What Is SPF PermError? The Fatal Authentication Failure
You've set up SPF, tested it, and everything seemed fine. Then you notice that some of your legitimate emails are bouncing with an "SPF PermError." What happened?
SPF PermError (Permanent Error) is a fatal authentication failure. Unlike Fail or SoftFail (which indicate unauthorized senders), PermError means the receiving server couldn't even evaluate your SPF record because something is fundamentally wrong with it.
How Receiving Servers Handle PermError
- Most mailbox providers (Gmail, Outlook) give the message no SPF credit: for DMARC purposes a PermError counts as an SPF failure, just as if no record were published at all.
- RFC 7208 permits a receiver to reject outright, and strict corporate gateways do, typically with a "550 Permanent SPF Error" bounce (enhanced status code 5.5.2).
- Delivery then rests entirely on DKIM. A valid, DMARC-aligned DKIM signature still lets the message pass DMARC; without one it is likely to land in spam or be rejected under the domain's DMARC policy.
PermError is distinct from TempError (temporary DNS error). TempError may resolve on retry; PermError will never resolve without changes to your DNS.
Cause 1: Syntax Errors in Your SPF Record
The most common cause of PermError is a simple typo in your SPF record. SPF syntax is strict; even a missing space or incorrect character invalidates the entire record.
Common Syntax Errors
- Missing or misspelled v=spf1 tag: every SPF record must begin with v=spf1. A record without it, or with a misspelling such as v-spf1, is not flagged as a PermError; it is silently ignored, so the domain evaluates as None. Either way the message gets no SPF authentication.
- Wrong separator between terms: terms are separated by ASCII spaces. The RFC 7208 grammar tolerates repeated and trailing spaces, but a tab, a non-breaking space or a line break copied from a web page or a document is not a space and makes the neighbouring term unparsable.
- Incorrect qualifier syntax: the qualifier goes in front of the mechanism name. +include:domain.com is correct; include+:domain.com is a PermError.
- Missing colon after mechanisms: include:domain.com is correct; include domain.com is parsed as a bare include (invalid) followed by an unknown mechanism named domain.com, and either one is enough for a PermError.
- Unknown mechanisms: a domain pasted without its include: prefix, or a misspelled mechanism name such as includes:, is an unknown mechanism and fails the whole record.
- Stray quotes or semicolons: in zone-file syntax the quotes delimit the TXT string and are not part of it, so if your DNS provider's form already quotes the value, typing your own quotes puts literal quote characters into the record. Semicolons separate tags in DKIM and DMARC records but have no meaning in SPF; one pasted from a DMARC template becomes part of a term and breaks it.
Examples of Bad Syntax vs Good Syntax
# BAD (missing v=spf1: not an SPF record at all, the domain evaluates as None)
include:_spf.google.com ~all
# BAD (misspelled version tag, same effect)
v-spf1 include:_spf.google.com ~all
# BAD (missing colon: bare include plus an unknown mechanism, PermError)
v=spf1 include _spf.google.com ~all
# BAD (qualifier after the mechanism name, PermError)
v=spf1 include+:_spf.google.com ~all
# GOOD
v=spf1 include:_spf.google.com ~all
How to Fix
Use our SPF Checker to validate your syntax. The tool highlights exactly where the error occurs and provides corrected syntax.
Cause 2: Multiple SPF Records for the Same Domain
The SPF specification (RFC 7208) explicitly states that a domain MUST have at most one SPF record. A receiver fetches all TXT records at the name and selects every one that begins with v=spf1; if more than one is selected, check_host() returns PermError (RFC 7208 section 4.5) without evaluating either of them, so even two individually correct records fail.
Why Multiple Records Occur
- Accidental duplicate: You or someone else added a second SPF record without deleting the first.
- DNS provider migration: After migrating DNS providers, old records weren't cleaned up.
- Subdomain confusion: a record meant for a subdomain (for example mail.yourdomain.com) was entered at the apex, where a record already existed.
- Email provider auto-configuration: Some providers automatically add SPF records without checking for existing ones.
How to Check for Multiple Records
dig yourdomain.com TXT +short | grep "v=spf1"
If this returns more than one line, you have multiple SPF records.
How to Fix
- Identify all SPF records using our SPF Checker or the dig command above.
- Decide which record is correct. If both contain mechanisms you still need, merge them into a single record: one v=spf1 tag, all of the mechanisms, and a single all mechanism at the end.
- Delete every other SPF record from your DNS, then query again from an external resolver to confirm that exactly one remains.
Cause 3: Exceeding the 10-DNS-Lookup Limit
As covered in depth in a previous article, SPF evaluation is limited to 10 DNS-querying terms: the include, a, mx, ptr and exists mechanisms and the redirect modifier, counted across every record reached through include and redirect. ip4, ip6 and all cost nothing. Exceeding the limit is a PermError (RFC 7208 section 4.6.4). The same section also limits "void lookups" (queries that return no answer) to two per evaluation, which catches an include or redirect pointing at a name that publishes nothing.
How to Check Your Lookup Count
Use our SPF Checker—it automatically calculates total lookups, including recursion through includes.
How to Fix
- Remove unused includes
- Replace includes with ip4/ip6 ranges where possible (safe for ranges you control; third-party ranges change and must be re-checked on a schedule)
- Use subdomain segmentation
- Implement SPF flattening
(See "How to Solve the SPF 10 DNS Lookup Limit Error" for detailed solutions.)
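The three causes above can all be caught before a receiver sees the record, by parsing it against the RFC 7208 term grammar and then walking its includes with a shared lookup budget, the way check_host() does. The following is an added example written for this article, not the SPF Checker the page refers to. It runs against a constructed in-memory DNS table (every *.example name and TXT string is made up for the demonstration) so it works offline, and it counts lookup terms statically, as checkers do, rather than stopping at the first matching mechanism.

```python
import ipaddress
import re

# Added example, not the page's SPF Checker: a strict RFC 7208 term parser and a
# check_host()-style walk over an offline DNS table. Every *.example name and
# TXT string below is constructed for the demonstration.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS query
SPF_VERSION = re.compile(r"^v=spf1(?: |$)", re.IGNORECASE)
# [qualifier] name [separator argument]; 'include+:x' fails to match and is a PermError
TERM_RE = re.compile(r"^(?P<q>[+\-~?])?(?P<name>[A-Za-z][A-Za-z0-9_.-]*)(?:(?P<sep>[:=/])(?P<arg>.*))?$")


class SpfPermError(Exception):
    """Any condition for which RFC 7208 requires the 'permerror' result."""


def parse_spf(record):
    """Split one TXT string into (qualifier, name, argument) terms, raising
    SpfPermError on bad syntax. Returns None when the string carries no v=spf1
    tag: receivers ignore it, so the domain evaluates as 'none', not 'permerror'."""
    fields = [f for f in record.split(" ") if f]  # grammar allows 1*SP, so repeats are harmless
    if not fields or fields[0].lower() != "v=spf1":
        return None
    terms, seen_modifiers = [], set()
    for field in fields[1:]:
        if not all(0x21 <= ord(c) <= 0x7E for c in field):  # tab, NBSP, curly quote, ...
            raise SpfPermError(f"non-printing or non-ASCII character in {field!r}")
        m = TERM_RE.match(field)
        if not m:
            raise SpfPermError(f"unparsable term {field!r}")
        q, name, sep, arg = m["q"], m["name"].lower(), m["sep"], m["arg"] or ""
        if sep == "=":  # a modifier: no qualifier allowed, unknown names are ignored (section 6)
            if q is not None:
                raise SpfPermError(f"qualifier on modifier {field!r}")
            if name in ("redirect", "exp"):
                if name in seen_modifiers or not arg:
                    raise SpfPermError(f"{name}= missing its domain or given twice")
                seen_modifiers.add(name)
                terms.append(("+", name, arg))
            continue
        if name not in MECHANISMS:
            raise SpfPermError(f"unknown mechanism {name!r} (forgot the 'include:' prefix?)")
        if sep and not arg:
            raise SpfPermError(f"{name}{sep} with nothing after it")
        if name in ("ip4", "ip6"):
            if sep != ":":
                raise SpfPermError(f"{name} needs ':address'")
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise SpfPermError(f"bad address in {field!r}") from None
            if net.version != int(name[2]):
                raise SpfPermError(f"{name} given an IPv{net.version} address")
        elif name in ("include", "exists") and sep != ":":
            raise SpfPermError(f"{name} needs ':domain'")
        elif name == "all" and sep:
            raise SpfPermError("all takes no argument")
        terms.append((q or "+", name, arg))
    return terms


def evaluate(domain, txt, budget=None):
    """Walk domain's record the way check_host() does: one record selected, one
    10-lookup budget shared across include:/redirect= recursion (section 4.6.4),
    and an include target that publishes nothing is a permerror (section 5.2).
    Lookup terms are counted statically, as checkers do. txt(name) returns the
    TXT strings at name. Returns (result, detail), result in none/ok/permerror."""
    if budget is None:
        budget = {"lookups": 0}
    records = [r for r in txt(domain) if SPF_VERSION.match(r)]
    if not records:
        return "none", f"{domain}: no SPF record published"
    if len(records) > 1:
        return "permerror", f"{domain}: {len(records)} SPF records, must be exactly one"
    try:
        terms = parse_spf(records[0])
    except SpfPermError as exc:
        return "permerror", f"{domain}: {exc}"
    for _q, name, arg in terms:
        if name in LOOKUP_TERMS:
            budget["lookups"] += 1
            if budget["lookups"] > 10:
                return "permerror", f"{domain}: more than 10 DNS-lookup terms in total"
        if name in ("include", "redirect"):
            result, detail = evaluate(arg, txt, budget)
            if result != "ok":
                return "permerror", f"{domain}: {name} {arg} -> {detail}"
    return "ok", f"{domain}: valid, {budget['lookups']} DNS-lookup terms"


CONSTRUCTED_DNS = {  # constructed zone data; one entry per failure mode from the page
    "good.example": ["v=spf1 include:_spf.mail.example ip4:192.0.2.0/24 ~all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "noversion.example": ["include:_spf.mail.example ~all"],         # Cause 1: not an SPF record
    "typo.example": ["v=spf1 include _spf.mail.example ~all"],       # Cause 1: missing colon
    "nbsp.example": ["v=spf1 include:_spf.mail.example\u00a0~all"],  # Cause 1: pasted NBSP
    "badip.example": ["v=spf1 ip4:198.51.100.256 -all"],             # Cause 1: not an address
    "dup.example": ["v=spf1 include:_spf.mail.example ~all", "v=spf1 ip4:203.0.113.5 -all"],  # Cause 2
    "toomany.example": ["v=spf1 " + " ".join(["include:_spf.mail.example"] * 11) + " -all"],  # Cause 3
    "dead.example": ["v=spf1 include:nothing.example -all"],         # Cause 4A: target has no record
    "nothing.example": ["unrelated-verification-token=abc"],
}


def constructed_txt(name):
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    for zone in CONSTRUCTED_DNS:
        print("%-9s %s" % evaluate(zone, constructed_txt))
```

To point it at real DNS, pass evaluate() a txt function that queries your resolver and returns the TXT strings for a name; the parser and the budget logic do not change. Note that the non-breaking-space case is only detectable because the check rejects anything outside printable ASCII; a checker that merely splits on whitespace will wave it through.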
Cause 4: DNS Resolution Problems
Even if your SPF record is syntactically perfect, DNS issues can cause PermError.
Sub-Cause A: Includes That Don't Resolve
If your SPF record includes another domain (e.g., include:example.com) but example.com publishes no SPF record, RFC 7208 section 5.2 requires the receiver to return PermError for your domain. If example.com's DNS is merely broken (SERVFAIL, timeout), the result is TempError instead; the message is still unauthenticated, but it may succeed on retry.
Sub-Cause B: DNS Timeouts or Truncation
Large SPF records (especially flattened ones with many ip4 mechanisms) run into two size limits. A single TXT string is capped at 255 octets, so a longer record has to be published as several strings within one TXT record, which receivers concatenate; publishing the halves as two separate TXT records instead produces two SPF records and a PermError (Cause 2). RFC 7208 section 3.4 also recommends keeping the whole DNS response within 512 octets so that resolvers without EDNS0 do not fall back to TCP; where that fallback is blocked, the lookup fails and the result is TempError rather than PermError.
Sub-Cause C: DNSSEC Validation Failures
If your zone is DNSSEC-signed and validation fails because of a misconfiguration (expired signatures, a stale DS record after a key rollover), validating resolvers answer SERVFAIL. SPF reports that as TempError rather than PermError, but the practical effect is the same: every receiver behind a validating resolver fails to authenticate your mail until the signing problem is fixed.
How to Fix
- Verify that every include target publishes exactly one valid SPF record, using our SPF Checker or a direct dig query.
- If the includes are correct but slow or unreliable to resolve, consider replacing them with flattened IP ranges, and re-check those ranges on a schedule because third-party senders change them.
- If the zone is signed, confirm the chain validates from outside (dig +dnssec yourdomain.com TXT, or delv yourdomain.com TXT) rather than trusting your provider's control panel.
Diagnostic Tools and Fixes for SPF PermError
Use this systematic approach to diagnose and fix PermError.
Step 1: Validate Syntax and Lookup Count
Use our SPF Checker. It will flag syntax errors, count lookups, and identify duplicate records.
Step 2: Check for Multiple Records
Run dig yourdomain.com TXT +short | grep "v=spf1". If multiple lines, delete duplicates.
Step 3: Verify All Includes Resolve
For each include in your record, manually query that domain's SPF record. Example: dig _spf.google.com TXT +short. An empty answer means the target publishes no SPF record, which is a PermError for your domain; a SERVFAIL or timeout is a TempError. Check the targets' own includes as well, since they count against your lookup limit.
Step 4: Test with a Different DNS Resolver
Your DNS provider may show correct records, but external resolvers may differ. Test using Google DNS (dig @8.8.8.8 yourdomain.com TXT) and Cloudflare DNS (dig @1.1.1.1 yourdomain.com TXT).
Step 5: Review DMARC Reports for SPF Errors
If you have DMARC configured, aggregate reports will show SPF results, including PermError rates. High PermError rates confirm the issue.
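Steps 2 to 4, and Sub-Cause A above, are tedious to run by hand across several resolvers and every include target, so here they are scripted. This is an added example, not the page's SPF Checker. It shells out to dig when given a real domain; the query function is injectable, so the constructed dig output embedded below (every *.example name and record is made up for the demonstration) exercises the same code offline.

```python
import re
import subprocess

# Added example, not the page's SPF Checker: the dig-based diagnostic steps scripted.
# query(name, resolver) returns raw `dig +short` text, so a stub can stand in for the
# network; CONSTRUCTED_DIG below is made-up data for the offline demonstration.
INCLUDE_RE = re.compile(r"(?:^|\s)(?:include:|redirect=)([^\s/]+)", re.IGNORECASE)
RESOLVERS = ["8.8.8.8", "1.1.1.1"]  # the public resolvers the page suggests comparing


def dig_txt(name, resolver=None):
    """Raw output of `dig +short [@resolver] NAME TXT` ('' on timeout or failure)."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if resolver:
        cmd.append("@" + resolver)
    proc = subprocess.run(cmd + [name, "TXT"], capture_output=True, text=True, check=False)
    return proc.stdout


def txt_records(raw):
    """One Python string per TXT RR. dig prints a record longer than 255 octets as
    several quoted strings on one line; receivers concatenate them, so we do too."""
    records = []
    for line in raw.splitlines():
        pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if pieces:
            records.append(re.sub(r"\\(.)", r"\1", "".join(pieces)))
    return records


def spf_records(raw):
    return [r for r in txt_records(raw) if re.match(r"v=spf1(?: |$)", r, re.IGNORECASE)]


def diagnose(domain, resolvers=RESOLVERS, query=dig_txt):
    """Steps 2-4 from the page: count SPF records per resolver, flag resolvers that
    disagree, and confirm every include:/redirect= target publishes exactly one record.
    Returns human-readable findings; an empty list means nothing was found."""
    findings, views = [], {}
    for resolver in resolvers:
        spf = spf_records(query(domain, resolver))
        views[resolver] = sorted(spf)
        if not spf:
            findings.append(f"{resolver}: {domain} publishes no SPF record (result None)")
        elif len(spf) > 1:
            findings.append(f"{resolver}: {domain} publishes {len(spf)} SPF records (PermError)")
    if len({tuple(v) for v in views.values()}) > 1:
        findings.append(f"{domain}: resolvers disagree, one is serving a stale or different zone: {views}")
    # Step 3, walking the include/redirect targets as seen through the first resolver
    for target in sorted(set(INCLUDE_RE.findall(" ".join(views[resolvers[0]])))):
        n = len(spf_records(query(target, resolvers[0])))
        if n != 1:
            findings.append(f"{domain}: include/redirect target {target} publishes {n} SPF records (PermError)")
    return findings


CONSTRUCTED_DIG = {  # constructed `dig +short` output keyed by (name, resolver)
    ("dup.example", "8.8.8.8"): '"v=spf1 include:_spf.mail.example ~all"\n"v=spf1 ip4:203.0.113.5 -all"\n',
    ("dup.example", "1.1.1.1"): '"v=spf1 include:_spf.mail.example ~all"\n',  # stale cache: one record
    ("_spf.mail.example", "8.8.8.8"): '"v=spf1 ip4:198.51.100.0/24 " "ip4:192.0.2.0/24 -all"\n',
    ("dead.example", "8.8.8.8"): '"v=spf1 include:nothing.example -all"\n',
    ("dead.example", "1.1.1.1"): '"v=spf1 include:nothing.example -all"\n',
    ("nothing.example", "8.8.8.8"): '"unrelated-verification-token=abc"\n',  # TXT present, no SPF
}


def constructed_query(name, resolver):
    return CONSTRUCTED_DIG.get((name, resolver), "")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real run: python spf_diag.py yourdomain.com
        for finding in diagnose(sys.argv[1]):
            print(finding)
    else:                                       # offline demonstration on the constructed data
        for zone in ("dup.example", "dead.example"):
            for finding in diagnose(zone, query=constructed_query):
                print(finding)
```

Resolver disagreement is worth treating as a finding in its own right: if one public resolver still serves the record you deleted, receivers behind it will keep returning PermError until the old TTL expires, which is the usual reason a fix "didn't work".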
