How to Fix SPF PermError
The 10-lookup limit explained, safe flattening strategies, provider consolidation tips, and how to keep your SPF record healthy long-term.
SPF PermError is one of the most common email authentication failures — and one of the most frustrating because it's often silent. Your email just goes to spam or gets rejected, with no bounce message to tell you what went wrong.
What causes SPF PermError?
The most common cause is exceeding the 10 DNS lookup limit defined in RFC 7208. Every include:, a:, mx:, ptr:, and exists: mechanism, and the redirect= modifier, in your SPF record costs at least one DNS lookup. Nested includes (includes within includes) count too.
A typical modern organization uses 5-10 sending services, each requiring an include:. Google Workspace alone uses 3-4 nested includes. It's easy to hit the limit without realizing it.
How to count your lookups
Start by looking at your SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:servers.mcsv.net ~all
This record has 4 direct include: mechanisms (4 lookups). But _spf.google.com itself contains more includes, adding 3-4 additional lookups. You could be at 7-8 lookups from this record alone — and adding one more service pushes you over.
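The Python below is an added example, not part of the original article. It walks include: and redirect= chains and counts every lookup-costing term against the shared budget of 10, raising an error for multiple SPF records or circular includes. The ZONE table is constructed sample data with hypothetical domain names standing in for live DNS TXT answers.

```python
# Added example: count DNS-lookup-costing SPF terms (RFC 7208 section 4.6.4).
# ZONE is constructed sample data standing in for live DNS TXT answers;
# every domain name below is hypothetical.
ZONE = {
    "example.com": ["v=spf1 mx include:_spf.mail.example include:send.bulk.example ~all"],
    "_spf.mail.example": ["v=spf1 include:_nb1.mail.example include:_nb2.mail.example"
                          " include:_nb3.mail.example ~all"],
    "_nb1.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_nb3.mail.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "send.bulk.example": ["v=spf1 a:out.bulk.example exists:%{i}.rbl.bulk.example -all"],
    "loop-a.example": ["v=spf1 include:loop-b.example -all"],
    "loop-b.example": ["v=spf1 include:loop-a.example -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
}
LIMIT = 10
COSTLY = {"include", "a", "mx", "ptr", "exists", "redirect"}


class PermError(Exception):
    """Raised where a receiver evaluating the record would return permerror."""


def count_lookups(domain, zone=ZONE, _state=None):
    """Return the number of lookup-costing terms reachable from domain."""
    state = {"n": 0} if _state is None else _state
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise PermError(f"{domain}: {len(records)} SPF records published")
    for term in (records[0].split()[1:] if records else []):
        term = term.lstrip("+-~?")              # drop the qualifier
        if term.lower().startswith("redirect="):
            name, target = "redirect", term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
            name = name.split("/")[0].lower()   # "a/24" -> "a"
        if name not in COSTLY:
            continue                            # ip4, ip6, all cost nothing
        state["n"] += 1
        if state["n"] > LIMIT:
            raise PermError(f"{domain}: over {LIMIT} lookups at {term!r}")
        if name in ("include", "redirect"):     # nested records share the budget
            count_lookups(target, zone, state)
    return state["n"]


if __name__ == "__main__":
    for d in ("example.com", "loop-a.example", "dup.example"):
        try:
            print(d, "->", count_lookups(d), "lookups")
        except PermError as e:
            print(d, "-> PermError:", e)
```

To audit a real domain, replace the ZONE lookup with TXT queries from a DNS library of your choice; the counting logic stays the same.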
Fix 1: Remove unused senders
This is always the first step. Audit each include in your SPF record:
- Do you still use this email service?
- Does it actually need to send email as your root domain (vs. a subdomain)?
- Could it send from a different domain entirely?
Removing one unused include can save 1-4 lookups (depending on nesting). This is free, safe, and immediately effective.
Fix 2: Consolidate providers
If you use three transactional email services because different teams chose different tools, consider consolidating to one or two. Each provider you eliminate saves at least one lookup.
Fix 3: Use subdomains
Each subdomain gets its own SPF record with its own 10-lookup budget. Move marketing email to mail.yourdomain.com, transactional email to notify.yourdomain.com, etc. This is the cleanest long-term solution.
The tradeoff: you'll need to configure DMARC alignment for subdomains and update your From addresses.
Fix 4: SPF flattening (use with caution)
Flattening replaces include: mechanisms with the underlying ip4: and ip6: addresses. Since IP mechanisms don't require DNS lookups, this reduces your lookup count.
The risk: Email providers change their IP ranges regularly. If you flatten and don't keep the IPs updated, your SPF will silently stop authorizing legitimate mail. Only use automated flattening services that re-resolve IPs on a schedule.
Other PermError causes
- Syntax errors: Typos in your SPF record (missing space, invalid mechanism). Use an SPF checker to validate.
- Multiple SPF records: A domain must have exactly one SPF TXT record. Multiple records cause PermError.
- DNS lookup timeouts: If an included domain's DNS is slow, the lookup can time out and count as a failure.
- Infinite loops: Circular includes (A includes B, B includes A) will exhaust the lookup limit.
Prevention
The best defense against SPF PermError is ongoing monitoring:
- Check your lookup count whenever you add a new sending service
- Set up alerts when your count approaches 10
- Review your SPF record quarterly — remove services you no longer use
- Keep a documented list of what each include is for