How To Fix SPF Record: The Basics

Learn the fundamental structure of an SPF record to understand why your emails are bouncing or landing in the spam folder.

1
What is an SPF Record?
An SPF record is simply a TXT record added to your domain's DNS. It starts with v=spf1 and contains a list of IP addresses or services (like Google Workspace or Sendgrid) that are legally allowed to send emails from your domain.
2
The "All" Mechanism (~all vs -all)
Every valid SPF record must end with an "all" mechanism. This tells the receiving server what to do with emails that come from unauthorized sources.
  • ~all (Soft Fail): The recommended setting for most domains. Unauthorized emails are accepted but marked as suspicious (usually sent to Spam).
  • -all (Hard Fail): The strictest setting. Unauthorized emails are completely dropped and rejected by the receiving server.
  • +all (Pass All): Extremely dangerous. This allows ANY server in the world to spoof your domain. Never use this.

Fixing Multiple SPF Records

The single most common cause of SPF failure (PermError) is having more than one SPF TXT record on your domain.

The RFC Rule: The official protocol (RFC 7208) strictly states that a domain must have no more than one TXT record starting with v=spf1. If you have two, receivers treat it as if you have zero.
1
The Problem (Multiple Records)
Often, users will add a new SPF record for a new marketing tool (like Mailchimp) without deleting or editing their original record (like Google Workspace).
BAD CONFIGURATION:
TXT @ v=spf1 include:_spf.google.com ~all
TXT @ v=spf1 include:servers.mcsv.net ~all
2
The Solution (Merging)
To fix this, you must merge all your authorized senders into a single line, and delete the duplicate records.
GOOD CONFIGURATION (Merged):
TXT @ v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

The 10-Lookup Limit (PermError)

Understanding DNS lookup limits and how to fix complex SPF configurations that exceed them.

1
What is the 10-Lookup Limit?
To prevent Denial of Service (DoS) attacks, email servers will only perform a maximum of 10 DNS lookups to evaluate your SPF record. Mechanisms that cause lookups include: include, a, mx, ptr, and exists.
2
Nested Includes (The Hidden Danger)
If you add include:_spf.google.com, that counts as 1 lookup. However, Google's record includes other records inside it, which might take up 3 or 4 lookups total. If you use many services, you will quickly hit the limit of 10.
3
How to Fix Lookup Limits
If our Live Analyzer tool shows you exceed 10 lookups, you have three options:
  • 1. Clean Up: Remove include: statements for services you no longer use.
  • 2. Remove 'mx' and 'a': Often, mx and a mechanisms are redundant if the IPs are already covered by an include. Deleting them saves lookups.
  • 3. Flattening: Use a premium SPF Flattening service that automatically resolves all nested includes into raw IP addresses (which do not count towards the DNS lookup limit).

Live SPF Analyzer

Enter your domain below to run a live, cache-bypassing DNS check to detect multiple records, syntax errors, and vulnerabilities instantly.

Raw TXT Record(s) Found:

Detected Issues:

    Recommended Fix

    Real-Time Diagnostics

    Find out exactly how to fix SPF record syntax errors instantly. Our live DNS engine bypasses cache to show you the current state of your domain.

    Merge Multiple Records

    Discover how to fix SPF record conflicts by identifying and merging multiple TXT entries into a single, RFC-compliant string.

    10-Lookup Limit Resolution

    Learn how to fix SPF record PermErrors caused by nested include: mechanisms. We help you identify redundant lookups to prevent failure.

    Stop Email Spoofing

    Master how to fix SPF record vulnerabilities by replacing dangerous, permissive tags like +all with secure ~all or -all directives.

    Deep DoH Inspection

    Our diagnostic tool performs raw DoH (DNS over HTTPS) lookups to show you exactly how to fix SPF record propagation issues accurately.

    Inbox Deliverability

    Resolve authentication failures by understanding how to fix SPF record formatting. Ensure your legitimate emails land in the inbox, not the spam folder.