What Can Cause SPF PermError?

SPF SPF PermError

When the SPF record on a domain can't be correctly interpreted, SPF returns a PermError (permanent error). In contrast with an SPF TempError (temporary error), an SPF PermError requires a system administrator to take measures to rectify the issue.

Here is a list of causes of SPF PermError:

  • multiple SPF records are found on one domain;
  • the SPF record is syntactically incorrect;
  • the number of DNS lookups involved in a single SPF check exceeds 10;
  • the number of void lookups involved in a single SPF check exceeds 2;
  • there is an exception in redirect.

We will go through these scenarios in this article one by one.

Multiple SPF records are found on one domain

Only one SPF record can be published on a domain or a subdomain; otherwise SPF returns a PermError. Learn more here: Can I Have Multiple SPF Records on My Domain?

For example, if you publish 2 completely valid SPF records on domain.com, SPF fails with a PermError for this reason:

v=spf1 a -all
v=spf1 mx -all

The solution to this problem is to keep only one valid SPF record with all the necessary mechanisms. For example, if both the a and mx mechanisms are required, you can update the first SPF record to:

v=spf1 a mx -all

and remove the second SPF record, then the issue is fixed.

The SPF record is syntactically incorrect

Your SPF record must be syntactically correct, otherwise SPF returns a PermError.

For example, there is an invalid mechanism in the following SPF record:

v=spf1 a im -all

As no im mechanism is defined in the SPF specification, it's considered an invalid mechanism; therefore, the SPF record is syntactically incorrect.

To fix it, update im with a valid SPF mechanism or remove it altogether, depending on your actual needs.

The number of DNS lookups involved in a single SPF check exceeds 10

When SPF evaluates the SPF record on a domain, the number of mechanisms and modifiers that do DNS lookups must not exceed 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier; otherwise, SPF returns a PermError.

For example, if a domain has an SPF record like this:

v=spf1 a mx include:bluehost.com ?all

SPF can fail with a PermError, as bluehost.com already contains 13 DNS lookups and that mechanism alone violates the 10-DNS-lookup limit in SPF.

You can use DMARCLY's free SPF Record Checker to check your SPF record for this issue.

To fix it, use DMARCLY's Safe SPF.

Refer to SPF PermError: Too Many DNS Lookups for more information.

The number of void lookups involved in a single SPF check exceeds 2

During an SPF check, if it's unable to resolve the DNS host for a mechanism/modifier in the SPF record, it's called a "void lookup". These mechanisms can be the "include", "a", "mx", "ptr", and "exists" mechanisms, and the "redirect" modifier.

SPF fails with a PermError if the number of void lookups involved in a single SPF check exceeds 2.

For example, if none of badhost1, badhost2, and badhost3 exists, and you have an SPF record as shown below:

v=spf1 a:badhost1 include:badhost2 exists:badhost3 -all

SPF will fail with a PermError, as the number of void lookups in the above record is 3.

To avoid this, either publish valid SPF records on those hosts, or remove them.

There is an exception in redirect

If a "redirect" mechanism is used in an SPF record, the target name of the mechanism must have an SPF record, otherwise SPF fails with a PermError.

For example, if your SPF record looks like this:

v=spf1 redirect=_spf.example.com

And if there is no SPF record on _spf.example.com, SPF fails with a PermError.

To avoid this, make sure your redirect mechanism points to a target name with a valid SPF record on it. In the case above, publish an SPF record on _spf.example.com.

To learn more about SPF authentication results, refer to Why SPF Authentication Fails.

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account