How to troubleshoot SPF “permerror” or “temperror”?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You set up SPF, everything looked fine, and now you're seeing permerror or temperror in your email headers or authentication reports. These two errors mean very different things, and they need very different fixes.
Here's how to tell them apart and sort them out.
What permerror means
A permerror is a permanent failure. Something in your SPF record is broken in a way that receiving mail servers can't recover from on their own. The most common causes are:
- Too many DNS lookups. SPF allows a maximum of 10 DNS lookups during evaluation. Every
include:,a:,mx:, andredirect=in your record counts as a lookup. Add in your ESP, a CRM tool, and a helpdesk platform and you can blow past 10 fast. This is the most common permerror by a wide margin. - Multiple SPF records on the same domain. You can only have one SPF TXT record per domain. If you or a previous admin added a second one, receiving servers see both and immediately return permerror. They won't guess which one to use.
- Syntax errors. A typo in a mechanism like
iclude:instead ofinclude:, or a missing qualifier, breaks the whole record. - Circular references. If Record A includes Record B and Record B includes Record A, SPF gets stuck in a loop and fails.
What temperror means
A temperror is a temporary failure. Nothing is wrong with your SPF record itself. The receiving server tried to look up your DNS at that moment and couldn't get a response, either because your DNS provider had a brief outage, the query timed out, or there was a network hiccup along the way.
And a single temperror usually clears on its own. If you're seeing it repeatedly or across multiple receiving servers, that's a signal to check your DNS provider's uptime history.
How to troubleshoot a permerror step by step
Step 1: Look at your current SPF record. Run a lookup on your domain to pull the raw TXT record. You can use our free SPF checker or run dig TXT yourdomain.com from the command line. You're looking for a record that starts with v=spf1.
A valid record looks something like this:
v=spf1 include:mailgun.org include:_spf.google.com ip4:203.0.113.5 ~all
But if you see two separate lines both starting with v=spf1, that's your problem right there. You need to merge them into one record.
Step 2: Count your DNS lookups. Every include: triggers at least one lookup. Then each of those included records may contain their own includes, each counting against your limit. Walk the chain manually or use an SPF lookup counter tool. If your total exceeds 10, you need to flatten your record.
Flattening means replacing include: statements with the actual IP addresses they resolve to. It reduces lookups dramatically, though it does require updating your record when those third-party IP ranges change. (Not ideal, but sometimes necessary.)
Step 3: Validate the syntax. Paste your full SPF record into a validator. Look for typos in mechanism names, missing spaces between mechanisms, or invalid qualifiers. One small typo can break the whole thing.
Step 4: Check for duplicate records. Search your DNS for all TXT records on your root domain (@). If you spot two v=spf1 entries, delete one and merge the mechanisms from both into a single record.
How to troubleshoot a temperror
If the error is happening occasionally and inconsistently, wait it out. Check if your DNS provider reported any incidents around the time you saw the error. Most temperrors resolve within minutes.
If you're seeing temperrors frequently across multiple receiving domains, it's worth checking whether your DNS host has reliability issues. A slow or unreliable DNS provider can cause recurring temperrors even with a perfectly written SPF record. That's a hosting problem, not an SPF problem.
Reading the error in email headers
To confirm which error you're dealing with, check the Authentication-Results header in a received email. It'll look something like this:
spf=permerror (too many DNS lookups) smtp.mailfrom=captain@deepcurrent.io
That line tells you the result, the reason, and which address was evaluated. Our email header analyzer can parse this for you if reading raw headers feels like deciphering ancient code. (It often does.)
If you're still stuck after checking all of this, our SOS hotline is free. Paste your SPF record and the header snippet and we'll walk through it with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.