How to Fix SPF PermError – SPF Too Many DNS Lookups

What is SPF PermError? How to Fix SPF Too Many DNS Lookups Errors


An SPF PermError (permanent error) is a common issue encountered when implementing the Sender Policy Framework (SPF). It can happen for several reasons, but the most common is an SPF record that requires too many DNS lookups. More specifically, an ‘SPF PermError’ occurs when the number of lookups exceeds the SPF 10 lookup limit, which hurts email deliverability and can cause receiving mail servers to reject your messages.

Reasons for SPF PermErrors include: 

  • Too Many DNS Lookups – SPF evaluations allow for no more than 10 DNS lookups.
  • Syntax errors – When an SPF record has invalid syntax, such as missing ‘v=spf1’.
  • Multiple SPF Records – Multiple SPF records on a single domain can result in errors.
  • Unresolvable Includes – If one of the include: mechanisms points to a domain with no SPF record or with a DNS error.
  • Circular Includes – If SPF records include each other recursively, the result is a PermError.
  • Invalid Mechanisms – Using mechanisms incorrectly, like using ‘ip4:abc’ instead of a valid IP address.

What Does ‘SPF Too Many DNS Lookups’ Mean?

If you’re getting an error that reads ‘SPF too many DNS lookups,’ it means your SPF record triggers more than 10 DNS lookups, which violates SPF specifications defined in the SPF RFC 7208. Receiving email servers will return a ‘PermError’ and will likely reject or flag your emails as suspicious at best and spam at worst. 

Since Domain-based Message Authentication, Reporting, and Conformance (DMARC) interprets an SPF PermError as a ‘fail’, email receivers may view such emails as less trustworthy. To reduce this risk, keep the DNS-querying mechanisms and modifiers in your SPF record within the limit of 10. If you’re not sure how to check how many mechanisms or modifiers are in your SPF record, EasyDMARC’s SPF record lookup tool can be used to check records for your domain.

Why Is There an SPF 10 Lookup Limit?

The SPF 10 lookup limit exists to protect receivers against threats such as Distributed Denial of Service (DDoS) attacks and spoofing attempts. It bounds the work done on the receiver’s side, since every DNS lookup consumes bandwidth, CPU, and memory. Capping the lookups prevents unreasonable overloading of those resources, which makes receivers less vulnerable to bad actors.

How Do I Fix ‘SPF Too Many Lookups’?

When creating an SPF record, here are some common practices that allow you to stay within the SPF record limit of 10:

1. Remove Unnecessary ‘Include’ Statements

An include: statement directs the receiver to another domain’s SPF record so that that domain’s approved IPs are checked as well. Each include: counts as one DNS lookup, and any DNS-querying mechanisms inside the included record count on top of it. The SPF evaluation stops with a PermError if the total lookup count, including all nested include: chains, exceeds 10.

One way to fix a ‘too many lookups’ issue is to review each include: statement in your SPF record and ask whether it can be replaced by something that doesn’t count against the SPF 10 lookup limit. For example, the all, ip4, and ip6 mechanisms, as well as the exp modifier, do not count against the limit (ip4 and ip6 are matched without any DNS query). Removing includes that are not strictly necessary, or replacing them with these alternatives, is an effective way to avoid SPF PermErrors.

Example

In the image below, the record is broken: the total number of DNS-querying mechanisms and modifiers must be reduced to fix the SPF too many lookups issue.

To make the SPF record lookup return correctly, delete the unnecessary ‘include’ statements, as shown in the image below.

Using EasyDMARC’s SPF record checker tool to search for the existence of multiple SPF records in DNS is an effective way to pre-empt SPF permanent errors.

2. Use the IP4 and IP6 Mechanisms

In your SPF record, the IP4 and IP6 mechanisms list a static set of IP addresses or ranges that are authorized to send mail, and they require no DNS lookup.

Example

Here’s an SPF record with include statements.

In contrast, the SPF record in the image below lists several static IP ranges instead. Replacing the include statement with IP4 mechanisms lowers the lookup count by 3, from 13 SPF record lookups to 10.

If you have several include statements in your SPF record, this substitution will help you minimize the number of DNS lookups.

3. Remove Mechanisms Belonging to the Same Domain

This SPF record refers to both the baddomain.com and yourdomain.com domains.

The record for baddomain.com already has an include statement for yourdomain.net. As a result, the include:spf.yourdomain.net mechanism is no longer needed and should be removed.

4. Delete All PTR Mechanisms

The PTR mechanism relies on reverse DNS (PTR) records, which map an IP address back to a domain or hostname. The SPF specification discourages using the PTR mechanism in an SPF record because it can result in a large number of DNS lookups.

5. Remove Any Invalid or Unused Domain References

Delete any include statements that direct the SPF check to a domain that no longer sends email on your behalf, such as a former partner or vendor domain.

You can also double-check that any domains you use in your SPF record point to an active record. Otherwise, they should be removed.

6. Use an SPF Record That Has Been Flattened

Even after all of these improvements, an SPF record may still not fit within the SPF 10 lookup limit; a flattened record can serve as a workaround. Flattening can also reduce the number of DNS-querying mechanisms and modifiers to just one.

SPF Flattening

The advantage of using SPF flattening techniques is that you can convert a very complex SPF record with over 10 DNS lookups into an IP address list while remaining just as secure.

The disadvantage is that the flattened SPF record loses synchronization with specified IP addresses, resulting in incorrect SPF authentication results if the IP addresses change. This requires you to monitor the IP addresses and manually update your SPF records on a regular basis.

While flattened records can reduce DNS lookups, they require ongoing manual updates whenever an IP address changes. For this reason, we recommend using flattening only as a last resort.

As an alternative, EasyDMARC’s EasySPF tool dynamically manages your SPF configuration and eliminates the risk of exceeding the 10-DNS-lookup limit. With EasySPF, you only need a single include: in your SPF record. You can then add, remove, or modify authorized email-sending sources through the platform—without worrying about lookup limits or manual updates. This helps prevent SPF PermErrors while maintaining flexibility and deliverability.

How to Flatten an SPF Record

  1. Query your DNS to retrieve the IP addresses for each DNS-querying mechanism and modifier used in the record.
  2. Replace the original mechanisms and modifiers with IP addresses.
  3. The total number of DNS lookups decreases by one every time a mechanism or a modifier is replaced. When both mechanisms and modifiers are removed, the total count drops to one, as only the primary SPF record requires a DNS query.
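As an added example (not EasyDMARC’s code or tooling) covering both the include: counting described under fix 1 and the flattening steps just listed: the Python below evaluates a record against a constructed in-memory zone, raises PermError for the causes listed at the top of the article, and emits a flattened record in which bare a, mx and ptr terms from included records are re-qualified with their own domain so their meaning survives the move. All domain names, the ZONE table and the function names are assumptions made for this example.

```python
import ipaddress
import re
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS lookup
FREE_TERMS = {"all", "ip4", "ip6", "exp"}  # exempt from the 10-lookup limit
ZONE = {  # constructed stand-in for DNS TXT lookups (hypothetical names; runs offline)
    "example.com": ["v=spf1 include:mail.example include:crm.example include:mail.example ip4:203.0.113.10 -all"],
    "mail.example": ["v=spf1 ip4:198.51.100.0/24 include:crm.example ~all"],
    "crm.example": ["v=spf1 ip6:2001:db8::/32 a mx -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # circular include
    "two-records.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],  # multiple records
    "bad-ip.example": ["v=spf1 ip4:abc -all"],  # invalid mechanism
}
class PermError(ValueError):  # a ValueError so that ipaddress's rejection of ip4:abc reads the same
    """The record cannot be evaluated: one of the causes the article lists."""
def get_spf(domain):  # a domain must publish exactly one v=spf1 TXT record
    records = [r for r in ZONE.get(domain, []) if r.split()[0].lower() == "v=spf1"]
    if len(records) != 1:
        raise PermError(f"{len(records)} SPF records at {domain}, expected exactly 1")
    return records[0]

def parse_term(term):  # -> (name, argument); raises on an unknown term or a bad address
    m = re.fullmatch(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S*))?(?:/\d+)?", term, re.I)
    if not m or m.group(1).lower() not in DNS_TERMS | FREE_TERMS:
        raise PermError(f"invalid term: {term}")
    name, arg = m.group(1).lower(), m.group(2)
    if name in ("ip4", "ip6"):
        ipaddress.ip_network(arg, strict=False)  # ValueError for e.g. ip4:abc
    return name, arg

def walk(record, domain, seen=frozenset()):  # -> (lookup count, flattened terms)
    if domain in seen:
        raise PermError(f"circular include through {domain}")
    lookups, flat = 0, []
    for term in record.split()[1:]:
        name, arg = parse_term(term)
        lookups += name in DNS_TERMS
        if name in ("include", "redirect"):  # chase the chain exactly as a receiver does
            n, inner = walk(get_spf(arg), arg, seen | {domain})
            lookups += n
            flat += [t for t in inner if parse_term(t)[0] != "all"] if name == "include" else [term]
        elif name in ("a", "mx", "ptr") and arg is None:  # must keep pointing at *this* domain
            flat.append(f"{name}:{domain}")
        else:
            flat.append(term)
    return lookups, list(dict.fromkeys(flat))  # drop duplicates (e.g. a repeated include), keep order

def count_lookups(domain):  # more than LOOKUP_LIMIT and a receiver returns PermError
    return walk(get_spf(domain), domain)[0]
def flatten(domain):  # the article's steps 1-2: inline include: chains as address terms
    return " ".join(["v=spf1", *walk(get_spf(domain), domain)[1]])
```

In the constructed zone, example.com costs 11 lookups (mail.example is included twice) and so breaks the limit, while its flattened form costs 2, with only the a: and mx: terms left to keep in sync when addresses change.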

SPF PermError is Common, but Avoidable with EasyDMARC

Addressing SPF PermError is a common aspect of maintaining email deliverability and security for your domain. By using best practices, clever implementation of mechanisms and modifiers, and being aware of your total SPF DNS lookups, you can optimize your SPF record and avoid this common error. 

For expert assistance in resolving complex SPF configurations, EasyDMARC’s experienced engineers can help streamline your email authentication process and ensure optimal deliverability. 

Frequently Asked Questions

Can SPF exceed 10 lookups?

No, SPF (Sender Policy Framework) should not exceed 10 DNS lookups. This is a strict limit defined by the SPF specification (RFC 7208), and exceeding it can cause SPF failures, even if your SPF record is otherwise valid.

Why is there an SPF 10 lookup limit?

Each time an SPF record uses mechanisms or modifiers such as include, exists, redirect, a, mx, or ptr (discouraged), the receiving server’s DNS resolver may need to perform one or more DNS lookups to validate the sender. To avoid performance and security issues, the total number of DNS lookups is capped at 10.

Is it okay to have multiple SPF records?

No, it’s not okay to have multiple SPF records for the same domain. According to the SPF specification, RFC 7208, a domain must have only one SPF record. If a domain has more than one v=spf1 TXT record, most receiving mail servers will treat this as a PermError: SPF validation will fail and legitimate emails from your domain may be rejected or marked as spam.

If you’re using multiple email services, such as Google Workspace and SendGrid, you need to combine all of their SPF mechanisms into a single SPF record. For example, instead of creating two separate records, you merge them into one like this:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Corporate Marketing Manager
Sarah is a wordsmith turned tech enthusiast with 20 years of experience in demystifying complex concepts. Her content helps our customers become email security heroes.