How to Fix SPF Records (Step-by-Step Guide)

Complete walkthrough for creating and fixing SPF records to improve email deliverability.

Published: 2026-01-21 | Updated: 2026-01-21 | Read time: 6 min

Key Takeaways

Understanding SPF

SPF (Sender Policy Framework) tells email receivers which servers are allowed to send email for your domain. A missing or broken SPF record is one of the most common reasons emails land in spam.

What You'll Learn

1. How to check your current SPF record
2. How to create an SPF record from scratch
3. How to add multiple email services
4. Common mistakes to avoid
5. How to verify your changes

Step 1: Check Your Current SPF Record

Before making changes, see what you're working with.

Quick Check with MailRisk

The fastest way is to scan your domain with MailRisk. We'll show you:

Manual Check via Terminal

```bash
# macOS/Linux
dig TXT yourdomain.com | grep spf

# Windows PowerShell (expand the TXT strings so Select-String has text to match)
(Resolve-DnsName -Name yourdomain.com -Type TXT).Strings | Select-String spf
```

What You Might See

| Status | Example | Meaning |
|--------|---------|---------|
| No record | (empty) | You need to create one |
| Valid | `v=spf1 include:_spf.google.com -all` | Good—check if complete |
| Broken | `v=spf1 +all` | Dangerous—anyone can send as you |

Step 2: Understand SPF Syntax

SPF records use specific syntax. Here's what each part means:

Record Structure

```dns
v=spf1 [mechanisms] [all]
```

Common Mechanisms

| Mechanism | Example | What It Does |
|-----------|---------|--------------|
| `include:` | `include:_spf.google.com` | Authorize another domain's SPF |
| `ip4:` | `ip4:192.168.1.1` | Authorize a specific IPv4 address |
| `ip6:` | `ip6:2001:db8::1` | Authorize a specific IPv6 address |
| `a` | `a` | Authorize your domain's A record IP |
| `mx` | `mx` | Authorize your MX servers |

The "all" Qualifier

This is the most important part—it defines what happens to unauthorized senders:

| Qualifier | Meaning | Recommendation |
|-----------|---------|----------------|
| `-all` | Hard fail—reject unauthorized | Best for security |
| `~all` | Soft fail—mark as suspicious | Good for testing |
| `?all` | Neutral—no opinion | Not recommended |
| `+all` | Pass all—anyone can send | NEVER use this |

Step 3: Create Your SPF Record

Google Workspace Only

```dns
v=spf1 include:_spf.google.com -all
```

Microsoft 365 Only

```dns
v=spf1 include:spf.protection.outlook.com -all
```

Multiple Services (Common Setup)

If you use Google Workspace + a marketing tool like SendGrid:
```dns
v=spf1 include:_spf.google.com include:sendgrid.net -all
```

Building Your Record

1. Start with `v=spf1`
2. Add `include:` for each email service you use
3. End with `-all` (or `~all` while testing)

Common Include Values

| Service | Include Value |
|---------|---------------|
| Google Workspace | `include:_spf.google.com` |
| Microsoft 365 | `include:spf.protection.outlook.com` |
| SendGrid | `include:sendgrid.net` |
| Mailgun | `include:mailgun.org` |
| Amazon SES | `include:amazonses.com` |
| Mailchimp | `include:servers.mcsv.net` |
| HubSpot | `include:spf.hubspot.com` |

Step 4: Add SPF to Your DNS

General Steps (All DNS Providers)

1. Log into your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.)
2. Navigate to DNS settings for your domain
3. Add a new TXT record:
   - Name/Host: `@` (or leave blank for root domain)
   - Type: `TXT`
   - Value: Your SPF record
   - TTL: `3600` (1 hour) or default

Important Rules

⚠️ Only one SPF record per domain. If you have multiple, merge them.

❌ Wrong (two records):

```dns
v=spf1 include:_spf.google.com -all
v=spf1 include:sendgrid.net -all
```

✅ Correct (merged):

```dns
v=spf1 include:_spf.google.com include:sendgrid.net -all
```

DNS Lookup Limit

SPF has a limit of 10 DNS lookups. Each `include:` counts as 1+ lookups. If you exceed 10, SPF fails. Check your lookup count:

Step 5: Verify Your Changes

After adding your SPF record, verify it's working:

1. Wait for DNS Propagation

DNS changes typically take 15 minutes to 48 hours. Start checking after 30 minutes.

2. Scan with MailRisk

Run a fresh scan of your domain. You should see:

3. Send a Test Email

Send an email to a Gmail account and check the headers:

1. Open the email in Gmail
2. Click the three dots → "Show original"
3. Look for `spf=pass`

What "Pass" Looks Like

```
Authentication-Results: mx.google.com; spf=pass (google.com: domain of you@yourdomain.com designates [IP] as permitted sender)
```

Common SPF Mistakes

1. Multiple SPF Records

Problem: Having more than one SPF record causes both to fail.

✅ Fix: Merge all includes into a single record.

2. Using +all

Problem: `+all` means "anyone can send as my domain"—completely defeats the purpose.

✅ Fix: Always use `-all` (hard fail) or `~all` (soft fail).

3. Exceeding 10 Lookups

Problem: More than 10 DNS lookups = SPF fails.

✅ Fix: Remove unused includes. Use IP addresses for static servers. Consider SPF flattening services.

4. Forgetting a Service

Problem: You use SendGrid for marketing but forgot to add it.

✅ Fix: Audit all services that send email for you. Add each to your SPF.

5. Typos

Problem: `v=spf1 inclde:_spf.google.com -all` (typo in "include")

✅ Fix: Double-check syntax. Use MailRisk to validate.
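The DNS lookup limit and mistakes 1, 2, 3 and 5 above can all be checked mechanically. The linter below is an added example, not MailRisk's code or part of the original guide: the `.example` domains and the `ZONE` table are constructed sample data, and `lookup_txt` is a hypothetical stand-in for a live TXT query so the script runs offline.

```python
# Constructed sample TXT data standing in for live DNS answers (not real records).
ZONE = {
    "good.example": ["v=spf1 include:_spf.mail.example ip4:192.0.2.1 -all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 a mx ~all"],
    "two.example": ["v=spf1 include:_spf.mail.example -all", "v=spf1 ip4:192.0.2.9 -all"],
    "open.example": ["v=spf1 +all"],
    "typo.example": ["v=spf1 inclde:_spf.mail.example -all"],
    "deep.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
ZONE.update({f"s{i}.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)})

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}

def lookup_txt(domain):  # hypothetical resolver hook: swap in a real TXT query here
    return [t for t in ZONE.get(domain, []) if t.lower().startswith("v=spf1")]

def parse(record):
    """Yield (qualifier, name, value) for each term after v=spf1."""
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"  # no qualifier means "+"
        name, _, value = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        yield qual, name.split("/")[0].lower(), value

def count_lookups(domain, path=()):
    """Count lookup-triggering terms, following include/redirect recursively."""
    if domain in path:  # include loop: stop descending
        return 0
    total = 0
    for rec in lookup_txt(domain)[:1]:
        for _, name, value in parse(rec):
            total += name in LOOKUP_TERMS
            if name in ("include", "redirect"):
                total += count_lookups(value, path + (domain,))
    return total

def audit(domain):
    records = lookup_txt(domain)
    if not records:
        return ["no SPF record"]
    issues = ["multiple SPF records"] if len(records) > 1 else []
    for qual, name, _ in parse(records[0]):
        if name not in KNOWN_TERMS:
            issues.append(f"unknown term: {name}")
        elif name == "all" and qual == "+":
            issues.append("+all authorizes any sender")
    if count_lookups(domain) > 10:
        issues.append("more than 10 DNS lookups")
    return issues
```

Note that a bare `all` with no qualifier is treated as `+all`, and that `a`, `mx`, `ptr`, `exists` and `redirect` count toward the limit as well as `include`.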

SPF FAQ

How long until SPF changes take effect?

Usually 15 minutes to 48 hours depending on TTL settings and DNS propagation.

Can I use both ip4 and include?

Yes. Example: `v=spf1 ip4:192.0.2.1 include:_spf.google.com -all`

What if I don't know which services send email for me?

1. Set up DMARC with `p=none` and a reporting address
2. Wait 2-4 weeks to collect reports
3. Reports show all IPs sending as your domain
4. Add legitimate services to SPF

Should I use -all or ~all?