How to Audit and Clean Up Your SPF Record
A systematic guide to auditing your SPF record. Find unused includes, reduce lookup count, remove dead services, and keep your record healthy.
Your SPF record was probably set up correctly when someone first created it. But that was months or years ago. Since then, you've switched marketing platforms, cancelled a helpdesk tool, tried a transactional email service and moved on, maybe even changed your primary email provider. The includes from all those old services? They're likely still sitting in your SPF record, consuming DNS lookups and adding complexity for no reason.
A bloated SPF record doesn't just waste lookups -- it makes troubleshooting harder, pushes you closer to the 10 DNS lookup limit imposed by RFC 7208, and can mask real problems. This guide gives you a systematic process for auditing your SPF record and cleaning it up.
Signs Your SPF Record Needs Attention
You don't need a formal audit schedule to know when your SPF record has problems. Here are the warning signs:
- You're at or near the 10-lookup limit. If you're using 9 or 10 lookups, any new service will push you over.
- You don't recognize some of the includes. If you can't explain why every include is in your record, some of them probably shouldn't be.
- You've changed email providers in the past year. If you switched from Mailchimp to Klaviyo but both includes are still there, you have dead weight.
- Multiple people have edited your DNS over time. Each person adds what they need but rarely removes what's no longer needed.
- Your SPF record has been copy-pasted from a guide or template without adapting it to your actual sending setup.
- You're getting SPF failures you can't explain. A messy record makes it hard to diagnose what's actually going wrong.
Even if none of these apply to you, a yearly SPF audit is good practice. Email infrastructure changes, providers update their SPF records, and what worked last year might not be optimal today.
The Audit Process
Follow these steps in order. Each step builds on the previous one, so don't skip ahead.
Pull your current SPF record
Use SPF Record Check to look up your domain's current SPF record. Note the full record, every mechanism it contains, and the total DNS lookup count. Copy this information somewhere -- you'll need it as a reference throughout the audit.
List every include and what it belongs to
Go through each include mechanism in your SPF record and identify the service it authorizes. For example, include:_spf.google.com is Google Workspace, include:sendgrid.net is SendGrid, include:spf.mandrillapp.com is Mailchimp. If you don't recognize an include, search for the domain -- it usually leads to the provider's documentation.
Inventory your actual sending services
Separately from your SPF record, make a list of every service that currently sends email from your domain. Check your email provider admin panels, marketing tools, CRM, helpdesk, invoicing software, and any SaaS apps that send notifications on your behalf. This is your "should have" list.
Compare the two lists
Hold your SPF includes and your active services side by side. Look for two types of mismatches: includes in your SPF record that don't match any active service (dead includes), and active services that aren't in your SPF record (missing includes).
Remove dead includes
For each include that belongs to a service you no longer use, remove it from your SPF record. Use the free SPF record generator to rebuild your record with only the active services. This is where most of your lookup savings will come from.
Add missing includes
If you found active services that aren't in your SPF record, add their includes. These services have been sending email without SPF authorization, which means their messages may have been failing authentication.
Check IP mechanisms
Look for any ip4 or ip6 mechanisms in your record. Do you know what servers those IPs belong to? If they're from an old hosting provider or a server you've decommissioned, remove them. If they're for a current server, verify the IPs are still correct.
Review your all mechanism
Check what's at the end of your record. Best practice is -all (hard fail), which tells receivers to reject unauthorized email. If you're using ~all (soft fail) or ?all (neutral), consider upgrading to -all for better protection. The only reason to keep ~all is if you're still identifying all your sending sources and aren't ready to enforce strictly.
Publish and verify
Update your DNS TXT record with the cleaned-up SPF record. After propagation, verify with SPF Record Check that the record is valid and the lookup count is healthy.
Example: Before and After an Audit
Here's what a real audit cleanup might look like:
Before audit (9 lookups):
v=spf1 include:_spf.google.com include:spf.mandrillapp.com include:sendgrid.net include:mail.zendesk.com include:spf.freshdesk.com ~all
After investigation, you find that you switched from Zendesk to Freshdesk a year ago, and you moved from Mailchimp to an email tool that sends through SendGrid. So the Zendesk and Mailchimp includes are dead weight.
After audit (5 lookups):
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.freshdesk.com -all
You dropped from 9 lookups to 5, removed two dead includes, and upgraded from ~all to -all. The record is cleaner, more secure, and leaves room for future growth.
After removing includes, send test emails from every active service and check the email headers for spf=pass. This confirms you didn't accidentally remove something you still need.
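The compare-and-count steps of the audit, applied to the "before" record above. This is an added example, not code from the original article or from any tool it mentions. The function names are hypothetical, and the `ZONE` table is constructed stand-in DNS data (nested names under `zone.example` and documentation IP ranges), not the providers' published records.

```python
import re
# Constructed TXT data standing in for live DNS. Nested names and IP ranges are
# made up (not the providers' published records) so totals match the 9 -> 5 example.
ZONE = {
    "_spf.google.com": "v=spf1 include:nb1.zone.example include:nb2.zone.example ~all",
    "nb1.zone.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "nb2.zone.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "spf.mandrillapp.com": "v=spf1 a ip4:198.51.100.0/25 ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.128/25 ~all",
    "mail.zendesk.com": "v=spf1 mx ip4:203.0.113.0/25 ~all",
    "spf.freshdesk.com": "v=spf1 ip4:203.0.113.128/25 ~all",
}
BEFORE = ("v=spf1 include:_spf.google.com include:spf.mandrillapp.com include:sendgrid.net "
          "include:mail.zendesk.com include:spf.freshdesk.com ~all")
ACTIVE = {"_spf.google.com", "sendgrid.net", "spf.freshdesk.com"}  # the "should have" list

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

def parse(record):
    """Split a record into (qualifier, name, argument) terms, skipping v=spf1."""
    found = (TERM.match(tok) for tok in record.split()[1:])
    return [(m[1] or "+", m[2].lower(), (m[3] or "").lower()) for m in found if m]

def count_lookups(record, resolve, seen=frozenset()):
    """Count DNS-querying terms, following include/redirect into nested records."""
    total = 0
    for _, name, arg in parse(record):
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and arg not in seen:
            nested = resolve(arg)  # None if the target publishes no record
            if nested:
                total += count_lookups(nested, resolve, seen | {arg})
    return total

def audit(record, active, resolve):
    """Compare published includes with the inventory of active senders."""
    terms = parse(record)
    published = {arg for _, name, arg in terms if name == "include"}
    all_qual = next((q for q, name, _ in terms if name == "all"), None)
    return {
        "lookups": count_lookups(record, resolve),
        "dead": sorted(published - active),
        "missing": sorted(active - published),
        "hard_fail": all_qual == "-",
    }

if __name__ == "__main__":
    print(audit(BEFORE, ACTIVE, ZONE.get))
```

To run it against live DNS, replace `ZONE.get` with a function that returns the `v=spf1` TXT string for a name, or `None` when there is none.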
Quarterly Review Checklist
Don't wait until your SPF record breaks to audit it. Set a quarterly reminder and run through this quick checklist:
| Check | How to Verify |
|---|---|
| SPF record is valid | Run domain through spfrecordcheck.com |
| Lookup count is under 10 | Check the lookup count in the report |
| Every include matches an active service | Compare includes to your current tool stack |
| No missing services | Check recently added tools for SPF requirements |
| Using -all (hard fail) | Look at the end of your SPF record |
| DKIM is configured for each sender | Check headers from each sending service |
| DMARC policy is active | Look up _dmarc.yourdomain.com |
This quarterly check takes less than 15 minutes and prevents the slow accumulation of dead includes that leads to a bloated record.
Common Mistakes During Cleanup
Removing an include you still need. Always verify that a service is truly decommissioned before removing its include. Check with your team -- someone in marketing might still be using that "old" Mailchimp account.
Forgetting about subdomains. Your root domain isn't the only one with an SPF record. If you've set up SPF on subdomains, audit those too. Use SPF Record Check to check each one.
Not updating DKIM when removing providers. If you remove a provider from SPF, also clean up its DKIM records. Old DKIM TXT records don't cause harm, but they clutter your DNS and can cause confusion during future audits.
Skipping verification after changes. Every change to your SPF record should be followed by a verification step. DNS changes can propagate inconsistently, and typos in SPF records cause failures.
Automate Your Monitoring
Manual quarterly audits catch problems, but daily automated monitoring catches them faster. Set up Deliverability Checker to monitor your SPF, DKIM, and DMARC records every day. You'll get alerts when something changes or breaks, so you can fix issues before they affect your email deliverability.
A clean, well-maintained SPF record isn't hard to achieve. It just takes a systematic approach and the discipline to review it regularly. Start with the audit process above, clean up what you find, and set your quarterly reminder. Your future self will thank you the next time you need to add a new email provider and have plenty of lookup headroom.