax errors before you publish another include that breaks production mail.


About the author

ZeroHook Team
Security Analysts

The ZeroHook Team documents SPF and DKIM misconfigurations that still pass basic lookups but fail at Gmail and Microsoft 365.
