SPF PermError vs SPF TempError: What’s the Difference?
When your outgoing email does not return a normal pass or fail SPF, you might think that the message was simply not authenticated. But it can be a little
CTO
Adam Lundrigan is the Chief Technology Officer of DuoCircle, where he leads engineering and is responsible for the architecture of AutoSPF's SPF flattening engine and DNS monitoring infrastructure. His technical focus is the DNS-level behavior of SPF evaluation, the recursive include resolution logic that underpins flattening, and the monitoring systems that keep customer SPF records healthy as their upstream vendors change IP ranges.
You reduce DNS lookups in SPF by replacing lookup-heavy mechanisms (include, a, mx, ptr, exists) with explicit ip4/ip6 entries, consolidating or
If an SPF checker shows multiple include mechanisms, interpret each as a delegated check of another domain’s SPF that is evaluated left-to-right for the sa
An SPF validator reports lookup-limit or mechanism-count issues when evaluating a sender’s SPF policy would require more than 10 DNS-querying terms—specifi
To prevent SPF failures and DNS lookup errors as your domain grows, you should implement automated SPF flattening that replaces include/redirect mechanisms
The best practices to avoid SPF DNS lookup limits are to use only necessary lookup‑triggering mechanisms, prefer ip4/ip6 literals and CIDR ranges, apply TT
To protect your domain from SPF permerror issues, enforce strict syntax validation, cap DNS lookups to 10 with include minimization and judicious flattenin
SPF permerror disrupts delivery when your SPF record has syntax faults (missing v=spf1, invalid qualifiers, malformed ip4/ip6 or macros), exceeds the 10-DN
To implement advanced SPF flattening for reliable email authentication, you need a resolver that recursively expands and deduplicates mechanisms while enfo
SPF flattening tools improve DMARC SPF alignment reliability by reducing DNS lookup failures and timeouts but do not directly affect DKIM; when well-mainta
Incorrect SPF syntax causes legitimate emails to be marked as spam because receiving mail servers strictly parse SPF TXT records, and any syntax or lookup
Most SPF records do not fail because they are missing or incorrectly added. They fail because they become too complicated over time. A domain starts with o
SPF record checkers report “too many DNS lookups” because the SPF standard (RFC 7208) limits SPF evaluation to 10 DNS-querying mechanisms (include, a, mx,
SPF flattening becomes necessary when a domain exceeds the SPF specification’s 10-DNS-lookup limit because flattening converts lookup-driven mechanisms (in
As per the textbook definition of an SPF record, it is essentially a list of servers authorized to send emails on your behalf. This understanding of an SPF
Your SPF record “exceeds 255 characters” because DNS TXT records cap each quoted character-string at 255 bytes (per RFC 1035) and long SPF policies must be
If you only have a couple of email services, let’s say one or maybe two servers that send emails on your behalf, maintaining your SPF records is pretty str
You should avoid SPF flattening whenever your sending footprint is dynamic (CDNs, cloud ESPs with fast-changing IPs), when flattening would inflate DNS bey
To find which sending IP produced spf=permerror in message headers, locate the Authentication-Results line that reports spf=permerror, match its authserv-i
To avoid SPF permerror with receivers, publish exactly one TXT record beginning with v=spf1 that uses only valid mechanisms/modifiers, stays within the 10-
An SPF check result interprets as follows: an SPF “pass” means the sending host is authorized by the domain’s policy, a “fail” means it is explicitly unaut
Use an SPF lookup tool to recursively expand your SPF record, count every DNS‑querying mechanism and modifier—specifically include, a, mx, ptr, exists, and
Yes—“per-sender rate limiting” for SPF flattening is not a common, publicly advertised feature; a few platforms support scheduled publishing or change wind
To test an SPF flattener’s compatibility with DMARC and DKIM, first publish the flattened SPF in a non-authoritative “shadow” label, run DNS and lookup-bud
You can safely flatten SPF records while preserving SPF validation by recursively expanding includes/redirects into explicit ip4/ip6 mechanisms within the
Sender Policy Framework (SPF) is a cornerstone email authentication protocol designed to combat email spoofing and enhance email security. The SPF record i
Sender Policy Framework (SPF) is a critical email authentication protocol designed to prevent email spoofing by specifying which mail servers are authorize
A domain can only have one SPF TXT record. Multiple records cause a PermError and break authentication entirely. Learn how to correctly merge multiple SPF records into one and stay under RFC 7208's 10-DNS-lookup limit.
Understanding SPF Records: A Primer The Sender Policy Framework (SPF) is a foundational component of email authentication, designed to combat email spoofin
SPF has 8 mechanisms defined in RFC 7208: all, include, a, mx, ptr, ip4, ip6, and exists. The four most common are ip4 (authorize a specific IP), a (authorize the domain's A record), mx (authorize the domain's MX records), and include (delegate to another SPF record). Learn the exact semantics and lookup cost of each.
When you think about emailing, it’s easy to overlook the behind-the-scenes work that keeps those messages flowing smoothly. Yet, just like a well-tuned mac
Maintaining an SPF record is pretty easy, given that you use only one or two email services. But that’s not always the case. For most organizations, there
SPF (Sender Policy Framework), one of the three email authentication protocols, enables recipient email servers to verify whether or not the email received
There are several free tools available for SPF flattening, including cfspf, which is tailored for users of Cloudflare, and DMARCDuty, which provides automa
Each SPF record should not have more than 10 DNS lookups; otherwise, validation failures are triggered. SPF records of organizations with an intricate emai
In SPF, a DNS lookup is the process by which the receiving mail server fetches the SPF TXT record of the sender’s domain. This is done to verify if the
Having multiple SPF records for a domain results in the PermError, which indicates a fundamental problem with the configurations and violation of the SPF s
If you have just started with SPF implementation for your domain, your SPF record can run into multiple technical issues since there are many limitations a
In today’s email ecosystem, security and deliverability must go hand-in-hand. Sender Policy Framework is the email authentication protocol that acts as a c
SPF flattening prevents your SPF record from exceeding the maximum lookup limit and becoming invalid. The process works by simplifying the SPF record, elim
As per RFC 7208, all SPF records should not be more than 255 characters long. This includes the characters in the SPF record itself as well as any DNS name
If your domain is already protected with the Sender Policy Framework (SPF) and you regularly update and monitor your SPF records, then we are sure you must
SPF helps recipients’ mailboxes verify the authenticity of senders’ domains by referring to their predefined policies. To do this, the receiving server ret
Email authentication standards are maturing and now, the SPF protocol also has some new elements to add to its list; we are talking about the SPF flattenin
An SPF record can encounter different types of errors, causing it to become invalid and incapable of offering protection against phishing and spoofing emai
For organizations with complex email infrastructure, implementing SPF (Sender Policy Framework) is no easy feat! If you’ve ever encountered the “SPF PermE
Every time you query your DNS, it costs the validator (the recipient’s email system) resources like bandwidth and CPU memory. A maximum limit of 10 DNS loo