SPF PermError — permanent error
SPF PermError means receiving servers treat your SPF record as invalid — usually a syntax error, too many DNS lookups (over 10), or a malformed include chain. Receiving servers may fail SPF entirely, which hurts deliverability and DMARC alignment.
Quick fix (3 steps)
- 1
Paste your TXT record into the SPF checker and fix syntax errors (duplicate mechanisms, invalid modifiers, or missing `v=spf1`).
- 2
Count DNS lookups: each `include:`, `a`, `mx`, `ptr`, and `exists` counts toward the 10-lookup limit — remove or flatten nested includes.
- 3
End with `-all` (hard fail) once all legitimate senders are authorized; use `~all` only during migration testing.
Common questions
What causes SPF PermError?+
Common causes include more than 10 DNS lookups, recursive include loops, invalid SPF syntax, or multiple SPF TXT records on one domain.
Is PermError worse than SoftFail?+
Yes. PermError means receivers cannot evaluate SPF reliably, so mail may fail authentication checks entirely rather than soft-failing.
Should I use an SPF flattening service?+
Flattening replaces nested includes with IP lists to stay under 10 lookups. It works but requires ongoing updates when ESPs change IPs — audit includes first.