Common SPF Errors and How to Fix Them

Diagnose and fix SPF errors including permerror, softfail, temperror, too many lookups, multiple SPF records, and dangerous +all configurations.

SPF errors are frustrating because they're invisible until your email starts landing in spam or getting rejected. You don't get a dashboard alert. You don't get an error page. Your emails just quietly stop arriving.

This guide covers every common SPF error, what causes it, and exactly how to fix it.

SPF Error Types at a Glance

Error | Severity | Common cause | Impact
--- | --- | --- | ---
Permerror | Critical | Syntax error or too many lookups | SPF unusable: every evaluation returns permerror
Fail (-all) | Expected | Unauthorized IP hit -all | Message rejected or sent to spam
Softfail (~all) | Moderate | Unauthorized IP hit ~all | Message flagged but usually delivered
Temperror | Temporary | DNS timeout or server issue | Message deferred, retried later
None | Low | No SPF record published | No SPF evaluation possible

Permerror: Too Many DNS Lookups

This is the most common critical SPF error. RFC 7208 (section 4.6.4) allows at most 10 terms that trigger DNS queries per evaluation. Exceed that limit and the whole evaluation returns permerror, which means SPF is effectively broken for your domain.

What Counts as a Lookup

  • include: — 1 lookup for the included record, plus every lookup that record makes itself (nested includes add up)
  • a — 1 lookup (an A or AAAA query, depending on the client IP's version)
  • mx — 1 lookup for the MX query; the address lookups for the MX hosts it returns are limited separately, to at most 10 per mx mechanism
  • ptr — 1 lookup (deprecated by RFC 7208; don't use it)
  • exists: — 1 lookup
  • redirect= — 1 lookup, plus everything the target record makes

What Doesn't Count

  • ip4: — No lookup (direct IP comparison)
  • ip6: — No lookup (direct IP comparison)
  • all — No lookup (matches everything)

How to Fix It

1. Count your current lookups

Use an SPF lookup tool to check your total DNS lookup count. Remember that nested includes count: an include that itself contains includes costs one lookup for each of them, so a single provider include can use several of your ten (Google's _spf.google.com, for example, pulls in its own _netblocks includes). Count the worst case. A receiver tallies lookups as it evaluates and stops at the first match, so a message from a listed sender may pass cheaply while one from an unlisted IP walks the whole record; checking tools count the full walk, and so should you.

2. Replace mechanisms with ip4/ip6 where possible

If you know the exact IPs of a sending service, use ip4: or ip6: instead of include:. IP mechanisms don't count toward the 10-lookup limit. Do this only for addresses you control or that the provider documents as stable; otherwise you have hand-flattened the record and taken on the maintenance burden described in step 4.

3. Remove unused includes

Audit your sending sources. If you stopped using a service months ago but left its include in your SPF record, remove it. An include whose target stops publishing SPF altogether is a permerror in its own right, so stale includes get more dangerous with time.

4. Consider SPF flattening

Flattening resolves includes into their underlying IP addresses. This reduces lookups but requires ongoing maintenance, since provider IPs change without notice and a stale flattened record silently starts failing legitimate mail. If you flatten, automate the re-resolution and alert on changes.

5. Move services to subdomains

Instead of sending all email from example.com, use marketing.example.com for marketing email and support.example.com for helpdesk email. Each subdomain gets its own SPF record with its own 10-lookup budget. SPF is evaluated on the envelope sender (MAIL FROM, the Return-Path) domain, so the service must actually send with the subdomain as its bounce address, not just in the From: header; with DMARC's default relaxed alignment, mail from a subdomain still aligns with example.com.

A permerror doesn't just mean SPF fails for one message — it means SPF is broken for every single email sent from your domain. Fix this immediately if you see it.

Permerror: Syntax Errors

A malformed SPF record produces a permerror. Here are the most common syntax mistakes:

Missing v=spf1 Prefix

# WRONG
include:_spf.google.com -all

# CORRECT
v=spf1 include:_spf.google.com -all

Without the v=spf1 prefix the TXT record isn't recognized as SPF at all: receivers discard it and return none for the domain, exactly as if nothing were published, rather than permerror.

Typos in Mechanism Names

# WRONG
v=spf1 inclue:_spf.google.com -all

# CORRECT
v=spf1 include:_spf.google.com -all

SPF parsers are strict. A term with a colon that isn't a known mechanism name (inclue: here) is an unknown mechanism and produces permerror. Unknown modifiers of the form name=value, by contrast, are ignored rather than treated as errors, so a typo in redirect= silently disables the redirect instead of failing loudly.

Extra Spaces or Characters

# TOLERATED (two spaces after v=spf1; the grammar allows one or more)
v=spf1  include:_spf.google.com -all

# WRONG (semicolons instead of spaces)
v=spf1;include:_spf.google.com;-all

# CORRECT
v=spf1 include:_spf.google.com -all

Mechanisms are separated by spaces. The RFC 7208 grammar permits runs of more than one space, and receivers accept them (though many checking tools warn about them). Semicolons, commas and tabs are not separators: a record written that way is unparseable, and because the version section is no longer exactly v=spf1 followed by a space, receivers discard it.

Invalid IP Addresses

# WRONG (invalid CIDR)
v=spf1 ip4:203.0.113.0/33 -all

# WRONG (incomplete IP)
v=spf1 ip4:203.0.113 -all

# CORRECT
v=spf1 ip4:203.0.113.0/24 -all


Multiple SPF Records

A domain can only have one SPF record (one TXT record starting with v=spf1). If you have two, the SPF check returns permerror.

This usually happens when different team members or departments add their own SPF records without checking what already exists:

# WRONG: Two separate TXT records
v=spf1 include:_spf.google.com -all
v=spf1 include:sendgrid.net -all

How to Fix It

Combine them into a single record:

# CORRECT: One record with both includes
v=spf1 include:_spf.google.com include:sendgrid.net -all

Your domain can have multiple TXT records for different purposes (SPF, DMARC verification, domain ownership). The rule is that only one TXT record can start with v=spf1.
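The checks in the two sections above (prefix, separators, mechanism names, IP literals, the one-record rule) can be mechanised. The following is an added example, not code from this page or from any SPF library. It validates a record against the RFC 7208 grammar using only the Python standard library (the regex covers the common mechanism forms but leaves out the dual-CIDR suffix on a and mx), and the TXT set in main() is constructed. It only lints the record as text: it performs no DNS, so it cannot count lookups or spot an include that points at nothing.

```python
"""Static checks on SPF TXT records (added example, not the page's code): the v=spf1
prefix, term separators, mechanism names, ip4/ip6 literals, the terminating all,
and the one-record rule. The records in main() are constructed."""
from __future__ import annotations
import ipaddress
import re

# Mechanism grammar from RFC 7208 section 12: optional qualifier, name, optional
# ":argument", optional "/prefix-length" (the dual-CIDR suffix on a/mx is omitted).
MECHANISM_RE = re.compile(
    r"^(?P<qual>[+\-~?])?(?P<name>all|include|a|mx|ptr|ip4|ip6|exists)"
    r"(?::(?P<arg>[^/]+))?(?P<cidr>/\d{1,3})?$",
    re.IGNORECASE,
)
# Modifiers are name=value. The RFC defines redirect= and exp=; receivers ignore
# unknown modifiers, so a typo such as rediret= fails silently rather than loudly.
MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.\-]*=", re.IGNORECASE)


def is_spf(txt: str) -> bool:
    """RFC 7208 section 4.5: the version section is exactly 'v=spf1', terminated by a
    space or the end of the record. 'v=spf10' and 'v=spf1;...' are not SPF."""
    return txt == "v=spf1" or txt.startswith("v=spf1 ")


def check_ip_literal(term: str, name: str, arg: str | None, cidr: str | None) -> list[str]:
    """Validate ip4:/ip6: with the stdlib; /33 or a truncated address is a permerror."""
    if arg is None:
        return [f"{term!r}: {name} needs an address (permerror)"]
    try:
        net = ipaddress.ip_network(arg + (cidr or ""), strict=False)
    except ValueError:
        return [f"{term!r}: invalid address or prefix length (permerror)"]
    if net.version != int(name[2]):
        return [f"{term!r}: {name} given an IPv{net.version} address (permerror)"]
    return []


def lint_record(record: str) -> list[str]:
    """Problems a receiver would hit with one record; [] means it parses cleanly."""
    if not is_spf(record):  # discarded by receivers: the domain evaluates as 'none'
        return ["not recognised as SPF: must start with 'v=spf1 ' (result: none)"]
    problems: list[str] = []
    seen_all = redirected = False
    for term in record.split()[1:]:  # split() tolerates runs of spaces, as the grammar does
        if seen_all:
            problems.append(f"{term!r}: ignored, it comes after 'all'")
            continue
        if ";" in term or "," in term:
            problems.append(f"{term!r}: terms are separated by spaces, not ';' or ','")
            continue
        mech = MECHANISM_RE.match(term)
        if mech is None:
            if term.lower().startswith("redirect="):
                redirected = True  # the target record supplies the all mechanism
            elif not MODIFIER_RE.match(term):
                problems.append(f"{term!r}: unknown mechanism (permerror)")
            continue
        name, arg, cidr = mech["name"].lower(), mech["arg"], mech["cidr"]
        if name in ("ip4", "ip6"):
            problems.extend(check_ip_literal(term, name, arg, cidr))
        elif name in ("include", "exists") and arg is None:
            problems.append(f"{term!r}: {name} needs a domain (permerror)")
        elif name == "all":
            seen_all = True
            if (mech["qual"] or "+") == "+":
                problems.append(f"{term!r}: authorises every IP on the internet")
    if not seen_all and not redirected:
        problems.append("no 'all' mechanism: unlisted senders get neutral, not fail")
    return problems


def check_txt_records(txt_records: list[str]) -> list[str]:
    """Apply the one-record rule to a domain's whole TXT set, then lint the survivor."""
    spf = [r for r in txt_records if is_spf(r)]
    if not spf:
        return ["no TXT record starts with v=spf1 (result: none)"]
    if len(spf) > 1:
        return [f"{len(spf)} TXT records start with v=spf1 (result: permerror)"]
    return lint_record(spf[0])


if __name__ == "__main__":
    for rec in ("include:_spf.google.com -all", "v=spf1 inclue:_spf.google.com -all",
                "v=spf1;include:_spf.google.com;-all", "v=spf1 ip4:203.0.113.0/33 -all",
                "v=spf1 include:_spf.google.com all", "v=spf1  include:_spf.google.com -all"):
        print(f"{rec!r}: {lint_record(rec) or 'ok'}")
    # Constructed TXT set of a domain where two teams each published their own SPF record.
    print(check_txt_records(["google-site-verification=abc123",
                             "v=spf1 include:_spf.google.com -all",
                             "v=spf1 include:sendgrid.net -all"]))
```

Feed check_txt_records() the complete TXT answer for the domain, not just the record you think is SPF: the one-record rule is about what the receiver sees, and the second v=spf1 record that breaks you is usually the one nobody remembers adding.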

Softfail vs Fail

These aren't errors exactly — they're SPF results. But they cause confusion, so let's clarify.

Fail (-all)

When a message fails SPF with -all, the receiving server gets a hard fail result: the domain explicitly says this IP is not authorized. What happens next is up to the receiver. Some reject at SMTP time, most feed the result into spam scoring, and under DMARC a fail on an aligned domain counts as an SPF failure for the policy decision.

# Produces fail for unauthorized IPs
v=spf1 include:_spf.google.com -all

When you see unexpected fails: you have a legitimate sending source that isn't in your SPF record. Check the Authentication-Results header of a failed message: it shows the client IP that was checked and, in smtp.mailfrom=, the domain it was checked against, which is the envelope sender (Return-Path), not the From: header. Add the IP, or the service's include, to the record of that domain.

Softfail (~all)

When a message softfails with ~all, the domain says this IP is "probably not authorized." Receiving servers typically accept the message but may flag it or increase its spam score.

# Produces softfail for unauthorized IPs
v=spf1 include:_spf.google.com ~all

When softfail causes problems: DMARC only counts an SPF pass on an aligned domain; softfail, fail, neutral and none are all non-passes. So even with ~all, under p=quarantine or p=reject your email is quarantined or rejected if DKIM also fails to pass and align.

Which Should You Use?

Scenario | Recommended | Why
--- | --- | ---
Initial SPF setup | ~all (softfail) | Lets you identify missing sources without blocking email
Established domain, all sources known | -all (fail) | Maximum protection against spoofing
Domain doesn't send email | -all (fail), i.e. v=spf1 -all | Block all unauthorized sending
Testing phase | ~all (softfail) | Monitor results before enforcing

Temperror: DNS Failures

A temperror occurs when the receiving server can't complete the DNS lookups needed for SPF evaluation. This is usually caused by:

  • DNS server timeout — The authoritative DNS server for your domain (or an included domain) didn't respond in time
  • DNS server overload — Too many queries hitting the DNS server
  • Network issues — Connectivity problems between the receiving server and DNS

How Receiving Servers Handle Temperror

Most servers will defer the message and retry later. Some will accept the message provisionally. A few strict servers may reject it.

How to Fix It

  • Check your DNS provider's status page — Outages happen
  • Reduce nested includes — Fewer DNS queries means fewer chances for timeout
  • Use a reliable DNS provider — If temperrors are frequent, your DNS hosting may not be robust enough
  • Monitor your DNS response times — Slow DNS responses increase temperror rates

Temperrors are almost always transient. If you see occasional temperrors in DMARC reports, don't panic. If they're persistent, investigate your DNS infrastructure.

Void Lookups

RFC 7208 also limits "void lookups": DNS queries that come back with NXDOMAIN or with no records of the requested type. The RFC recommends a limit of two per SPF evaluation (implementations may make it configurable, with two as the default), and exceeding it produces permerror.

This happens when:

  • An a or mx mechanism references a hostname that doesn't exist or has no address records
  • An exists: mechanism or a redirect points to a non-existent domain
  • An include references a domain with no SPF record. Strictly, this is a permerror in its own right: RFC 7208 treats an included domain that evaluates to none as an error, so the record fails before any void counting

Each void lookup also counts toward the 10-lookup limit, so a record full of dead hostnames is doubly exposed.

How to Fix It

Remove any mechanisms that reference non-existent domains. If you have include:old-service.example.com and that domain no longer publishes an SPF record, delete the include.

Missing all Mechanism

If your SPF record doesn't end with an all mechanism, IPs that don't match any mechanism get a neutral result. This is essentially the same as not having SPF at all for those IPs.

# WRONG: No all mechanism
v=spf1 include:_spf.google.com

# CORRECT: Ends with -all
v=spf1 include:_spf.google.com -all

Always terminate your SPF record with -all or ~all.

The +all Danger

Using +all (or just all without a qualifier, since + is the default) tells every receiving server that every IP address in the world is authorized to send email as your domain.

# EXTREMELY DANGEROUS
v=spf1 +all

# ALSO DANGEROUS (+ is the implicit default)
v=spf1 include:_spf.google.com all

This is worse than having no SPF record. Without an SPF record, receivers know you haven't configured authentication. With +all, you're actively declaring that spoofed email is authorized.

If you discover +all in your SPF record, change it immediately to -all or ~all. There is no legitimate reason to use +all. Ever.
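To see how the pieces above actually combine (the qualifier on the matching mechanism, neutral for a record with no all, pass-for-everyone with +all, and the lookup and void-lookup limits), here is a miniature SPF evaluator. It is an added example, not code from this page or from any mail server. It follows the check_host() logic of RFC 7208 for the all, ip4, ip6, a, mx, exists, include and redirect terms (ptr and CIDR suffixes on a/mx are left out), runs against an offline DNS table whose domains and addresses are all constructed from reserved ranges, and counts lookups the way a receiver does: terms are evaluated left to right and evaluation stops at the first match, so the same over-long record passes in one lookup for a listed sender and hits permerror for an unlisted one.

```python
"""Miniature SPF check_host() (RFC 7208) against an offline, constructed DNS table."""
from __future__ import annotations
import ipaddress

MAX_LOOKUPS, MAX_VOID = 10, 2  # limits from RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS table {(name, rrtype): answers}; a missing key is a void (empty) answer.
DNS: dict[tuple[str, str], list[str]] = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.mailer.example a:app.example.com ~all"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:_netblocks.mailer.example -all"],
    ("_netblocks.mailer.example", "TXT"): ["v=spf1 ip6:2001:db8:1::/48 -all"],
    ("app.example.com", "A"): ["203.0.113.10"],
    ("strict.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("noall.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24"],  # no all mechanism
    ("open.example", "TXT"): ["v=spf1 +all"],                 # the +all danger
    ("stale.example", "TXT"): ["v=spf1 a:gone1.example a:gone2.example a:gone3.example -all"],
    ("bloated.example", "TXT"): ["v=spf1 " + " ".join(f"include:esp{i}.example" for i in range(11)) + " -all"],
}
# Eleven one-lookup ESP includes: one over the limit when the whole record is walked.
DNS.update({(f"esp{i}.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"] for i in range(11)})


class Permerror(Exception):
    """The record is unusable; surfaces to the caller as the permerror result."""


class Checker:
    def __init__(self, dns: dict[tuple[str, str], list[str]]):
        self.dns, self.lookups, self.void = dns, 0, 0

    def query(self, name: str, rrtype: str) -> list[str]:
        """A counted DNS query: enforces the 10-lookup and 2-void limits as a receiver would."""
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise Permerror(f"more than {MAX_LOOKUPS} DNS lookups")
        answer = self.dns.get((name, rrtype), [])
        if not answer:
            self.void += 1
            if self.void > MAX_VOID:
                raise Permerror(f"more than {MAX_VOID} void lookups")
        return answer

    def check_host(self, ip: str, domain: str) -> str:
        try:  # the domain's own TXT fetch is not counted against the limit
            return self.evaluate(ipaddress.ip_address(ip), domain, self.dns.get((domain, "TXT"), []))
        except (Permerror, ValueError) as err:  # ValueError: malformed ip4/ip6 literal
            return f"permerror ({err})"

    def evaluate(self, ip, domain: str, txt: list[str]) -> str:
        spf = [r for r in txt if r == "v=spf1" or r.startswith("v=spf1 ")]
        if not spf:
            return "none"
        if len(spf) > 1:
            raise Permerror("multiple SPF records")
        redirect = None
        for term in spf[0].split()[1:]:
            if "=" in term:  # modifier: remember redirect=, ignore exp= and unknown ones
                redirect = term[9:] if term.lower().startswith("redirect=") else redirect
                continue
            qual = term[0] if term[0] in QUALIFIERS else "+"
            name, _, arg = term.lstrip("+-~?").lower().partition(":")
            if name == "include":
                inner = self.evaluate(ip, arg, self.query(arg, "TXT"))
                if inner == "none":
                    raise Permerror(f"include:{arg} has no SPF record")
                matched = inner == "pass"  # fail/softfail/neutral inside: not a match
            else:
                matched = self.matches(ip, name, arg or domain)
            if matched:
                return QUALIFIERS[qual]  # the first matching term decides the result
        if redirect:  # consulted only when nothing, not even all, matched
            result = self.evaluate(ip, redirect, self.query(redirect, "TXT"))
            if result == "none":
                raise Permerror(f"redirect={redirect} has no SPF record")
            return result
        return "neutral"  # default result when the record has no all mechanism

    def matches(self, ip, name: str, target: str) -> bool:
        if name == "all":
            return True
        if name in ("ip4", "ip6"):  # an IPv4 address is never inside an IPv6 network
            return ip in ipaddress.ip_network(target, strict=False)
        if name == "exists":
            return bool(self.query(target, "A"))
        if name not in ("a", "mx"):  # ptr (deprecated) and CIDR suffixes are not modelled
            raise Permerror(f"unknown mechanism {name!r}")
        # The MX query is one counted lookup; the address lookups for the MX hosts fall
        # under a separate per-mechanism cap of 10 and are not counted here.
        hosts = self.query(target, "MX") if name == "mx" else [target]
        rrtype = "A" if ip.version == 4 else "AAAA"
        for host in hosts:
            addrs = self.query(host, rrtype) if name == "a" else self.dns.get((host, rrtype), [])
            if any(ipaddress.ip_address(a) == ip for a in addrs):
                return True
        return False


def spf_result(ip: str, domain: str) -> tuple[str, int]:
    """Evaluate one (client IP, MAIL FROM domain) pair: (result, lookups used)."""
    checker = Checker(DNS)
    return checker.check_host(ip, domain), checker.lookups


if __name__ == "__main__":  # e.g. 203.0.113.99 as example.com -> ('softfail', 3)
    for ip, dom in [("198.51.100.7", "example.com"), ("203.0.113.99", "example.com"),
                    ("198.51.100.7", "noall.example"), ("198.51.100.7", "open.example"),
                    ("203.0.113.99", "bloated.example"), ("203.0.113.99", "stale.example")]:
        print(f"{ip:>14} as {dom:<16} -> {spf_result(ip, dom)}")
```

The rows worth staring at are bloated.example, where 192.0.2.5 passes after one lookup while 203.0.113.99 walks all eleven includes and gets permerror (which is why a checker must count the full walk, not a lucky early match), and stale.example, where three a: mechanisms on vanished hosts exhaust the void budget before the record ever reaches its -all.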

SPF Record Too Long

DNS TXT records are made of strings of at most 255 bytes each. An SPF record longer than that has to be split into several strings within the single TXT record. Receivers concatenate the strings with no separator in between, so the split must fall exactly where a space ends one string, or two terms get fused together. Most DNS providers split and join correctly, but some don't, and some strip the trailing space that the split depends on.

# Single string (under 255 chars) - no issue
"v=spf1 include:_spf.google.com include:sendgrid.net -all"

# Multiple strings (auto-concatenated by DNS)
"v=spf1 include:_spf.google.com include:sendgrid.net " "include:spf.mandrillapp.com include:mail.zendesk.com -all"

RFC 7208 recommends keeping the whole TXT answer (name plus all strings) under about 450 characters so that it fits in a 512-byte UDP reply without truncation; larger answers depend on EDNS0 or TCP fallback and fail for some resolvers. If you're near that size, you have too many mechanisms and should use subdomains or SPF flattening.
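Splitting a long record by hand is where the fused-term mistake creeps in, so here is the split and the receiver-side reassembly as code. This is an added example, not code from this page; the long record and its provider names are constructed. The split keeps the space at the end of every string but the last, because the strings are joined with nothing in between, and the final print in main() shows what a provider that trims trailing whitespace does to the record.

```python
"""Split an over-long SPF record into TXT strings of at most 255 bytes and join them
the way a receiver does (added example, not the page's code; record is constructed)."""


def split_txt(record: str, limit: int = 255) -> list[str]:
    """Cut at term boundaries only. Every string except the last keeps its trailing
    space, because receivers concatenate the strings with no separator (RFC 7208
    section 3.3): dropping that space would fuse the last term of one string with
    the first term of the next."""
    strings: list[str] = []
    current = ""
    terms = record.split(" ")
    for i, term in enumerate(terms):
        piece = term + (" " if i < len(terms) - 1 else "")
        if len(piece.encode()) > limit:
            raise ValueError(f"single term longer than {limit} bytes: {term!r}")
        if current and len((current + piece).encode()) > limit:
            strings.append(current)
            current = ""
        current += piece
    strings.append(current)
    return strings


def join_txt(strings: list[str]) -> str:
    """Receiver-side reassembly: plain concatenation, no separator."""
    return "".join(strings)


# Constructed 300+ byte record: six provider includes, four IPv4 ranges and a few more.
LONG_RECORD = "v=spf1 " + " ".join(
    [f"include:spf.provider{i}.example" for i in range(1, 7)]
    + [f"ip4:203.0.113.{i * 16}/28" for i in range(4)]
    + ["ip6:2001:db8:1::/48", "a:app.example.com", "mx"]
) + " -all"

if __name__ == "__main__":
    parts = split_txt(LONG_RECORD)
    print(len(LONG_RECORD), "bytes ->", [len(p) for p in parts], "bytes per string")
    for part in parts:
        print(repr(part))
    print("round trip ok:", join_txt(parts) == LONG_RECORD)
    # What you get from a provider that trims trailing whitespace from each string:
    print(join_txt([p.rstrip() for p in parts]))
```

If your provider's zone editor only accepts one string, paste the strings in quotes on one line exactly as in the earlier example, and afterwards query the record back and compare the joined result byte for byte with what you intended.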

Troubleshooting Checklist

When SPF isn't working, run through this checklist:

Verify you have exactly one SPF record

Query your domain's TXT records and confirm there's only one starting with v=spf1.

Check your DNS lookup count

Use an SPF checker to count total lookups including nested includes. Must be 10 or fewer.

Confirm all sending sources are included

List every service and server that sends email as your domain. Check each one against your SPF record.

Check the Authentication-Results header

Look at the headers of a received email for spf=pass, spf=fail, etc. This tells you exactly what happened.

Verify DNS propagation

After making changes, wait for caches to expire. A resolver that cached the old record keeps serving it until its TTL runs out, so a change shows up within minutes for short TTLs but can take a day or more for long ones. Verify against the authoritative nameserver with a lookup tool rather than trusting your local cache.

Review DMARC reports

If you have DMARC set up, aggregate reports show SPF pass/fail rates and which IPs are failing.

Monitor Your SPF Record

Once your SPF record is fixed, make sure it keeps working: provider includes change, colleagues add records, and the lookup count creeps back up. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
