Your Domain Has No SPF Record: What It Means and How to Fix It

If a tool or mail server has flagged your domain for a missing SPF record, here is what to check, how to read what you find, and how to add one that actually works.

June 29, 2026

You run your domain through MXToolbox. You get a bounce message that includes something like "SPF check failed." A deliverability report flags your domain as missing an SPF record. Whatever triggered it, the message is the same: your domain is not configured to tell the world which servers are allowed to send email on your behalf.

Here is what that means, how to verify it is actually true, and how to add an SPF record that covers your setup.

What an SPF record actually does

SPF (Sender Policy Framework) is a TXT record on your domain that lists the mail servers authorized to send email from it. When a receiving server gets a message claiming to be from an address at example.com, it checks the SPF record on example.com to see if the sending server is on the list.

If there is no SPF record, the receiving server has nothing to check against. Many servers will accept the message anyway and apply extra scrutiny to it. Others will treat the absence of SPF as a signal that the message is more likely to be spam or spoofed. Some strict configurations will reject it outright.

Missing SPF does not guarantee your email lands in spam, but it removes one of the main signals that your domain is a legitimate sender. Combined with missing DKIM or DMARC, it makes a strong case for the spam folder.

How to check if you actually have one

Before adding anything, verify the current state of your domain. A tool that flagged you might be outdated, caching old results, or checking the wrong domain.

Run this from a terminal:

dig TXT example.com

Or use nslookup:

nslookup -type=TXT example.com

Look through the results for a record that starts with v=spf1. That is an SPF record. If you do not see one, you do not have one.

A few things to check while you are looking:

Check the exact domain that sends email. SPF is checked against the domain in the envelope sender (the MAIL FROM address used during the SMTP handshake, which is often different from the visible From: header). For most domains this is the root domain, but if your bounce address or envelope sender uses a subdomain like bounces.example.com, the SPF record needs to live there too.

Check for duplicates. You are only allowed one SPF record per domain. If dig TXT returns two records starting with v=spf1, that is itself a configuration error. Receiving servers reject both records when they encounter multiple SPF records, so two broken SPF records are worse than none.

What a valid SPF record looks like

v=spf1 include:_spf.google.com ~all

Breaking it down:

  • v=spf1 marks this as an SPF record. Required, always first.
  • include:_spf.google.com delegates to Google's list of authorized sending IPs. Use include: when your mail provider publishes their own SPF list, which most do.
  • ~all is the fallback. A tilde means "soft fail": mail from unlisted sources is suspicious but not automatically rejected. A hyphen (-all) means "hard fail": reject it outright. Most domains use ~all permanently rather than -all because hard fail can cause legitimate mail to be rejected in edge cases, such as when recipients forward email through a third-party service.

Common variations you will see:

v=spf1 ip4:203.0.113.1 ~all

This directly authorizes a specific IP address. Use ip4: for IPv4 addresses and ip6: for IPv6.

v=spf1 include:sendgrid.net include:_spf.google.com ~all

Multiple include: entries are fine. Each one adds the sending IPs from that provider's published list to your authorized senders.

How to add an SPF record

Go to your DNS provider and add a TXT record on your root domain (leave the hostname field blank, or enter @ depending on your provider). The value is your SPF string.

If you are unsure what to put in it, start with what you actually use to send email:

  1. Find out which service or server sends your email (Google Workspace, Microsoft 365, Mailgun, SendGrid, Postmark, your own mail server, etc.)
  2. Look up that provider's SPF include string. Most providers document it: Google uses include:_spf.google.com, Microsoft 365 uses include:spf.protection.outlook.com, Mailgun uses include:mailgun.org.
  3. Combine any you need into one record, ending with ~all.

If you send email from multiple providers, include all of them in the same record:

v=spf1 include:_spf.google.com include:mailgun.org ~all

After adding the record, propagation typically takes a few minutes to a few hours depending on your TTL. You can verify it is live with dig TXT yourdomain.com again, or use MXToolbox's SPF checker to confirm the record is being read correctly.

Two mistakes that break SPF even when a record exists

Multiple SPF records. You can only have one SPF record per domain. If you have an existing record and add a second one to cover a new mail provider, both break. Receiving servers return a permerror when they find two v=spf1 records and treat it as a failure. Always edit the existing record to add new include: entries rather than creating a second one.

Too many DNS lookups. SPF has a limit of 10 DNS lookups during evaluation. Each include: entry counts as one lookup, and some providers chain their own lookups internally. If you have SPF records from many different providers, you can hit this limit and cause SPF evaluation to fail with a permerror. MyDMARC's SPF checker will count your lookup depth and flag if you are over the limit.
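The missing-record check from earlier and the two mistakes above, as an added example (not code from this article or from any tool it names): an offline lint that picks SPF records out of TXT values, flags duplicates, and counts lookups through nested include: chains. Every domain and record in ZONE is constructed, and the count goes beyond the include: case in the text by also charging a, mx, ptr, exists and redirect=, as RFC 7208 does.

```python
# Added example: offline SPF lint. Every domain and record in ZONE is constructed.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # terms that cost a DNS query
LIMIT = 10  # RFC 7208 section 4.6.4

ZONE = {
    "ok.example": ['"v=spf1 include:_spf.provider-a.example ip4:203.0.113.1 ~all"'],
    "_spf.provider-a.example": ['"v=spf1 include:_nb.provider-a.example ~all"'],
    "_nb.provider-a.example": ['"v=spf1 ip4:198.51.100.0/24 ~all"'],
    "dup.example": ['"v=spf1 include:_spf.provider-a.example ~all"',
                    '"v=spf1 ip4:203.0.113.1 ~all"'],
    "nospf.example": ['"site-verification=constructed"'],
    "heavy.example": ['"v=spf1 include:p0.example include:p1.example '
                      'include:p2.example include:p3.example ~all"'],
}
# Each constructed provider record costs 1 (the include) + 2 (its a and mx terms).
ZONE.update({f"p{i}.example": ['"v=spf1 a mx ~all"'] for i in range(4)})

def spf_records(txt_values):
    """Return the TXT strings whose version tag is exactly v=spf1."""
    cleaned = [v.strip().strip('"') for v in txt_values]
    return [v for v in cleaned if (v.lower() + " ").startswith("v=spf1 ")]

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms reachable from the domain's single SPF record."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    records = spf_records(zone.get(domain, []))
    if len(records) != 1:
        raise ValueError(f"{domain} has {len(records)} SPF records")
    total = 0
    for term in records[0].split()[1:]:
        # Drop the qualifier; redirect= is followed and charged like include:
        term = term.lstrip("+-~?").replace("redirect=", "include:", 1)
        name, _, arg = term.partition(":")
        if name.lower() == "include":
            total += 1 + count_lookups(arg, zone, seen + (domain,))
        elif name.split("/")[0].lower() in LOOKUP_TERMS:
            total += 1
    return total

def lint(domain, zone=ZONE):
    """Return 'none', 'ok: ...' or 'permerror: ...' for the domain."""
    if not spf_records(zone.get(domain, [])):
        return "none"
    try:
        n = count_lookups(domain, zone)
    except ValueError as err:
        return f"permerror: {err}"
    return f"permerror: {n} lookups, limit {LIMIT}" if n > LIMIT else f"ok: {n} lookups"

if __name__ == "__main__":
    print({d: lint(d) for d in ("ok.example", "dup.example", "nospf.example", "heavy.example")})
```

To run it against a real domain, replace ZONE with the TXT values that dig returns for the domain and for each include: target.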

How DNS monitoring fits in

Once your SPF record is in place, the next risk is that it gets changed without you knowing: someone edits the record, adds an unauthorized sender, or removes a restriction. Any of those changes would be silent without monitoring.

OneDollarDNS monitors your TXT records alongside every other record type and alerts you when a value changes. If your SPF record is modified, you will know before you start seeing deliverability problems or before an unauthorized sending source goes unnoticed.

For more on what each email authentication record does and how they work together, see DNS TXT Records: SPF, DKIM, and DMARC All Live Here. For what to do once you receive a DNS change alert, see What to Do When DNS Monitoring Alerts You.
