This comprehensive FAQ covers everything you need to know about SPF records, SPF PermError, DNS lookup limits, and how SPF Guru helps you fix common issues to ensure reliable email authentication and DMARC compliance.
SPF (Sender Policy Framework) is an email authentication protocol that allows domain owners to specify which mail servers are authorised to send emails on their behalf. It helps prevent spoofing and phishing.
An SPF record is a type of DNS TXT record that defines authorised mail servers for a domain. Receiving mail servers use it to validate incoming messages and reduce spam.
SPF helps prevent domain spoofing, improves email deliverability, and is required for DMARC compliance. Without a proper SPF record, your messages are more likely to be rejected or marked as spam.
A typical SPF record might look like this:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all
The "-all" mechanism is a hard fail, meaning any server not explicitly listed in the SPF record is not authorised to send email for that domain.
The "~all" mechanism is a soft fail, which flags unauthorised messages but does not necessarily reject them outright.
You can check your SPF record using tools like SPF Guru Lookup Tool, MXToolbox, or command-line utilities like dig or nslookup.
No. A domain must only have one SPF record. Multiple SPF records will cause a PermError and invalidate SPF checks.
Common SPF mechanisms include include:, a, mx, ip4, ip6, exists, and redirect=.
You should review and update your SPF record whenever you add or remove email-sending services such as CRMs, marketing tools, or ticketing systems.
SPF PermError (Permanent Error) occurs when a domain's SPF record is invalid or exceeds the allowed DNS lookup limit, causing mail servers to fail authentication.
Common causes include multiple SPF records, exceeding the 10 DNS lookup limit, syntax errors, or referencing unavailable DNS records.
The SPF specification limits SPF processing to a maximum of 10 DNS lookups to prevent abuse and excessive resource use.
Every include:, a, mx, or exists mechanism counts as one lookup. Nested includes can quickly add up.
If your SPF record requires more than 10 lookups, mail servers will stop processing and return a PermError, causing email authentication failures.
Use an SPF checker tool like SPF Guru to expand your SPF record and count the number of DNS lookups.
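The count such a checker performs can be reproduced offline. The sketch below is an added example, not SPF Guru's code: it walks a constructed set of TXT records (the ZONE table and every .test name are made up), counts each lookup-costing term across the full include tree, and reports PermError for duplicate records or an eleventh lookup.

```python
import re

# Constructed TXT records standing in for live DNS; every name is made up.
ZONE = {
    "ok.test": ["v=spf1 include:_spf.mail.test mx -all"],
    "busy.test": ["v=spf1 include:_spf.mail.test include:_spf.crm.test "
                  "include:_spf.desk.test a mx -all"],
    "dup.test": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.10 -all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_spf.crm.test": ["v=spf1 include:_a.mail.test include:_b.mail.test a mx ~all"],
    "_spf.desk.test": ["v=spf1 include:_a.mail.test exists:%{i}.allow.desk.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
LIMIT = 10
# Terms that cost a DNS lookup: the page lists include, a, mx and exists;
# RFC 7208 also counts ptr and the redirect= modifier.
TERM = re.compile(r"^[+\-~?]?(?:(include|a|mx|ptr|exists)(?=[:/]|$)|(redirect)=)", re.I)

class PermError(Exception):
    pass

def spf_records(domain):
    return [t for t in ZONE.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def _walk(domain, state):
    records = spf_records(domain)
    if len(records) != 1:
        raise PermError(f"{domain}: {len(records)} SPF records, need exactly 1")
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # ip4, ip6, all and unknown terms cost nothing
        state["n"] += 1
        if state["n"] > LIMIT:
            raise PermError(f"{domain}: more than {LIMIT} DNS lookups")
        name = (m.group(1) or m.group(2)).lower()
        target = re.split(r"[:=]", term, maxsplit=1)[-1]
        # Follow nested records; macro targets cannot be expanded statically.
        if name in ("include", "redirect") and "%" not in target:
            _walk(target, state)

def check(domain):
    """Full-expansion count: returns (result, lookups, reason)."""
    if not spf_records(domain):
        return ("none", 0, "no SPF record")
    state = {"n": 0}
    try:
        _walk(domain, state)
    except PermError as exc:
        return ("permerror", state["n"], str(exc))
    return ("ok", state["n"], "")
```

A receiving server stops at the first mechanism that matches, so a given message may use fewer lookups than this full-tree count; the count is the worst case a record can reach.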
Many organisations use multiple third-party services, each adding their own SPF include, which can quickly push you past the 10 lookup limit.
SPF Fail occurs when an email is sent from an unauthorised server, while SPF PermError means the SPF record itself is invalid or unresolvable.
Yes. DMARC relies on SPF or DKIM passing. If SPF fails due to a PermError, DMARC may fail and impact deliverability.
Absolutely. Many providers reject or flag emails when SPF cannot be properly evaluated, resulting in spam folder placement or outright rejection.
SPF Guru is a free, community-supported service that helps domain owners bypass the SPF lookup limit and resolve PermError issues with a simple two-record solution.
SPF Guru uses macro-based DNS responses to dynamically flatten your SPF includes, allowing unlimited lookups without violating SPF specifications.
Simply add two includes to your SPF record directly after v=spf1:
include:i.%{ir}._d.%{d}.my.spf.guru
~include:z.%{ir}._d.%{d}.my.spf.guru
The first include is the main SPF mechanism, while the second soft-fail (~include) acts as a fallback for redundancy and stability by preventing the receiving e-mail server from cycling through all 10+ records.
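To see which DNS name a receiving server derives from these two includes, the added example below (not SPF Guru's code) expands SPF macros in the style of RFC 7208 for a constructed connecting IP and domain. It covers the i, d, s, l, o and v letters with the digit and r transformers; the function name and sample values are assumptions, and the service's answers are not modelled.

```python
import ipaddress
import re

MACRO = re.compile(r"%\{([a-zA-Z])(\d*)(r?)([.\-+,/_=]*)\}|%([%_\-])")

def expand(spec, ip, sender, domain):
    """Expand SPF macros in spec for one connection (simplified: no URL escaping)."""
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.rpartition("@")
    if addr.version == 4:
        i_value = str(addr)
    else:
        # IPv6 expands to 32 dot-separated hex nibbles.
        i_value = ".".join(addr.exploded.replace(":", ""))
    values = {
        "i": i_value, "d": domain, "s": sender,
        "l": local or "postmaster", "o": sender_domain,
        "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def sub(m):
        if m.group(5):  # %%, %_ and %- literals
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, digits, rev = m.group(1).lower(), m.group(2), m.group(3)
        delims = m.group(4) or "."
        if letter not in values:
            raise ValueError(f"unsupported macro letter {letter!r}")
        parts = re.split("[" + re.escape(delims) + "]", values[letter])
        if rev:
            parts.reverse()          # %{ir}: reversed address labels
        if digits:
            parts = parts[-int(digits):]  # keep the right-most N labels
        return ".".join(parts)

    return MACRO.sub(sub, spec)

# Constructed sample: a message from 192.0.2.10 for example.com.
SAMPLE = expand("i.%{ir}._d.%{d}.my.spf.guru", "192.0.2.10",
                "bounce@example.com", "example.com")
```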
Yes. SPF Guru is completely free and supported by the community to help mail admins solve SPF-related issues.
SPF Guru follows best practices and never stores or processes actual email traffic — it only responds to SPF DNS queries.
Yes, but always test your configuration first. SPF Guru is widely used by organisations to maintain DMARC compliance and avoid mail rejection.
No, SPF Guru replaces them by handling the resolution dynamically, so your SPF record remains clean and manageable.
SPF Guru is built for speed, with responses optimised for real-time email verification without noticeable delays.
Support is available via GitHub issues at github.com/smck83/spf.guru/issues or by emailing [email protected].
No. SPF should be combined with DKIM and DMARC for a robust email authentication strategy.
DMARC will pass if either SPF or DKIM passes and aligns with the domain policy. Some vendors, like Microsoft, are moving mail to Junk folders when either fails, meaning both must pass and at least one must align.
This comes down to personal preference; however, according to M3AAWG, use "~all" in case a receiving MTA bounces a message for SPF before checking DKIM, which could pass and align.
Regularly review DMARC reports to monitor SPF performance and ensure there are no misconfigurations.
SPF flattening is the process of replacing include mechanisms with direct IP addresses to reduce DNS lookups.
Unlike manual flattening, SPF Guru dynamically manages and updates IP ranges without requiring ongoing manual maintenance.
Yes. You can create specific SPF records for subdomains. You can hard code the %{d} part of the record with a domain or subdomain.
An SPF record should stay under 255 characters per DNS string and is best kept to no more than 500 characters so the response fits in a single UDP packet, though EDNS helps with this using TCP fallback.
No. SPF only verifies the envelope sender (the recipient will generally not see the envelope sender). DKIM and DMARC are needed to prevent header spoofing.
SPF validates the sending server IP, while DKIM verifies the integrity of the email content using cryptographic signatures.
Check for syntax errors, multiple records, or DNS propagation delays. A validator can help identify issues.
Use SPF Guru, MXToolbox, Google's toolbox, or command-line tools like dig and nslookup.
redirect= forwards SPF processing to another domain's SPF record.
Email forwarding often breaks SPF because the forwarding server is not authorised in the original domain's SPF record. DKIM helps mitigate this.
DMARC fails when SPF or DKIM fail or are misaligned. Check alignment and SPF syntax carefully.
SPF supports IPv6 through the ip6 mechanism, but proper configuration is critical.
Yes. Use a test subdomain or DNS sandbox environment to validate before production deployment.
Gradually update SPF records, monitor DMARC reports, and use soft-fail (~all) during transition phases.
Yes. SPF Guru is especially helpful for organisations with complex, legacy email systems that exceed lookup limits.
The quickest fix is to implement SPF Guru’s two-record solution. It takes minutes to deploy and permanently resolves lookup limit issues.
Tip: Start by running your SPF record through SPF Guru’s free tool to identify problems and get tailored setup instructions.