The error message "PermError SPF Permanent Error: Void lookup limit of 2 exceeded" occurs when your SPF record triggers excessive DNS lookups that return NXDOMAIN (non-existent domain) responses. While the SPF specification allows up to 10 total DNS lookups, there's a stricter sub-limit of just 2 for void/empty lookups.
# Example problematic SPF record structure
v=spf1 include:non-existent-domain.com include:another-fake-domain.com -all
In your provided SPF record, the likely culprits are:
- include:_spf.zdsys.com - This subdomain appears non-standard
- include:spf.mail.intercom.io - Verify this endpoint exists
For organizations using multiple email services, consider these approaches:
# Recommended structure for multi-vendor email systems
v=spf1 ip4:192.0.2.1 ip4:198.51.100.1
include:spf.protection.outlook.com
include:_spf.google.com
-all
Use these commands to test your SPF configuration:
# Dig command to check DNS records
dig TXT example.com +short
# Fetch the same TXT (SPF) record with nslookup
nslookup -q=TXT example.com
For enterprise environments with numerous IPs:
# Before flattening
v=spf1 include:service1.com include:service2.com include:service3.com -all
# After flattening
v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 ip4:198.51.100.1 ip4:198.51.100.2 -all
Implement automated SPF flattening tools if you frequently modify your email infrastructure.
- Never chain more than 10 includes total
- Regularly audit third-party services in your SPF record
- Remember that SPF macros still count toward lookup limits
When configuring SPF records for email authentication, you might encounter this specific error indicating excessive DNS lookups during SPF validation. The void lookup limit refers to the maximum number of DNS queries that return NXDOMAIN (non-existent domain) responses during SPF evaluation.
The error occurs when your SPF record contains multiple include mechanisms that trigger DNS lookups for non-existent domains. The SPF specification (RFC 7208) states:
SPF implementations MUST limit the total number of those terms
to 10 per SPF check, regardless of nesting.
Additionally, implementations MAY limit the number of "void lookups" (NXDOMAIN).
The current record:
v=spf1 a mx ip4:IP1 ip4:IP2 ip6:IP3
include:spf-a.outlook.com
include:spf-b.outlook.com
include:spf-c.outlook.com
include:spf.messaging.microsoft.com
include:_spf.zdsys.com
include:spf.mail.intercom.io -all
To identify which includes are causing void lookups, use dig commands:
dig TXT spf-a.outlook.com
dig TXT spf-b.outlook.com
dig TXT non.existent.example.com # Example of void lookup
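To check a whole record in one pass instead of running dig per include, the following sketch (an added example, not part of the original article) walks every term of an SPF record and counts DNS-querying terms and void lookups against the limits of 10 and 2. It goes slightly beyond includes by also checking a, mx, exists and redirect targets. The `ZONE` table, the `.test` names and all function names are constructed for illustration, and `zone_lookup` is a stand-in for a real resolver.

```python
# Static SPF audit against the RFC 7208 limits: 10 DNS-querying terms, 2 void lookups.
MAX_TERMS, MAX_VOID = 10, 2
# Record type each querying term asks for; ptr depends on the sender IP, so count only.
QUERY_TYPE = {"include": "TXT", "redirect": "TXT", "a": "A", "mx": "MX", "exists": "A", "ptr": None}
# Constructed sample zone standing in for DNS: (name, type) -> answers.
# A missing key models NXDOMAIN; an empty list models an empty NOERROR answer.
ZONE = {
    ("example.test", "TXT"): ["v=spf1 mx include:_spf.vendor-a.test include:gone.vendor-b.test "
                              "a:old.example.test include:dead.vendor-c.test -all"],
    ("example.test", "MX"): ["mail.example.test"],
    ("_spf.vendor-a.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("old.example.test", "A"): [],
}

def zone_lookup(name, rtype):  # hypothetical resolver; swap in real DNS for live use
    return ZONE.get((name, rtype), [])

def audit(domain, lookup=zone_lookup):
    """Walk every term (no early exit on a match); return (term_count, void_terms)."""
    terms, void, seen, pending = 0, [], set(), [domain]
    while pending:
        name = pending.pop(0)
        if name in seen:                      # guard against include loops
            continue
        seen.add(name)
        record = next((t for t in lookup(name, "TXT")
                       if t.lower().startswith("v=spf1")), "")
        for term in record.split()[1:]:
            body = term.lstrip("+-~?").lower().replace("=", ":", 1)
            kind, _, target = body.partition(":")
            # Drop CIDR suffixes (mx/24, a:host/24); a bare a/mx targets the current domain.
            kind, target = kind.split("/")[0], target.split("/")[0] or name
            if kind not in QUERY_TYPE:        # ip4, ip6, all, exp: no counted lookup
                continue
            terms += 1
            rtype = QUERY_TYPE[kind]
            if rtype is None or "%" in target:  # not resolvable without a message
                continue
            if not lookup(target, rtype):
                void.append(f"{kind}:{target}")
            elif rtype == "TXT":
                pending.append(target)        # nested record: its terms count too
    return terms, void

def verdict(terms, void):
    if terms > MAX_TERMS:
        return "permerror: too many DNS lookups"
    if len(void) > MAX_VOID:
        return "permerror: void lookup limit of 2 exceeded"
    return "ok"
```

A live evaluation stops at the first matching mechanism, so it can hit fewer void lookups than this full walk reports; the walk shows the worst case a validator may see.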
1. Consolidate Microsoft includes: Microsoft provides a single include that covers all their services:
include:spf.protection.outlook.com
2. Replace IP-based mechanisms with explicit CIDR ranges when possible
3. Verify third-party services:
nslookup -type=TXT _spf.zdsys.com
nslookup -type=TXT spf.mail.intercom.io
After optimizations, your record should resemble:
v=spf1 ip4:IP1 ip4:IP2 ip6:IP3
include:spf.protection.outlook.com
include:_spf.validated.zdsys.com
include:valid.intercom.io -all
Different SPF validators may report varying results due to:
- Different DNS resolver configurations
- Varying interpretations of the RFC
- Testing methodology differences
Recommended validation sequence:
1. dig TXT yourdomain.com
2. nslookup -type=TXT yourdomain.com
3. Use multiple online validators
To prevent similar issues:
- Maintain <10 DNS lookups total
- Keep void lookups <2
- Use ip4/ip6 instead of a/mx when possible
- Regularly audit third-party includes