SPF Record Troubleshooting Guide
Diagnose and fix SPF record problems. Solutions for SPF not found, too many lookups, permerror, softfail, and other common SPF failures.
Something is wrong with your SPF record. Maybe your emails are landing in spam. Maybe a monitoring tool flagged an error. Maybe you're staring at a bounce message that says "SPF check failed" and you have no idea why.
This guide is structured as a problem-solution reference. Find your specific issue below, understand what's causing it, and follow the steps to fix it.
Start Here: Diagnose the Problem
Before diving into specific fixes, run a quick diagnostic:
Check your SPF record with a lookup tool
Go to SPF Record Check and enter your domain. This will show you your current SPF record, validate the syntax, count DNS lookups, and flag any issues.
Check email headers for SPF results
Open a recent email that had delivery issues. Find the Authentication-Results header. Look for the spf= value — it will say pass, fail, softfail, none, temperror, or permerror.
Identify the specific error
Match the error you're seeing to one of the sections below. Each section covers symptoms, causes, and exact fix steps.
If you don't have an SPF record yet and need to create one from scratch, use our SPF record creator to generate a valid record, then come back here if you run into issues.
Problem: "No SPF Record Found"
Symptoms
- SPF lookup tools report "No SPF record found" or "SPF record missing"
- Email headers show spf=none
- DMARC reports show SPF result as "none" for your domain
Causes
The record doesn't exist. You haven't published an SPF TXT record for your domain yet.
Wrong record type. You added the SPF record as the wrong DNS record type. SPF records must be TXT records. Some older DNS interfaces still show an "SPF" record type — this is deprecated and not recognized by modern mail servers.
Wrong domain. You added the record to a subdomain instead of the root domain, or to the wrong domain entirely.
Propagation delay. You just added the record and DNS hasn't propagated yet.
How to Fix
Verify the record exists in your DNS provider
Log in to your DNS management dashboard and look for a TXT record on the root domain (@) that starts with v=spf1. If it's not there, you need to create one.
Confirm it's a TXT record, not an SPF record type
If your DNS provider has a separate "SPF" record type, delete it and recreate it as a TXT record. The SPF record type was deprecated in RFC 7208 and is ignored by most mail servers.
Check the hostname
The SPF record should be on @ (root domain) or the exact domain you send email from. If you send from example.com, the record goes on example.com, not mail.example.com.
Wait for propagation if you just added it
DNS changes can take up to a few hours to propagate. Check with SPF Record Check after 15-30 minutes. See our propagation guide for details.
Problem: "Multiple SPF Records Found"
Symptoms
- SPF checker reports "Multiple SPF records" or "Duplicate SPF records"
- Email headers show spf=permerror
- Inconsistent SPF results (sometimes pass, sometimes fail)
Cause
Your domain has two or more TXT records that start with v=spf1. This is a fatal error — RFC 7208 specifies that a domain must have exactly one SPF record. When multiple exist, the SPF check returns permerror and authentication fails for every email.
This usually happens when different people or departments add their own SPF records without checking what already exists.
How to Fix
Find all SPF records
Use SPF Record Check or run dig TXT yourdomain.com to list all TXT records. Identify every record starting with v=spf1.
Merge into a single record
Combine all the mechanisms from both records into one. For example, if you have v=spf1 include:_spf.google.com -all and v=spf1 include:sendgrid.net -all, merge them into v=spf1 include:_spf.google.com include:sendgrid.net -all.
Delete the extra record(s)
Remove all but one SPF TXT record from your DNS. Keep the merged one.
Verify the merged record
Check that the single remaining record is valid, under 10 DNS lookups, and includes all your sending sources.
Your domain can have multiple TXT records for different purposes (DMARC verification, domain ownership, etc.). The rule is that only one TXT record can start with v=spf1.
Problem: "Too Many DNS Lookups"
Symptoms
- SPF checker reports "Too many DNS lookups" or "Exceeds 10 lookup limit"
- Email headers show spf=permerror
- SPF evaluation fails even though all your includes are correct
Cause
The SPF specification limits evaluation to 10 DNS lookups. Every include, a, mx, exists, and redirect mechanism counts toward this limit — including those nested inside included records. When the limit is exceeded, SPF returns permerror and is treated as a failure.
How to Fix
Count your actual lookups
Use SPF Record Check to see your total lookup count including nested includes. Don't count manually — nested lookups are easy to miss.
Remove unused includes
Audit your sending services. If you stopped using a provider, remove their include. This is the fastest way to free up lookups.
Replace includes with ip4 where possible
If a service gives you dedicated sending IPs, use ip4: instead of include:. IP mechanisms don't count toward the 10-lookup limit.
Move services to subdomains
Send marketing email from marketing.yourdomain.com and transactional email from mail.yourdomain.com. Each subdomain gets its own SPF record with its own 10-lookup budget.
Consider SPF flattening as a last resort
If none of the above is enough, SPF flattening resolves includes into IP addresses. But this requires ongoing automation. See our SPF flattening guide for details.
For a deep dive, see our SPF 10 DNS Lookup Limit article.
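The nested counting described in this section, as an added example that is not part of the original guide or any tool it mentions. The zone data is constructed and stands in for live DNS answers; `count_lookups` and `spf_record` are hypothetical helper names. It also lists includes whose target publishes no SPF record.

```python
import re

# Constructed zone data standing in for live DNS answers (all names are made up).
ZONE = {
    "example.test": ["v=spf1 a mx include:_spf.mailhost.test include:esp.test "
                     "include:crm.test include:oldvendor.test -all",
                     "site-verification=constructed-token"],
    "_spf.mailhost.test": ["v=spf1 include:_nb1.mailhost.test "
                           "include:_nb2.mailhost.test include:_nb3.mailhost.test ~all"],
    "_nb1.mailhost.test": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "_nb2.mailhost.test": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "_nb3.mailhost.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "esp.test": ["v=spf1 include:a.esp.test include:b.esp.test -all"],
    "a.esp.test": ["v=spf1 ip4:203.0.113.0/26 -all"],
    "b.esp.test": ["v=spf1 mx ip4:203.0.113.64/26 -all"],
    "crm.test": ["v=spf1 exists:%{i}.allow.crm.test -all"],
    # oldvendor.test is deliberately absent: that include no longer resolves.
}

# Terms that make the receiver issue a DNS query (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")


def spf_record(domain, zone):
    """Return the domain's single v=spf1 TXT string, or None if it has none."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise ValueError(f"{domain}: more than one v=spf1 record")
    return found[0] if found else None


def count_lookups(domain, zone, path=()):
    """Worst-case (lookups, unresolved includes) for domain, nested terms included."""
    record = spf_record(domain, zone)
    if record is None:
        return 0, [domain]
    chain, total, unresolved = path + (domain,), 0, []
    for term in record.lower().split()[1:]:
        match = TERM.match(term)
        name, target = match.groups() if match else (None, None)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and target and target not in chain:
            nested, missing = count_lookups(target, zone, chain)
            total += nested
            unresolved += missing
    return total, unresolved
```

For the constructed zone, the top-level record shows only six lookup terms, but the nested includes bring the total to 13, which is over the limit of 10.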
Problem: "SPF Softfail/Fail for Legitimate Email"
Symptoms
- Email headers show spf=softfail or spf=fail for email you actually sent
- Legitimate email landing in spam
- DMARC reports show SPF failures from IP addresses you recognize
Cause
A legitimate sending source isn't listed in your SPF record. The receiving server checks the sending IP against your SPF record, doesn't find a match, and returns softfail (with ~all) or fail (with -all).
Common culprits:
- A new email service was added but nobody updated the SPF record
- A service changed its sending IPs and you're using hardcoded ip4 instead of their include
- Your web server sends transactional email (password resets, order confirmations) but its IP isn't in the SPF record
- A CRM or helpdesk tool was configured to send email as your domain
How to Fix
Identify the failing IP address
Check the Authentication-Results header of a failed email. It will show which IP address was checked. Alternatively, look at DMARC aggregate reports for the source IP.
Determine which service uses that IP
Search for the IP address to identify the service. You can use reverse DNS lookup or check the IP against known provider ranges.
Add the missing service to your SPF record
Add the appropriate include: mechanism for the service. If it's your own server, add its IP with ip4:. Use SPF Creator to regenerate your record with all services included.
Verify the updated record
Confirm the record is valid and still under 10 lookups after adding the new mechanism.
Don't just switch from -all to ~all to "fix" the problem. That hides the symptom without addressing the cause. Find the missing source and add it properly.
Problem: "SPF Permerror" (Syntax Error)
Symptoms
- SPF checker reports "Permerror" or "Syntax error"
- Email headers show spf=permerror
- All email from your domain fails SPF regardless of sender
Cause
Your SPF record has a syntax error that makes it unparseable. Common syntax mistakes include:
- Missing v=spf1 prefix
- Typos in mechanism names (inclue instead of include)
- Semicolons or commas instead of spaces between mechanisms
- Extra spaces or special characters
- Invalid IP addresses or CIDR notation
- Missing colon after mechanism names (include_spf.google.com instead of include:_spf.google.com)
How to Fix
Identify the exact syntax error
Use SPF Record Check — it will highlight where the syntax error is.
Regenerate the record from scratch
Rather than trying to patch a broken record, use SPF Creator to build a new one from your list of sending services. This eliminates typos and formatting issues.
Replace the old record
Delete the broken TXT record and add the new one. Verify with a lookup tool that the new record is valid.
Here are the most common syntax errors and their fixes:
# WRONG: Missing v=spf1 prefix
include:_spf.google.com -all
# CORRECT
v=spf1 include:_spf.google.com -all
# WRONG: Semicolons instead of spaces
v=spf1;include:_spf.google.com;-all
# CORRECT
v=spf1 include:_spf.google.com -all
# WRONG: Typo in mechanism name
v=spf1 inclde:_spf.google.com -all
# CORRECT
v=spf1 include:_spf.google.com -all
# WRONG: Missing colon after include
v=spf1 include _spf.google.com -all
# CORRECT
v=spf1 include:_spf.google.com -all
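A small linter for the syntax mistakes listed in this section, as an added example that is not part of the original guide or of SPF Record Check. The function name `lint_spf` is hypothetical, and the check is narrower than a full RFC 7208 parser: macros and domain names are not validated.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_VALUE = {"include", "ip4", "ip6", "exists"}


def lint_spf(record):
    """Return a list of syntax problems found in one SPF record (empty = clean)."""
    problems = []
    if re.search(r"[;,]", record):
        problems.append("';' or ',' used as a separator; terms are separated by spaces")
    terms = [t for t in re.split(r"[;,\s]+", record.strip()) if t]
    if terms and terms[0].lower() == "v=spf1":
        terms = terms[1:]
    else:
        problems.append("record does not start with v=spf1")
    for term in terms:
        body = term[1:] if term[0] in "+-~?" else term      # drop the qualifier
        name, sep, value = re.match(r"([^:=/]*)([:=/]?)(.*)", body).groups()
        name = name.lower()
        if sep == "=":
            continue  # modifier: redirect=, exp=, or an unknown one (legal, ignored)
        if name not in MECHANISMS:
            hit = next((k for k in NEEDS_VALUE if name.startswith(k)), None)
            problems.append(f"missing ':' after '{hit}' in '{term}'" if hit
                            else f"unknown mechanism '{term}'")
        elif name in NEEDS_VALUE and (sep != ":" or not value):
            problems.append(f"'{name}' needs a value, e.g. {name}:<value>")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    problems.append(f"'{term}' holds an IPv{net.version} address")
            except ValueError:
                problems.append(f"invalid address or CIDR in '{term}'")
    return problems
```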
Problem: "SPF Temperror"
Symptoms
- Email headers show spf=temperror
- Intermittent SPF failures (works sometimes, fails sometimes)
- DMARC reports show occasional temperror results
Cause
A DNS timeout occurred during SPF evaluation. The receiving server tried to look up your SPF record (or one of the included domains) and the DNS query timed out or failed.
This is usually not your fault. Temperrors are caused by:
- Temporary DNS server outages (yours or an included domain's)
- Network congestion between the receiving server and DNS
- DNS server overload during high-traffic periods
How to Fix
Temperrors are almost always transient. However, if they're persistent:
- Check your DNS provider's status page for outages
- Reduce nested includes to minimize the number of DNS queries needed during evaluation
- Use a reliable DNS provider — if your DNS is hosted on a shared server with frequent issues, consider migrating to Cloudflare, Route 53, or Google Cloud DNS
- Monitor over time — occasional temperrors in DMARC reports are normal. Persistent temperrors indicate a DNS infrastructure problem
Most receiving servers handle temperrors gracefully by deferring the message and retrying later. Your email usually gets delivered on the retry. Only persistent temperrors cause real delivery problems.
Problem: "Domain Not Found in SPF" (Wrong Include)
Symptoms
- SPF checker reports "void lookup" or "domain not found"
- An include points to a domain that doesn't have an SPF record
- Your SPF record approaches or exceeds the 2 void lookup limit
Cause
One of the include: domains in your SPF record doesn't exist or doesn't have its own SPF TXT record. This triggers a "void lookup" — a DNS query that returns nothing. RFC 7208 limits you to 2 void lookups before returning permerror.
Common reasons:
- Typo in the include domain (include:_spf.goggle.com instead of _spf.google.com)
- The service changed their SPF include domain and you have the old one
- The service was discontinued and their DNS records were removed
- You copied an include from an outdated guide or forum post
How to Fix
Identify the invalid include
Run your domain through SPF Record Check. It will flag which includes fail to resolve.
Find the correct include value
Check the service provider's current documentation for their SPF include. Search their help center for "SPF" or "email authentication." If the service no longer exists, remove the include entirely.
Update your SPF record
Replace the incorrect include with the correct one, or remove it if the service is no longer in use.
Problem: SPF Record Too Long
Symptoms
- DNS provider rejects the record or truncates it
- SPF checker shows the record is incomplete or cut off
- The record works in some DNS tools but not others
Cause
DNS TXT records have a 255-character limit per string. If your SPF record exceeds 255 characters, it needs to be split into multiple strings within a single TXT record. Most DNS providers handle this automatically, but some don't.
The practical limit for the entire SPF record (all strings concatenated) is around 450-500 characters. Beyond that, you're hitting real DNS constraints.
How to Fix
- If your provider doesn't auto-split: Manually split the record into multiple strings of 255 characters or fewer. The DNS protocol concatenates them automatically:
"v=spf1 include:_spf.google.com include:sendgrid.net " "include:spf.mandrillapp.com include:mail.zendesk.com -all"
- If the total record is too long: You have too many mechanisms. Use subdomains to split sending services, replace includes with ip4 addresses, or consolidate providers. See the "Too Many DNS Lookups" section above — the solutions overlap.
- Switch to a provider that handles long records: Cloudflare and Route 53 handle string splitting automatically and support longer TXT records.
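The manual split from the first bullet, as an added example that is not part of the original guide. The strings are joined with nothing between them, so the space separating two terms has to live inside one of the strings; the helper names and the long sample record are constructed for illustration.

```python
def split_txt(record, limit=255):
    """Split one SPF record into character-strings of at most `limit` characters.

    Splits only between terms and keeps the separating space at the end of each
    closed string, because the strings are concatenated with nothing in between.
    """
    words = record.split()
    if not words:
        return []
    if any(len(w) >= limit for w in words):
        raise ValueError("a single term does not fit in one string")
    chunks, current = [], words[0]
    for word in words[1:]:
        # +1 for the joining space, +1 reserved for the trailing space on close
        if len(current) + len(word) + 2 <= limit:
            current += " " + word
        else:
            chunks.append(current + " ")
            current = word
    chunks.append(current)
    return chunks


def as_zone_rdata(chunks):
    """Render the strings as they appear in a zone file: "..." "..."."""
    return " ".join(f'"{c}"' for c in chunks)


def reassemble(chunks):
    """What the receiver evaluates: the strings concatenated in order."""
    return "".join(chunks)


# Constructed long record: 20 ip4 terms from a documentation address range.
LONG = "v=spf1 " + " ".join(f"ip4:198.51.100.{i}/32" for i in range(20)) + " -all"
```

Stripping the trailing space from the first string fuses two terms into one when the strings are joined, which turns a valid record into a syntax error.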
Problem: Changes Not Taking Effect
Symptoms
- You updated your SPF record but lookup tools still show the old one
- SPF results haven't changed after making a DNS edit
- Some resolvers show the new record but others show the old one
Cause
DNS propagation. After you change a DNS record, the change needs to propagate across the global network of DNS resolvers. This takes anywhere from a few minutes to 48 hours depending on your TTL settings.
How to Fix
- Wait. Most changes propagate within 1-4 hours.
- Check authoritative DNS directly to confirm the change was saved: query your specific nameserver rather than a public resolver.
- Lower TTL before future changes. Set the TTL to 300 (5 minutes) before making changes, wait for the old TTL to expire, then make the change. See our SPF record propagation guide for the full process.
- Confirm the change was saved. Some DNS dashboards require clicking a separate "Save" or "Apply" button. Double-check that your change actually persisted.
If your DNS provider shows the correct record but external lookups don't, it's almost certainly a caching/propagation issue. Don't make additional changes — each change restarts the propagation clock.
Quick Reference: SPF Error Codes
| Result | Meaning | Likely Cause | Action |
|---|---|---|---|
| pass | Sender is authorized | Everything is working correctly | No action needed |
| fail | Sender is not authorized | Missing include or IP in SPF record | Add the sending source to your record |
| softfail | Sender is probably not authorized | Missing include with ~all policy | Add the sending source or investigate |
| none | No SPF record exists | Record missing or wrong record type | Create an SPF record |
| neutral | No opinion | Record uses ?all (not recommended) | Change to ~all or -all |
| permerror | Permanent error | Syntax error, too many lookups, or multiple records | Fix the specific error |
| temperror | Temporary error | DNS timeout or server issue | Usually resolves on its own |
When to Start Over
Sometimes the fastest fix is to rebuild your SPF record from scratch rather than patching an existing one. Consider starting over if:
- You have multiple overlapping syntax errors
- You're not sure which includes are still needed
- The record has been modified by multiple people over time and nobody documented the changes
- You inherited a domain with an SPF record you don't understand
Use SPF Creator to generate a clean record based on your current sending services. Then verify it with SPF Record Check before publishing.
Make sure your email authentication is complete with DKIM and DMARC alongside your SPF record. All three protocols work together to protect your domain.