SPF Troubleshooting Guide
SPF (Sender Policy Framework) issues are among the most common email authentication problems. Misconfigured SPF records can cause legitimate email to be marked as spam or rejected entirely. This guide helps you identify and resolve the most frequent SPF errors.
Issue: Too Many DNS Lookups
Symptoms
- SPF returns PermError
- Error message mentions "too many DNS lookups"
- Authentication fails despite correct IP listing
Cause
SPF has a hard limit of 10 DNS lookups per evaluation. Each include, a, mx, ptr, and redirect mechanism counts toward this limit. Nested includes count too — if include:_spf.google.com triggers 3 more lookups, those all count.
Solutions
Option 1: Remove unnecessary mechanisms
# Before (potentially over limit)
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net include:amazonses.com a mx -all
# After (reduced lookups)
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ip4:192.0.2.0/24 -all
Option 2: Use IP addresses directly
Replace include: with direct IP ranges when possible:
# Instead of include:thirdparty.com
ip4:203.0.113.0/24
Option 3: SPF flattening
Use a service that resolves your includes to IP addresses, reducing lookup count.
Option 4: Move senders to subdomains
# marketing.example.com
v=spf1 include:servers.mcsv.net -all
# example.com (fewer lookups)
v=spf1 include:_spf.google.com include:sendgrid.net -all
Issue: Missing Sender IP
Symptoms
- SPF returns SoftFail or Fail
- Legitimate emails marked as spam
- A known sending service not passing SPF
Cause
The sending server's IP address isn't included in your SPF record.
Solution
- Identify the IP: Check email headers or DMARC aggregate reports
- Find the correct include: Most services document their SPF include value
- Update your SPF record:
v=spf1 include:_spf.google.com include:newservice.com -all
Common Service SPF Includes
| Service | Include Statement |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| Amazon SES | include:amazonses.com |
| Salesforce | include:_spf.salesforce.com |
Issue: Multiple SPF Records
Symptoms
- Inconsistent SPF results
- SPF returns PermError
- Authentication behavior is unpredictable
Cause
Your DNS has more than one TXT record containing v=spf1. The SPF specification allows only one SPF record per domain.
Solution
Merge all SPF mechanisms into a single record:
# Wrong — two separate records
v=spf1 include:_spf.google.com -all
v=spf1 include:sendgrid.net -all
# Correct — single merged record
v=spf1 include:_spf.google.com include:sendgrid.net -all
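The lookup counting behind the "Too Many DNS Lookups" issue and the one-record rule above can both be checked before a DNS change is published. The following is an added example, not part of the original guide: the zone data, the `.example` provider names and the function names are constructed for illustration, and it also counts `exists`, which RFC 7208 includes in the limit.

```python
import re

LIMIT = 10  # the 10-lookup cap described above
# Terms that trigger a DNS query; RFC 7208 also counts "exists".
QUERYING = {"include", "redirect", "a", "mx", "ptr", "exists"}

# Constructed sample zone (name -> TXT strings); stands in for live DNS.
ZONE = {
    "example.com": ["v=spf1 include:_spf.a.example include:b.example "
                    "include:c.example include:d.example a mx -all"],
    "fixed.example.com": ["v=spf1 include:_spf.a.example include:b.example "
                          "include:c.example ip4:192.0.2.0/24 -all"],
    "dup.example.com": ["v=spf1 include:b.example -all", "v=spf1 mx -all"],
    "_spf.a.example": ["v=spf1 include:_n1.a.example include:_n2.a.example "
                       "include:_n3.a.example ~all"],
    "_n1.a.example": ["v=spf1 ip4:198.51.100.0/26 ~all"],
    "_n2.a.example": ["v=spf1 ip4:198.51.100.64/26 ~all"],
    "_n3.a.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "b.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "c.example": ["v=spf1 include:_n1.a.example mx ~all"],
    "d.example": ["v=spf1 a ~all"],
}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        raise ValueError(f"{domain} has {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].lower().split()[1:]:
        # Optional qualifier, term name, then an optional :target or =target.
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if m and m.group(1) in QUERYING:
            total += 1
            if m.group(1) in ("include", "redirect"):  # nested terms count too
                total += count_lookups(m.group(2), zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (count, verdict); count is None when the record set is invalid."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as err:
        return None, f"PermError: {err}"
    return n, "ok" if n <= LIMIT else "PermError: too many DNS lookups"

if __name__ == "__main__":
    print([audit(d) for d in ("example.com", "fixed.example.com", "dup.example.com")])
```

In the constructed zone, `example.com` has only six terms in its own record but reaches 12 lookups through nested includes, while `fixed.example.com` (the Option 1 style change) drops to 8.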
Issue: SPF Syntax Errors
Common Errors and Fixes
Missing version tag:
# Wrong
include:_spf.google.com -all
# Correct
v=spf1 include:_spf.google.com -all
Incorrect mechanism syntax:
# Wrong
v=spf1 ip:192.0.2.1 -all
# Correct
v=spf1 ip4:192.0.2.1 -all
Missing all mechanism:
# Incomplete (no guidance for unlisted IPs)
v=spf1 include:_spf.google.com
# Complete
v=spf1 include:_spf.google.com -all
Issue: SPF Soft Fail vs Hard Fail
Explanation
| Mechanism | Meaning | Recommendation |
|---|---|---|
| -all | Hard fail — reject unlisted IPs | Use for maximum protection |
| ~all | Soft fail — mark as suspicious | Use during testing |
| ?all | Neutral — no opinion | Not recommended |
| +all | Pass all — defeats SPF | Never use |
Once you've verified all legitimate sources are listed, switch from ~all to -all:
# Testing (soft fail)
v=spf1 include:_spf.google.com ~all
# Production (hard fail)
v=spf1 include:_spf.google.com -all
Issue: SPF Changes Not Taking Effect
Cause
DNS changes take time to propagate globally. See our DNS Propagation guide for details.
Quick Fixes
- Verify the record is published:
nslookup -type=txt example.com
- Lower TTL before making changes
- Wait for propagation (typically 1–4 hours)
- Test from multiple locations using online tools
Prevention Tips
- Document changes — Keep a record of all SPF modifications
- Test before deploying — Validate syntax before making DNS changes
- Monitor continuously — Use DMARC reports to catch SPF issues early
- Plan for growth — Leave room for new services within the 10-lookup limit
- Review quarterly — Audit your SPF record regularly and remove decommissioned services