SPF glossary

What does SPF permerror mean and how do you fix it?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

SPF permerror means the receiver hit a permanent error evaluating your record — it can't be interpreted, so SPF produces no verdict at all. Retrying won't help; the record itself is broken. Top causes: more than 10 DNS lookups, multiple v=spf1 records, syntax errors, or an include: pointing at a domain with no SPF record.

permerror at a glance
Tagpermerror (SPF evaluation result)
Valid valuesOne of SPF's seven results: none · neutral · pass · fail · softfail · temperror · permerror
DefaultNot something you publish — receivers compute it when the record can't be evaluated.
Where it goesAppears in Authentication-Results headers (spf=permerror) and in DMARC aggregate reports.

How permerror works

permerror is the receiver giving up: your SPF record, as published, cannot be correctly interpreted. Unlike a fail — where evaluation worked and the sender simply wasn't authorized — a permerror means evaluation itself broke. And unlike a temperror, it's deterministic: every receiver, every retry, same result, until the record is fixed.

The usual suspects, roughly in order: the record needs more than 10 DNS lookups (the most common cause by far, and the easiest to hit without noticing); the domain has two or more records starting v=spf1; a syntax error — a stray character, a bad CIDR, an en dash pasted from a formatted document; or an include:/redirect= pointing at a domain that publishes no SPF record.

The DMARC consequence is what makes it urgent: a permerror means SPF contributes no aligned pass, so your DMARC verdict rests entirely on DKIM. If a source's DKIM alignment is also missing, that mail now fails DMARC — and at p=reject, a broken SPF record can quietly turn into your own legitimate mail being blocked.

Correct record vs common mistake

Correct

v=spf1 include:_spf.google.com ip4:192.0.2.0/24 -all

One record, valid syntax, well under 10 lookups — nothing here can permerror.

Common mistake

v=spf1 ip4:192.0.2.0/24 –all

The qualifier is an en dash, not a hyphen — a classic copy-paste-from-a-formatted-document error. One wrong character permerrors the entire record.

Troubleshooting permerror

IssueLikely causeFix
spf=permerror in headers or DMARC reportsUsually the 10-lookup limit — or two v=spf1 records on the domainCount lookups with an SPF checker and confirm exactly one TXT record starts v=spf1
permerror appeared without any record changeAn included domain changed underneath you — its record was removed, or its nested lookups grewAudit the full include tree; remove or replace the broken include
Record looks fine but still permerrorsInvisible characters from copy-paste — smart quotes, en dashes, non-breaking spacesRetype the record in a plain-text editor and republish; then re-check

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

A permerror tenant looks configured in DNS — the TXT record is right there — while contributing nothing to authentication. Across 50–200 client domains, these hide among healthy ones indefinitely, because nothing alerts on them: DNS resolves, mail mostly delivers on DKIM's back, and the audit checkbox stays green. Only reading the reports finds them.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

In the aggregate reports, a permerror shows up as the absence it is: no aligned SPF pass, DMARC leaning on DKIM alone. Palisade reads every client domain's reports, surfaces exactly that evidence, and advances each domain to `p=reject` only when the data says legitimate mail will survive.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

Find which of the four usual causes applies: count the record's DNS lookups (over 10 is the most common), confirm exactly one TXT record starts v=spf1, check the syntax character by character, and verify every include target actually publishes an SPF record.

No. Fail means the record evaluated correctly and the sender wasn't authorized. Permerror means the record couldn't be evaluated at all — the sender got no verdict, good or bad.

Yes, materially: SPF contributes no aligned pass, so DMARC rests entirely on DKIM. If DKIM isn't aligned for a source, that source now fails DMARC — dangerous at p=quarantine or p=reject.

Treatment varies by receiver — some penalize it, most just record it. What's certain is that SPF can't produce an aligned pass for DMARC, which is the part that matters once you enforce.

Related terms

What is SPF? Sender Policy Framework explained