Troubleshooting

SPF PermError

SPF PermError means the receiver found a permanent policy problem that prevents reliable SPF evaluation.

Intermediate · 7 min read · Reviewed Jul 4, 2026

Quick answer

SPF PermError indicates a permanent policy error such as multiple SPF TXT records on one hostname, exceeding ten DNS lookups, invalid syntax, or circular includes. Receivers cannot produce a trustworthy pass or fail result. PermError often causes DMARC SPF alignment to fail and should be treated as a high-priority DNS fix, not a transient DNS issue.

Beginner explanation

A PermError is SPF's way of saying your policy is broken in a way that is not going to fix itself with time. Unlike a temporary DNS timeout, a PermError points to structural problems in how the record is published or designed.

Teams often discover PermError through DMARC aggregate reports or mailbox provider diagnostics long before their own users complain. The result code looks obscure, but the underlying causes are usually duplicate records or too many lookups.

Fixing PermError restores predictable authentication. Until then, receivers may ignore SPF entirely for your domain, weakening spoofing defenses.

Technical explanation

RFC 7208 defines PermError for conditions that make accurate evaluation impossible. Common triggers include more than one TXT record containing v=spf1 on the same name, malformed mechanisms, void lookups that exceed limits, and detected include loops.

PermError differs from Fail, which means evaluation completed and the sending IP is unauthorized. PermError means evaluation could not complete reliably. DMARC treats these outcomes differently; an SPF PermError typically fails alignment even if the IP would have matched part of the policy.

Remediation starts with enumerating all TXT records on the SPF hostname, counting lookups via recursive resolution, and validating syntax with a spec-compliant parser. Remove duplicate policies, fix syntax errors, then restructure includes or flatten to reduce lookup depth.

Business impact

PermError undermines trust in your entire authentication program. Security teams see elevated spoofing risk while marketing sees unexplained SPF failures on otherwise valid campaigns.

Because PermError is domain-wide, it affects multiple sending channels simultaneously, increasing incident severity and cross-team blame during outages.

Common mistakes

- Adding a second SPF TXT record instead of merging mechanisms into the existing one
- Ignoring PermError in DMARC reports because overall volume still shows some passes from other alignments
- Assuming PermError will clear after TTL expiry without editing the underlying policy flaw

How SPF Manager helps

SPF Manager detects PermError conditions proactively: duplicate v=spf1 records, lookup overages, and syntax faults. It explains which condition triggered the error in plain language and suggests ordered remediation steps.

After fixes, re-validation confirms receivers will get a definitive SPF result instead of PermError.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

Best Practices

SPF Record Validation

SPF record validation checks syntax, duplicate policies, lookup limits, and real-world resolution before you rely on a record in production.

Beginner 6 min read

Troubleshooting

SPF TempError

SPF TempError indicates a temporary DNS or evaluation problem that may resolve on retry.

Intermediate 6 min read

DNS

TXT Records for SPF

SPF policies are published as DNS TXT records at the domain or designated subdomain used in the envelope sender.

Beginner 5 min read