SPF Record Not Working? A Step-by-Step Troubleshooting Guide
Your SPF record isn't working and emails are failing authentication. Walk through these systematic troubleshooting steps to find and fix the problem.
Last updated: 2026-05-16
You've set up an SPF record, but your emails are still failing authentication—or landing in spam. Before you start changing things at random, let's work through a systematic diagnosis. Most SPF issues fall into a handful of common problems, and checking them in order will save you a lot of time. For a full reference on SPF setup, see our complete SPF guide.
Step 1: Confirm the Record Actually Exists
The most basic issue is that no SPF record is published for your domain. This happens more often than you'd think—maybe the record wasn't saved properly, or it was added to the wrong domain.
Enter your domain above. If the tool says no SPF record was found, head to your DNS provider and verify you've added a TXT record that starts with v=spf1. If you need help creating one from scratch, SPF Creator can generate the correct syntax for you.
Step 2: Check for Multiple SPF Records
This is one of the most common causes of SPF failure. Your domain is only allowed to have one SPF record (RFC 7208 Section 3.4). If you have two or more TXT records starting with v=spf1, the result is an automatic PermError—meaning every SPF check fails, no matter what's in the records.
This usually happens when someone adds a new SPF record instead of editing the existing one. For example, if you already had an SPF record for Google Workspace and then added a separate one for Mailchimp, you'd end up with two records—and both would be broken.
The fix: Combine everything into a single record. Instead of two records like:
v=spf1 include:_spf.google.com ~all
v=spf1 include:servers.mcsv.net ~all
Merge them into one:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
For more details on this error, see our guide on SPF PermError.
Step 3: Verify the Syntax Is Correct
Even a small typo can break your entire SPF record. Common syntax mistakes include:
- Missing
v=spf1at the beginning - Extra spaces or special characters
- Misspelled mechanism names (like
incldeinstead ofinclude) - Using colons or semicolons in the wrong places
Watch for invisible characters
If you copied your SPF record from a website, email, or document, it may contain hidden characters like smart quotes or non-breaking spaces. These look identical to normal characters but will break your record. Try retyping the record manually if you suspect this.
Our checker tool above will flag syntax errors and tell you exactly where the problem is. You can also review our full list of common SPF errors for specific error codes and fixes.
Step 4: Count Your DNS Lookups
SPF has a hard limit of 10 DNS lookups per evaluation. Every include, a, mx, and redirect mechanism in your record counts as at least one lookup—and nested includes inside those count too. If your total exceeds 10, the result is a PermError.
This is a sneaky problem because your record can look perfectly fine but still fail. Each include statement pulls in another SPF record, which might contain its own includes. Those add up fast.
How to check: The lookup tool above shows your total DNS lookup count. If you're over 10, you'll need to optimize. Options include:
- Replacing
includestatements withip4orip6mechanisms where possible (these don't count as lookups) - Removing services you no longer use
- Looking into SPF flattening
Read more in our detailed guide on the SPF 10 DNS lookup limit.
Step 5: Check the Return-Path Domain
This is the most misunderstood part of SPF. SPF does not check the "From" address that you see in your inbox. It checks the Return-Path domain (also called the envelope sender, or MAIL FROM in SMTP terms).
Why does this matter? Many email services send from a Return-Path domain that's different from your visible From address. For example, Mailchimp might use a Return-Path like bounce.mcsv.net instead of yourdomain.com. In that case, your domain's SPF record isn't even being checked—Mailchimp's is.
How to check: Look at the email headers of a failing message. Find the Return-Path header and note the domain. That's the domain whose SPF record matters for that particular email.
SPF vs DKIM confusion
If you see spf=pass but emails are still going to spam, the issue probably isn't SPF at all. It might be a DKIM or DMARC alignment problem. Use a DKIM test and DMARC checker to verify those records too.
Step 6: Wait for DNS Propagation
If you just created or updated your SPF record, DNS changes don't take effect instantly. Depending on your DNS provider and the TTL (time to live) setting, it can take anywhere from a few minutes to 48 hours—though most changes propagate within 1 to 4 hours.
What to do: Wait at least an hour, then check again with the tool above. If you're still not seeing your changes after 4 hours, verify that you saved the record correctly at your DNS provider.
Step 7: Make Sure You're Checking the Right Domain
It sounds obvious, but double-check that your SPF record is on the correct domain. If your email address is you@company.com, the SPF record needs to be on company.com—not www.company.com, not a subdomain, and not a different domain you also own.
If your email service sends from a subdomain (like mail.company.com), you need an SPF record on that subdomain specifically. Remember that subdomains do not inherit SPF records from the parent domain.
Common Red Herrings
Before you keep troubleshooting SPF, make sure the problem is actually SPF-related:
- "My emails go to spam" — SPF is only one of many signals. Domain reputation, content quality, sending patterns, and DKIM/DMARC all play a role. Check your overall email authentication with the Email Deliverability Suite.
- "SPF passed but the email still bounced" — The bounce is likely unrelated to SPF. Check for recipient-side issues like full mailboxes or invalid addresses.
- "I changed my SPF record but it still shows the old one" — DNS propagation takes time. Clear your DNS cache and wait.
When to Contact Your DNS Provider
If you've gone through all the steps above and everything looks correct but SPF is still failing, it's time to reach out to your DNS provider. Ask them to:
- Confirm your TXT record is published correctly
- Check for any DNS propagation issues on their end
- Verify there are no restrictions on TXT record length (some providers truncate long records)
Some DNS providers have character limits on TXT records that can silently cut off part of your SPF record, which breaks the syntax.
Keep Your SPF Record Healthy
SPF issues often creep in over time—someone adds a new email service without updating the record, a provider changes their include domain, or DNS lookups slowly accumulate past the limit. Regular monitoring catches these problems before they affect your email delivery.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- RFC 7208 Section 3.4: Record Lookup — Only one SPF record per domain
- RFC 7208 Section 4.6.4: DNS Lookup Limits — The 10 DNS lookup limit
- RFC 5321: Simple Mail Transfer Protocol (SMTP) — Defines the MAIL FROM (Return-Path) used by SPF
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring