How to Fix a Failing SPF Record
SPF is a small piece of text in your domain's DNS that lists every service allowed to send email as you. When it is missing or broken, Gmail, Yahoo and Microsoft treat your mail as suspicious, and a lot of it never reaches the inbox. The good news: SPF failures almost always come down to one of a handful of causes, and fixing them takes minutes once you know where to look. This guide walks you through finding your current record, spotting what is wrong, and publishing a clean one.
Step 1: Look at the record you have now
Your SPF record lives in your domain's DNS as a TXT record that starts with v=spf1. To see it, use any free SPF lookup tool, or open a terminal and run: dig TXT yourdomain.com. Look through the results for the line beginning with v=spf1.
If nothing comes back, that is your answer: you have no SPF record at all, and you can skip straight to step 3. If you see two or more lines that each start with v=spf1, that is also your answer. The SPF standard says a domain may have exactly one SPF record. Two records means receivers treat the whole thing as a permanent error, which fails every message. This happens a lot when different tools each added their own record over the years.
Step 2: Identify the common failure causes
Beyond duplicates, the usual suspects are these. First, a missing include. Every service that sends mail as your domain, your mailbox provider, your newsletter tool, your CRM, your billing system, needs to appear in the record, usually as include:servicename.com. If you added a new tool and forgot to add its include, that tool's mail fails SPF.
Second, too many DNS lookups. SPF allows at most 10 lookups per check, and every include, a, mx and redirect counts, including the ones nested inside each include. Go past 10 and receivers return a permanent error. If you are near the limit, remove includes for services you no longer use.
Third, a wrong or missing ending. Your record should end with ~all (softfail) or -all (fail). A record that ends with +all tells the world anyone may send as you, which defeats the whole point, and some graders flag a record with no all rule at all.
Step 3: Publish the corrected record at your DNS host
Write out one single record that covers every real sender. A typical example for a business on Google Workspace that also uses a newsletter tool looks like: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all. Your own list of includes will differ, so check each tool's setup docs for its exact include value.
Then publish it wherever your DNS is managed, which is usually your registrar. On Porkbun: log in, open Domain Management, click DNS next to your domain, delete any existing SPF TXT records, then add one TXT record with the host left blank (or @) and your new v=spf1 line as the answer. On Cloudflare: open your site, go to the DNS tab, edit or delete the old SPF TXT records, and add one TXT record with the name @ and your record as the content. Save, and remember: one record only.
Step 4: Wait, then verify it actually passes
DNS changes usually show up within minutes but can take a few hours to spread everywhere, so do not panic if a checker still shows the old record right away.
Once it has propagated, verify two things: that exactly one v=spf1 record exists, and that a real message passes. Send an email from each sending service to a mailbox you control, open the message headers, and look for spf=pass. If you want a quick outside opinion, Sieve's free grade tool at sievemails.com/grade checks your SPF record alongside DKIM, DMARC, MX and blacklists and tells you exactly what to fix, no signup needed.
Where does your domain stand?
Grade your MX, SPF, DKIM, DMARC and blacklist status A to F in seconds. No signup needed.
Frequently asked questions
Why does having two SPF records break email?
The SPF standard allows exactly one SPF record per domain. When a receiving server finds two or more TXT records starting with v=spf1, it returns a permanent error instead of picking one, so every message fails SPF. The fix is to merge all your includes into one single record and delete the extras.
What is the SPF 10 lookup limit?
During an SPF check, receivers will perform at most 10 DNS lookups. Every include, a, mx and redirect mechanism counts toward the limit, including mechanisms nested inside your includes. If your record needs more than 10, the check returns a permanent error. Remove includes for services you no longer use to get back under the limit.
Should my SPF record end with ~all or -all?
Both are valid. ~all (softfail) asks receivers to treat non-listed senders with suspicion, while -all (fail) asks them to reject outright. ~all is the safer starting point while you confirm every legitimate sender is listed. Never use +all, which allows anyone on the internet to send as your domain.