What are common mistakes when creating SPF records?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Most SPF mistakes fall into a few predictable patterns. Here are the ones that actually break things in practice.
Multiple SPF records on the same domain. You can only have one SPF record per domain. If you add a second v=spf1 TXT record, you get a permanent error and SPF fails for every message. The fix is to merge everything into a single record.
Exceeding the 10-DNS-lookup limit. SPF limits you to 10 DNS lookups during evaluation. Each include:, a, mx, or redirect mechanism counts toward that limit. Add too many ESPs, CRMs, and mailing services and you blow past it fast. Use an SPF flattening tool if you're hitting the limit.
Forgetting to include services that send on your behalf. Every platform that sends email from your domain needs to be in your SPF record. That means your marketing ESP, your transactional mail service, your CRM, your helpdesk, any third-party tool that sends customer emails. Missing one means those emails fail SPF.
Using ptr mechanisms. The ptr mechanism does a reverse DNS lookup and is slow, unreliable, and officially discouraged by the SPF spec. Don't use it.
Misplacing the all mechanism. Everything after all is ignored. If you put -all before your include statements by accident, you've blocked everything you just tried to authorize.
Going straight to -all (hard fail) without testing. Hard fail is correct as a final destination, but if you haven't confirmed every legitimate sending source is included, you'll reject your own mail. Use ~all (soft fail) while you're building the record and switch to -all once you're confident.
Our free SPF checker validates your record and flags the most common errors before they start causing failures.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.