How to Fix Your SPF Record
An SPF finding on a domain security scan usually means your SPF record is missing, misconfigured, or doesn't cover all the services that send email on your behalf. Here's what it means and how to fix it.
What this finding means
SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and mail servers authorised to send email from your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to see if the sending server is on the approved list.
Common findings include:
- No SPF record — any server can send email as your domain
- SPF uses ~all (softfail) — unauthenticated senders are flagged but not blocked
- SPF doesn't cover all mail servers — a service sending email on your behalf isn't listed
- SPF has too many DNS lookups — SPF is limited to 10 DNS lookups; exceeding this causes validation failure
Why it matters
Without a properly configured SPF record, spammers and phishers can send email that appears to come from your domain. SPF is also one of the two authentication mechanisms (alongside DKIM) that DMARC uses to make its enforcement decision.
How to fix it — step by step
Step 1: Check your current SPF record
Your SPF record is a TXT record at your root domain. It looks like:
v=spf1 include:spf.protection.outlook.com ~all
Step 2: Identify all services that send email from your domain
Common ones include: Microsoft 365, Google Workspace, Mailchimp, Salesforce, HubSpot, SendGrid, Zendesk, your web hosting provider. Each needs an include: entry in your SPF record.
Step 3: Build your updated SPF record
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all
- v=spf1 — required opening
- include: — adds the sending ranges of a third-party provider
- ip4: — adds a specific IP address directly
- -all — hard fail: reject emails from unlisted sources (recommended)
- ~all — soft fail: flag but deliver (less protective)
Step 4: Update the DNS TXT record
Log in to your DNS provider and update the TXT record at your root domain. There must be exactly one SPF record — multiple SPF records cause validation failure.
Common SPF include values by mail provider
| Provider | SPF include |
|---|---|
| Microsoft 365 | include:spf.protection.outlook.com |
| Google Workspace | include:_spf.google.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Resend | include:_spf.resend.com |
| Zendesk | include:mail.zendesk.com |
The 10 DNS lookup limit
SPF allows a maximum of 10 DNS lookups when evaluated. If your record exceeds this (common when using many third-party senders), validation fails. If this is your situation, consider using an SPF flattening service or consolidating your sending providers.
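The checks described above (missing record, more than one record, ~all, and the 10-lookup limit) can be run before publishing a change. The following is an added example, not code from this page or from any scanning service; the ZONE data, the domain names and the function names are constructed for illustration, and the count is a static worst case over every term in the record.

```python
# Added example: offline SPF linter. ZONE is constructed sample data, not live DNS.
# Terms that each cost one lookup against the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

ZONE = {  # constructed TXT records, keyed by domain
    "example.test": ["v=spf1 include:_spf.mail.test include:_spf.crm.test mx ~all",
                     "site-verification=constructed-value"],
    "_spf.mail.test": ["v=spf1 include:a.mail.test include:b.mail.test -all"],
    "a.mail.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.mail.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.test": ["v=spf1 ip4:203.0.113.7 -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
    "big.test": ["v=spf1 " + " ".join(f"include:s{i}.test" for i in range(11)) + " -all"],
}
ZONE.update({f"s{i}.test": ["v=spf1 ip4:192.0.2.1 -all"] for i in range(11)})  # big.test targets

def spf_records(domain, zone):
    """TXT strings at `domain` whose first term is v=spf1."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms, following include: and redirect= targets."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:   # include loop, or nothing usable to follow
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        body = term.lstrip("+-~?").replace("=", ":", 1)
        name, _, target = body.partition(":")
        if name.split("/")[0] in LOOKUP_TERMS:   # "a/24" and "mx/24" still count
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, zone, path + (domain,))
    return total

def lint(domain, zone):
    """Return findings in the categories the article lists."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return ["no SPF record" if not recs else "multiple SPF records"]
    findings = []
    if "~all" in recs[0].lower().split():
        findings.append("softfail (~all)")
    n = count_lookups(domain, zone)
    if n > 10:
        findings.append(f"too many DNS lookups ({n})")
    return findings

if __name__ == "__main__":
    print({d: lint(d, ZONE) for d in ("example.test", "dup.test", "big.test", "missing.test")})
```

Nested includes count too: example.test has only three lookup terms in its own record but costs five lookups once the provider's includes are followed.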
Verify it worked
Scan your domain at mydomainrisk.com — the SPF finding will update to show pass status once your record is correctly configured.