How to fix SPF PermError: too many DNS lookups

SPF PermError DNS lookup limit

When troubleshooting email delivery issues, you might run into some cryptic SPF error on the receiving email server along the lines of:

SPF PermError: too many DNS lookups

SPF Permanent Error: too many DNS lookups

SPF Fail: too many DNS lookups

These messages indicate that the SPF record on your domain involves more than 10 DNS lookups which falls foul of the SPF 10-DNS-lookup limit imposed by the SPF specification.

When this happens, SPF returns a PermError indicative of this issue which results in SPF authentication failure. If the final outcome of email authentication is failure, the email message might not land in the inbox.

Steps to overcome the SPF PermError: too many DNS lookups issue

Follow the 3 steps below to fix this issue.

1. Go to DMARCLY's Safe SPF feature

Log in to DMARCLY's dashboard, then go to DNS Records -> Safe SPF.

2. Set up Safe SPF on your domain

Choose the domain that has an SPF record with 10+ DNS lookups. This is the domain you need to set up Safe SPF on to break free from SPF's 10-DNS-lookup limit.

Click "Set Up Safe SPF". Enter the original SPF record on the domain. Click "Generate Safe SPF Record".

Your original SPF record will be converted to a Safe SPF record, which is a completely valid SPF record that has the same IP addresses as the original one but contains much fewer DNS lookups.

Now publish the generated Safe SPF record on the domain, in the DNS. Then click "Save Safe SPF".

3. Verify that the SPF PermError is fixed

Use an online SPF record checker to check the domain, you will see that the DNS lookup count is 1, far below the 10-DNS-lookup limit. Note that DNS propagation takes a while, and if you don't see the new SPF record, retry after 5 minutes.

Now your original SPF record containing 10+ DNS lookups is turned into a Safe SPF record. This Safe SPF record contains exactly the same IP addresses as the original SPF record, while containing DNS lookups far fewer than 10. In addition, whenever any of the services used in your original SPF record changes, the Safe SPF record is updated automatically, so that they are always synchronised.

Now you will never have to worry about the dreaded SPF PermError: too many DNS lookups issue again!

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account