Reading Time: 8 min

An SPF Permerror indicates that a permanent error was encountered while processing a domain’s SPF record. Domain owners may face an SPF permerror due to a lot of reasons such as: 

1. Invalid or incorrect SPF record 
2. Too many DNS lookups exceed the SPF lookup limit
3. Too many void lookups exceed the SPF lookup limit
4. SPF record is too long
5. More than one SPF record published for a single domain

To fix SPF Permerror domain owners need to ensure they are limiting SPF too many DNS lookups to 10. They should also maintain the optimal SPF character length. Checking their SPF record for syntax and configuration errors is a great starting point for detecting SPF errors. Once the Permerror issue is resolved, you can bypass false negatives and prevent SPF from breaking.

What is SPF Permerror?

SPF=Permerror indicates that there is a fundamental problem with the SPF record. This makes it impossible to determine if the sending server is authorized or not. SPF Permerror or SPF permanent error is encountered during the evaluation of Sender Policy Framework (SPF) records during email authentication. 

What is the difference between SPF fail and Permerror?

The difference between SPF fail and Permerror lies in the nature of the errors encountered during SPF authentication:

1. SPF Fail: When an email server checks the SPF record of a sender’s domain and determines that the sending server is not authorized to send emails on behalf of that domain, it results in an SPF fail. 
2. SPF Permerror: SPF Permerror, short for SPF permanent error, occurs when there is a fundamental problem with the SPF record that prevents it from being properly evaluated. A Permerror indicates that the SPF record cannot be processed accurately, making it impossible to determine if the sending server is authorized or not. 

What is the 10 DNS lookup limit?

The 10 DNS lookup limit is a restriction imposed on Sender Policy Framework (SPF) records which means that when an email server receives an incoming email, it can only perform up to 10 DNS lookups to retrieve SPF records associated with the sending domain.

This limitation helps prevent excessive DNS queries and potential performance issues during email delivery. If a domain’s SPF record exceeds the 10 DNS lookup limit, some email servers may treat the SPF as invalid or reject the email altogether. Therefore, it is crucial to carefully manage and optimize the number of DNS lookups within an SPF record to ensure proper email delivery and SPF validation.

Why does RFC specify this stringent SPF DNS lookup limit for domains?

While the SPF record limit can appear to be quite an unwanted SPF limitation, it isn’t necessarily so. The SPF DNS lookup limit has been put in place to block Denial-of-Service attacks (as mentioned under RFC 7208).

For example, a threat actor creates an SPF record on a fake domain with reference to a legitimate corporate domain to send emails in bulk to various receiving servers. Owing to the SPF record limit of 10 DNS lookups allowed (i.e. an ESP can query the sender’s DNS a total of 10 times per SPF check), can help mitigate Denial-of-Service attacks on the receiver’s side in these situations.

When is SPF Permerror Result Returned by ESPs?

When an email server receives a message, it checks the SPF record of the sender’s domain to verify if the server sending the email is authorized. If there is an issue with the SPF record that prevents it from being properly evaluated, a Permerror (permanent error) occurs.

Receiving servers may treat SPF Permerror differently. Some servers may consider it a soft fail, treating the email as potentially suspicious but not outright rejecting it. Other servers may treat it as a hard fail, causing the email to be rejected or flagged as spam.

It is important to fix SPF Permerrors to ensure proper email delivery and maintain email security.

What can cause SPF Permerror?

SPF Permerror can be caused by a variety of factors like SPF too many DNS lookup that exceeds the SPF limit, syntax errors, and configuration issues. Let’s explore what they are: 

Syntax Errors

Incorrect formatting or syntax within the SPF record can trigger a Permerror. Missing or misplaced characters, such as quotes or colons, can lead to parsing issues. These errors can occur due to:

1. Missing or misplaced characters, such as quotes (“), and colons (:)
2. Incorrectly formatted mechanisms or qualifiers
3. Invalid macro definitions

Examples:

Missing colons: v=spf1 include_spf.example.com -all

Misplaced qualifiers: v=spf1 +mx a:mail.example.com -all

DNS Configuration Issues

DNS configuration issues involve problems related to the Domain Name System (DNS) setup for SPF records. These issues can include:

• Incorrect or incomplete DNS configuration for the domain or its associated SPF records.
• Invalid SPF record locations, such as pointing to non-existent or incorrect DNS entries.

Incorrect or incomplete DNS configuration, invalid SPF record location, or incorrect association with the corresponding domain can lead to evaluation failures.

DNS Lookup Limits

DNS lookup limits are constraints imposed by SPF specifications to prevent excessive DNS queries during SPF evaluation. These limits include:

• A maximum of 10 DNS lookups are allowed during SPF evaluation.
• A maximum of 2 “void” lookups are allowed during SPF evaluation.

Exceeding these limits results in a Permerror.

Examples:

1. An SPF record that includes multiple include mechanisms leading to more than 10 DNS lookups.
2. Chaining too many mechanisms or modifiers that require DNS lookups.

Oversized SPF Records

Oversized SPF records occur when the size of the SPF record exceeds the limitations set by RFC. The RFC mentions a 255-character limit for SPF records. Causes of oversized SPF records include:

• Including numerous mechanisms, qualifiers, or modifiers, leading to excessive character count.
• Redundant or unnecessary entries in the SPF record, bloating its size.

Examples:

1. A single SPF record with extensive inclusion of IP addresses, networks, or third-party services.
2. Multiple redundant mechanisms or qualifiers within the SPF record can unnecessarily increase its size.

How do too many DNS lookups impact your emails?

If there are too many DNS lookups involved in the SPF record, it can have unprecedented impacts on your emails. Too many DNS lookups can cause inconsistencies in deliverability, and trigger SPF Permerror. 

1. May Cause Delivery Delays

Excessive DNS lookups can increase the time it takes to process SPF records. This can cause delays in email delivery, as the receiving server needs to wait for responses from multiple DNS servers.

2. May Lead to Timeout Errors 

DNS lookups involve communication between the receiving server and DNS servers. Too many DNS lookups increase the likelihood of timeout errors, resulting in SPF evaluation failures or prolonged delivery times.

3. May Increase Risk of SPF Permerror

If the SPF record exceeds these lookup limits, it can trigger a Permerror, indicating that the SPF record cannot be processed accurately. The email can be flagged as suspicious or potentially rejected.

4. May Result in Incomplete SPF Evaluation

If the receiving server encounters a DNS lookup limit or timeout error due to SPF too many DNS lookups, it may prematurely terminate SPF evaluation. 

Am I Exceeding SPF Too Many DNS Lookups Limit? 

If you are worried about exceeding the lookup limit for SPF, you can check your record instantly using our SPF record checker tool. The best part – it’s free! Our tool effectively summarizes everything that is wrong with your SPF record so you can troubleshoot issues faster. If you are exceeding the DNS lookup limit – it will let you know! 

How to fix SPF Permerror?

To resolve SPF Permerror ensure efficient lookup utilization through SPF flattening so that you can optimize your SPF record to stay under the 10 DNS lookup limit during checks. 

1. Fix Permerror by Manually Reducing Lookups

You can replace your SPF “include” and/or “redirect” mechanisms with IP addresses. While this will fix SPF Permerror, it’s not an ideal solution. This is because the length of your record after the long list of IPs are added, may exceed the character limit and trigger more errors. 

For instance, consider the following SPF record with multiple “include” mechanisms:

v=spf1 include:_spf.example.com include:_spf.anotherexample.com -all

To reduce DNS lookups, you can replace the “include” mechanisms with IP addresses:

v=spf1 ip4:192.0.2.1 ip4:203.0.113.5 -all

In this example, the domains _spf.example.com and _spf.anotherexample.com have been replaced with their corresponding IP addresses (192.0.2.1 and 203.0.113.5, respectively).

While this manual reduction of DNS lookups can mitigate SPF Permerror, it’s essential to consider potential limitations. One significant concern is the character limit of SPF records. Adding a long list of IP addresses may exceed this limit, leading to additional errors. Therefore, careful planning and optimization are necessary to ensure that the SPF record remains within the allowed character count.

2. Fix Permerror Using an Automatic SPF Optimization Tool

A more effective way to avoid SPF errors is to deploy an SPF flattening tool or better still – SPF Macros. A solution that encapsulates both within an automatic, hassle-free, hosted service is PowerSPF. This not only ensures that you stay within the 10 DNS lookup limit, but it also keeps you updated on any changes made by your email service providers and vendors who often add or change their IP addresses. 

What’s even better, it takes no more than a few clicks! The steps to use the tool are shown below: 

1. Sign up on PowerDMARC for free

2. Go to PowerSPF

3. Create your SPF record following the instructions provided by the tool

4. Click to enable the PowerSPF button

5. Publish the PowerSPF custom SPF record on your DNS, following which the “pending” status will convert to an “enabled” status

And you’re done! This is the quickest, easiest, and most effective way to prevent SPF permerror. 

Fix SPF Errors to Improve Your Email Deliverability

Fixing SPF errors is of utmost importance due to several reasons. It significantly impacts email deliverability as SPF errors can lead to legitimate emails being marked as spam or rejected by receiving mail servers, resulting in a decreased chance of reaching recipients’ inboxes. Moreover, SPF serves as a vital sender authentication mechanism, enabling email recipients to verify the legitimacy of the sender’s domain. 

By resolving SPF errors, you ensure that your legitimate emails are properly authenticated, reducing the risk of your domain being exploited for email spoofing or phishing attacks. Addressing SPF errors helps safeguard your brand reputation, as consistent delivery failures and spam markings can harm the perception of your brand’s trustworthiness and credibility.

*** This is a Security Bloggers Network syndicated blog from PowerDMARC authored by Maitham Al Lawati. Read the original post at: https://powerdmarc.com/spf-permerror-too-many-dns-lookups/