
How to fix "SPF PermError: too many DNS lookups"

When troubleshooting email delivery issues, you might run into some cryptic SPF error on the receiving email server along the lines of:

"SPF PermError: too many DNS lookups"

"SPF Permanent Error: too many DNS lookups"

"SPF Fail: too many DNS lookups"

These messages indicate that evaluating the SPF record on your domain requires more than 10 DNS lookups, which exceeds the 10-DNS-lookup limit imposed by the SPF specification. When this happens, SPF returns a PermError, which results in SPF authentication failure. If the final outcome of email authentication is failure, the email message might not land in the inbox.
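To see how a record ends up over the limit, the following added example (not DMARCLY's code) counts the lookup-causing terms in an SPF record and in every record it includes, the way a static SPF checker does. The domains and records in ZONE are constructed sample data, and the function names are this example's own.

```python
LOOKUP_LIMIT = 10
# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone (domain -> SPF TXT record); not real DNS data.
ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mail.test include:_spf.crm.test "
                    "include:_spf.news.test ~all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test "
                      "include:_c.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mail.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_c.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.test": "v=spf1 include:_n1.crm.test include:_n2.crm.test -all",
    "_n1.crm.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_n2.crm.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.news.test": "v=spf1 a:send.news.test exists:%{i}.bl.news.test -all",
    # Constructed record with a single include, for comparison.
    "short.test": "v=spf1 include:_all.vendor.test ~all",
    "_all.vendor.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
}

def count_lookups(domain, zone, chain=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record."""
    if domain in chain:
        raise ValueError(f"include loop via {domain}")
    total = 0
    # A missing record yields no terms here; a real receiver treats that include as an error.
    for term in zone.get(domain, "").split()[1:]:   # [1:] skips "v=spf1"
        term = term.lstrip("+-~?")                  # drop the qualifier
        if term.lower().startswith("redirect="):
            name, target = "redirect", term.split("=", 1)[1]
        else:
            name, _, target = term.partition(":")
            name = name.split("/")[0].lower()       # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):         # these pull in another record
            total += count_lookups(target, zone, chain + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return ("permerror" | "ok", lookup_count) for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LOOKUP_LIMIT else "ok", n)

if __name__ == "__main__":
    for d in ("example.test", "short.test"):
        print(d, *check(d))
```

Note that ip4 and ip6 terms cost nothing, while every nested include adds its own lookups on top of the one needed to fetch it.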

3 steps to fix the "SPF PermError: too many DNS lookups" issue

1. Go to DMARCLY's Safe SPF feature

Log in to DMARCLY's dashboard, then go to DNS Records -> Safe SPF.

2. Set up Safe SPF on your domain

Choose the domain that has an SPF record with 10+ DNS lookups. This is the domain you need to set up Safe SPF on to break free from SPF's 10-DNS-lookup limit.

Click "Set Up Safe SPF". Enter the original SPF record on the domain. Click "Generate Safe SPF Record".

Your original SPF record will be converted to a Safe SPF record, which is a completely valid SPF record that has the same IP addresses as the original one but contains far fewer DNS lookups.

Now publish the generated Safe SPF record on the domain, in the DNS. Then click "Save Safe SPF".

3. Verify that the SPF PermError is fixed

Use an online SPF record checker to check the domain. You will see that the DNS lookup count is 1, far below the 10-DNS-lookup limit. Note that DNS propagation takes a while; if you don't see the new SPF record, retry after 5 minutes.

Your original SPF record containing 10+ DNS lookups has now been turned into a Safe SPF record. This Safe SPF record contains exactly the same IP addresses as the original SPF record, but requires far fewer than 10 DNS lookups. In addition, whenever any of the services used in your original SPF record changes, the Safe SPF record is updated automatically, so that they are always synchronised.

Now you will never have to worry about the dreaded "SPF PermError: too many DNS lookups" issue again!
