SPF Record Checker: How to Find and Fix SPF Issues
An SPF record checker helps you find one of the most common causes of email authentication problems: a domain that does not clearly authorize the systems sending email on its behalf. If your SPF record is missing, malformed, duplicated, too broad, or overloaded with too many includes, receiving servers may distrust your messages, reject them, or treat them as suspicious.
This guide explains how to use an SPF record checker, what every common SPF result means, how to fix the issues safely in DNS, and how SPF fits with DKIM, DMARC, cold outreach, newsletters, and transactional email. It is written for founders, marketers, RevOps teams, agencies, and technical operators who need practical answers rather than vague DNS advice.
The short version: check your domain's SPF record before every serious email campaign, after every sender change, and whenever deliverability drops. You should have one SPF TXT record at the root sending domain, it should include every legitimate sending service, it should stay under the DNS lookup limit, and it should end with a policy mechanism such as `~all` or `-all` depending on how confident you are in the setup.
Use BuffSend's free SPF Record Checker to inspect your domain before you send.
Try the BuffSend SPF Record Checker
Enter your domain below to open BuffSend's SPF Record Checker and inspect the TXT records published for that domain. Use the root sending domain, not a full URL. For example, use `example.com`, not `https://www.example.com`.
What Is an SPF Record?
SPF stands for Sender Policy Framework. It is an email authentication method that lets a domain owner publish which mail servers and services are allowed to send email for that domain. Receiving servers can check that DNS record when a message arrives and decide whether the sending server is authorized.
The formal SPF specification is RFC 7208, which defines how SPF records are published and evaluated. Most teams do not need to read the full RFC to fix everyday SPF issues, but it is the authority behind the rules that tools enforce.
What an SPF record looks like
A basic SPF record is published as a DNS TXT record. It usually starts with `v=spf1`, lists one or more authorized sources, and ends with an `all` mechanism that tells receivers what to do with everything else.
Example:
v=spf1 include:_spf.google.com include:sendgrid.net ~allIn that example, the domain authorizes Google and SendGrid to send email. The `~all` at the end means mail from other sources should soft fail.
What SPF actually checks
SPF does not directly validate the visible From address that the recipient sees in the email client. SPF checks the envelope sender, also called the return-path or MAIL FROM domain. DMARC then uses SPF alignment to decide whether SPF can help authenticate the visible From domain.
Why this distinction matters
A message can pass SPF for one domain but fail DMARC alignment for another if the domains do not match in the way DMARC expects. This is why SPF should not be managed in isolation. SPF, DKIM, and DMARC work together, and Google recommends setting up all three in its official email sender guidelines.
SPF vs DKIM vs DMARC
SPF says which servers can send. DKIM signs the message so receivers can verify that the content and headers were authorized. DMARC ties SPF and DKIM to the visible From domain and tells receivers what policy to apply when authentication fails.
| Authentication Layer | What It Does | Common Failure |
|---|---|---|
| SPF | Authorizes sending servers for a domain. | Missing source, duplicate SPF record, too many DNS lookups. |
| DKIM | Cryptographically signs messages from an authorized domain. | Wrong selector, missing DNS key, provider not signing mail. |
| DMARC | Checks SPF or DKIM alignment and publishes domain policy. | No policy, bad alignment, reports not monitored. |
Why Use an SPF Record Checker?
DNS records are easy to edit incorrectly. SPF is especially fragile because a domain should normally publish one SPF record, but every email vendor tells you to "add this SPF include." Over time, teams pile multiple TXT records and includes into DNS until authentication becomes confusing or broken.
An SPF checker finds problems before inbox providers do
If you wait until Gmail, Microsoft 365, Yahoo, or corporate mail gateways start rejecting messages, you are already late. An SPF checker helps you catch problems while they are still configuration issues, not campaign incidents.
An SPF checker makes vendor changes safer
Every time you add a sending provider, CRM, help desk, newsletter platform, transactional email provider, sales engagement tool, or billing system, your SPF record may need an update. Checking the domain after the change confirms that you did not accidentally remove an existing source or create a duplicate record.
An SPF checker helps non-DNS experts review risk
Marketers and sales teams often feel blocked by DNS terminology. A good SPF checker translates the published TXT record into practical questions: is there an SPF record, is there more than one, which services are included, and does the record look syntactically valid?
How to Check an SPF Record
The checking process is simple, but the details matter. You need to check the domain that appears in your sending identity and understand which systems actually send email for it.
Step 1: Identify the sending domain
Start with the domain used in your sender address. If your campaign sends from `alex@example.com`, check `example.com`. If you send from `updates@mail.example.com`, check `mail.example.com` if that subdomain has its own mail configuration.
Root domain vs subdomain
SPF is checked against the envelope sender domain, not always the visible From domain. Still, checking the visible sending domain is a practical first step. If your platform uses a custom bounce or return-path subdomain, check that subdomain too.
Step 2: Open the SPF checker
Use the BuffSend SPF Record Checker, enter the domain, and review the result. You are looking for whether a record exists, whether it starts with `v=spf1`, whether there are duplicates, and whether the sending services are authorized.
Step 3: Compare SPF sources with actual senders
Make a list of every system that sends email for the domain. This often includes Google Workspace, Microsoft 365, a CRM, a sales engagement platform, a marketing automation platform, a transactional email service, customer support software, billing software, and monitoring tools.
If a system sends mail but is not represented in SPF, that mail may fail SPF. If a system no longer sends mail but remains in SPF, remove it during cleanup to reduce complexity.
Step 4: Check the policy ending
Most SPF records end in `~all`, `-all`, `?all`, or `+all`. These mechanisms tell receivers how to treat senders not otherwise matched by the record.
| Ending | Name | Meaning | Common Use |
|---|---|---|---|
| ~all | Soft fail | Other senders are probably unauthorized. | Common default while monitoring setup. |
| -all | Hard fail | Other senders are unauthorized. | Use when you are confident every sender is listed. |
| ?all | Neutral | No strong statement about other senders. | Temporary or weak policy. |
| +all | Pass all | Everyone is allowed. | Avoid. It defeats the purpose of SPF. |
Step 5: Recheck after DNS changes propagate
After editing DNS, wait for propagation based on your DNS TTL, then check again. Some changes appear quickly; others take longer. Do not assume the update is live until an external checker sees the expected record.
Common SPF Issues and How to Fix Them
Most SPF problems fall into a small set of categories. The fix is usually straightforward, but you should make changes carefully because SPF affects every service that sends mail for the domain.
Issue 1: No SPF Record Found
This means the domain does not publish a TXT record starting with `v=spf1`. Receiving servers cannot use SPF to confirm which systems are authorized to send for the domain.
How to fix it
Create one TXT record for the sending domain. Include your legitimate mail provider. For Google Workspace, Google documents SPF setup in its SPF setup guide. For Microsoft 365, Microsoft documents the recommended value in its SPF setup guidance.
Example Google Workspace record:
v=spf1 include:_spf.google.com ~allExample Microsoft 365 record:
v=spf1 include:spf.protection.outlook.com -allIssue 2: Multiple SPF Records
A domain should not publish multiple SPF TXT records at the same name. If you have two records starting with `v=spf1`, SPF can return a permerror. This commonly happens when each vendor's setup guide is followed independently and nobody merges the values.
How to fix it
Merge authorized sources into one SPF record. Do not keep separate SPF records for Google, Microsoft, SendGrid, Mailgun, Postmark, or a CRM. Combine the mechanisms into one record.
Bad:
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~allBetter:
v=spf1 include:_spf.google.com include:sendgrid.net ~allIssue 3: SPF Record Missing a Sending Service
If your team sends through a platform that is not included in SPF, messages from that platform may fail SPF. This often happens after adding a sales tool, help desk, billing platform, or new transactional email service.
How to fix it
Find the vendor's SPF include value and merge it into the existing record. Then send test mail and check authentication results in the message headers. If the provider uses DKIM and a custom return-path instead of requiring SPF alignment, follow the provider's exact setup instructions.
Issue 4: Too Many DNS Lookups
SPF has a DNS lookup limit. RFC 7208 specifies that mechanisms and modifiers that cause DNS lookups are limited during SPF evaluation. In practical terms, `include`, `a`, `mx`, `ptr`, `exists`, and `redirect` can contribute to the lookup count. If the record requires too many lookups, SPF can fail with a permanent error.
How to fix it
Remove unused providers, avoid broad `a` and `mx` mechanisms when unnecessary, and consolidate services. If a vendor include expands into many nested lookups, ask the vendor for a more efficient SPF pattern or use a dedicated sending subdomain where appropriate. Be careful with SPF flattening tools; they can help, but flattened IPs can go stale when vendors change infrastructure.
Issue 5: SPF Record Uses +all
`+all` allows every sender. That means any server can pass SPF for your domain, which defeats the purpose of SPF. You should almost never use it for a real sending domain.
How to fix it
Replace `+all` with a safer policy. Most domains start with `~all` while confirming legitimate sources. Domains with well-managed mail infrastructure may move to `-all` after testing.
Issue 6: SPF Record Is Too Strict Too Soon
A strict `-all` policy can be appropriate when every legitimate sender is known and tested. But if you use it before identifying all senders, legitimate messages may fail SPF.
How to fix it
Audit all sending sources before moving to `-all`. Start with `~all`, monitor authentication, verify DMARC reports if available, then tighten when you are confident. For high-risk domains, make changes gradually.
Issue 7: SPF Published on the Wrong Domain
Some teams publish SPF on `www.example.com` when they send from `example.com`, or they configure SPF for the root domain while the mail platform uses a return-path subdomain. The record must be published where the receiving server checks it.
How to fix it
Check the sending domain and return-path domain used by your mail provider. Publish the SPF TXT record at the correct DNS name. Use test messages and headers to confirm which domain SPF is evaluating.
SPF Record Syntax Explained
SPF syntax looks intimidating at first, but most records are made from a small set of mechanisms. Once you understand the common pieces, checker results become much easier to act on.
v=spf1
Every SPF record begins with `v=spf1`. If a TXT record does not start with that value, it is not an SPF record. A checker should flag missing or malformed version tags.
include
`include` authorizes another domain's SPF record. This is how most SaaS email providers ask you to authorize them.
include:_spf.google.comUse includes only for services that truly send mail for your domain. Old includes should be removed.
ip4 and ip6
`ip4` and `ip6` authorize specific IP addresses or ranges. These are useful for owned infrastructure or static vendor IPs.
ip4:192.0.2.10
ip6:2001:db8::/32Do not add random IPs unless you know they send mail for your domain.
a and mx
`a` authorizes the IP addresses in the domain's A records. `mx` authorizes the mail exchangers listed in MX records. These can be convenient, but they also create DNS lookups and may authorize more than you intend.
redirect
`redirect` tells SPF evaluation to use another domain's SPF record instead of continuing with the current one. It is less common in everyday marketing setups and should be used carefully.
all
`all` matches everything not already matched. It is normally the last mechanism in the record. The qualifier before it matters: `~all`, `-all`, `?all`, or `+all`.
How to Fix SPF Without Breaking Email
SPF fixes should be deliberate. DNS changes can affect sales emails, product notifications, invoices, password resets, support messages, and marketing campaigns. Do not edit SPF casually during a live send.
Step 1: Build a sender inventory
List every service that sends mail using the domain. Include obvious services like Google Workspace or Microsoft 365, but also support desks, billing tools, product apps, CRMs, sales tools, webinar platforms, monitoring systems, and transactional email providers.
Ask three teams
Ask marketing, sales, and engineering what sends email. SPF often breaks because one team changes DNS without knowing another team uses the same domain.
Step 2: Compare inventory to the current SPF record
Run the SPF checker and map each mechanism to a real sender. If you cannot explain why an include or IP is present, investigate before removing it. If nobody owns it and no recent messages use it, mark it for cleanup.
Step 3: Create the merged record
Build one SPF record that includes the required sources. Keep it as short as possible. Avoid adding both vendor includes and IP ranges unless the vendor specifically requires it.
Step 4: Publish at a low-risk time
Make changes outside major campaign launches or important billing cycles. Lower the TTL in advance if your DNS provider allows it and you expect multiple edits.
Step 5: Send test messages and inspect headers
After DNS propagation, send test messages from each major sending source and inspect authentication results. You want SPF pass where expected, DKIM signing active, and DMARC alignment satisfied by SPF or DKIM.
Step 6: Monitor campaign results
Watch bounces, spam complaints, reply rates, and provider dashboards after the change. SPF is one piece of deliverability, not a standalone success metric.
How to Read SPF Results in Email Headers
An SPF checker shows the DNS record from the outside. Email headers show what happened when a real message was evaluated by a receiving system. You need both views. The DNS record tells you what the domain publishes. The header result tells you whether a specific message passed, failed, aligned, or used an unexpected return-path.
Find the authentication-results header
Most mailbox providers add an `Authentication-Results` header to received messages. This header can include SPF, DKIM, and DMARC results. A simplified example might look like this:
Authentication-Results: mx.google.com;
spf=pass smtp.mailfrom=mail.example.com;
dkim=pass header.d=example.com;
dmarc=pass header.from=example.comIn that example, SPF passed for `mail.example.com`, DKIM passed for `example.com`, and DMARC passed for the visible From domain. That is the kind of result you want to see from a properly authenticated campaign.
Look for the smtp.mailfrom domain
The `smtp.mailfrom` value shows the domain SPF evaluated. If that domain is not the one you expected, the sending provider may be using its own return-path domain or a custom bounce domain. That does not automatically mean the setup is wrong, but it does mean you should verify DMARC alignment.
Example: SPF passes for the provider, not your domain
spf=pass smtp.mailfrom=bounces.vendor-example.net
dmarc=fail header.from=example.comThis can happen when the vendor is authorized for its own return-path domain, but your visible From domain does not align. The fix is usually to configure the provider's custom return-path, custom bounce domain, or DKIM signing for your domain.
Use headers to confirm real sending behavior
Do not rely only on what a vendor dashboard says. Send real test messages from each system: employee mailbox, marketing platform, transactional provider, CRM, support desk, and sales automation tool. Then inspect the headers. If the SPF result differs from what you expected, the DNS checker and the real header together will show where to investigate.
Provider-Specific SPF Troubleshooting
Most SPF issues are not caused by the SPF syntax itself. They happen because teams use multiple providers and each provider gives separate DNS instructions. The operational challenge is merging those instructions into one working record without authorizing old or irrelevant systems.
Google Workspace
If your company email runs on Google Workspace, the standard SPF include is usually `_spf.google.com`. Add it only once. If Google is your only sender, the record is simple. If Google is one of several senders, merge it into your existing SPF record.
Common Google Workspace issue
A common mistake is adding Google SPF to a domain that already has an SPF record for another platform, creating two records. Merge the includes instead of publishing a second `v=spf1` TXT record.
Microsoft 365
Microsoft 365 commonly uses `include:spf.protection.outlook.com`. Microsoft also warns that if you already have an SPF TXT record, you should add Microsoft 365 to the current record rather than creating another SPF record. This is why a checker is useful immediately after Microsoft 365 setup.
Common Microsoft 365 issue
Teams often move from Google to Microsoft or run both during a transition. During that period, SPF records can contain stale Google includes, missing Microsoft includes, or duplicate records. Keep the transition period documented and clean up the old provider when migration is complete.
Transactional email providers
Providers such as SendGrid, Mailgun, Postmark, Amazon SES, and similar services may use SPF, DKIM, custom return-path domains, or a mix of authentication records. Follow the provider's exact domain authentication flow. Do not assume every provider wants the same SPF pattern.
Common transactional issue
The app may send password resets or invoices from `noreply@example.com`, while marketing sends from a different tool. If transactional mail fails authentication, critical product emails can be affected. Test transactional headers separately from marketing campaign headers.
Sales engagement and cold outreach tools
Sales tools often send through connected Google or Microsoft mailboxes, but some also use tracking domains, bounce domains, or infrastructure-specific authentication. If the tool sends directly through the user's mailbox, SPF may depend on Google or Microsoft. If it sends through its own infrastructure, the tool may require additional DNS records.
Common outreach issue
Teams connect several mailboxes and assume authentication is solved because the accounts can send. Sending permission and domain authentication are different. Check SPF, DKIM, and DMARC before scaling volume.
Recommended SPF Records for Common Setups
There is no universal SPF record because every domain uses different senders. Still, these examples show common patterns. Always confirm current provider guidance before publishing.
Google Workspace only
v=spf1 include:_spf.google.com ~allThis authorizes Google Workspace. Google's setup docs should be the source of truth for exact current guidance.
Microsoft 365 only
v=spf1 include:spf.protection.outlook.com -allMicrosoft documents this pattern for Microsoft 365 domains. Use the Microsoft admin guidance for your specific setup.
Google Workspace plus a marketing platform
v=spf1 include:_spf.google.com include:example-sender.com ~allReplace `example-sender.com` with the exact include your marketing platform provides. Do not guess.
Dedicated sending subdomain
v=spf1 include:send.example-provider.com ~allDedicated sending subdomains can reduce risk and simplify SPF when a specific platform manages marketing or transactional sends separately from your employee mailbox domain.
Owned server plus SaaS provider
v=spf1 ip4:192.0.2.10 include:_spf.google.com ~allOnly authorize owned IPs that actually send mail. If you move infrastructure, update SPF.
SPF Checker Results: What to Do Next
A checker result should lead to an action. The table below turns common results into practical next steps.
| Checker Result | Risk | Next Step |
|---|---|---|
| No SPF record | Receivers cannot use SPF to authorize senders. | Create one SPF TXT record with legitimate sending sources. |
| Multiple SPF records | SPF can return permerror. | Merge into a single SPF record. |
| Too many lookups | SPF can fail even if sources are listed. | Remove unused includes and simplify mechanisms. |
| Missing provider | Mail from that provider may fail SPF. | Add the provider's official include or IP guidance. |
| Uses +all | Any sender can pass SPF. | Replace with `~all` or `-all` after auditing sources. |
| Record looks valid | SPF may be fine, but deliverability can still fail elsewhere. | Check DKIM, DMARC, bounces, reputation, and content. |
SPF and Cold Outreach
Cold outreach puts extra pressure on sender reputation because many recipients do not know the sender yet. SPF will not make cold email wanted, but missing or broken SPF can make a cold campaign look less trustworthy before content is even considered.
Use a real sending domain
Do not send serious campaigns from a domain with no website, unclear ownership, or brand mismatch. SPF is a technical signal, but recipients and filters also evaluate trust context.
Separate risky streams
Many teams use a dedicated outreach domain or subdomain to isolate cold outreach from critical customer communication. If you do this, configure SPF, DKIM, and DMARC for that domain too. Do not treat it as disposable infrastructure.
Verify lists before blaming SPF
If SPF passes but bounces are high, your list may be the real problem. Pair the SPF checker with BuffSend's Email Verifier and List Hygiene Checker before launching large sends.
Watch replies, not only authentication
SPF pass means a receiver can confirm that the sending server is authorized. It does not mean the recipient wants the email. Track replies, positive response rate, bounces, unsubscribes, and complaints.
SPF and DMARC Alignment
SPF is most powerful when it contributes to DMARC alignment. DMARC checks whether SPF or DKIM aligns with the visible From domain. If SPF passes for a return-path domain that does not align, DMARC may still rely on DKIM or fail.
Why SPF can pass while DMARC fails
A vendor may send with its own return-path domain. SPF passes for that vendor domain, but the visible From address is your domain. If the domains do not align and DKIM also does not align, DMARC can fail.
How to fix alignment problems
Use the provider's custom return-path or bounce-domain setup when available, configure DKIM signing for your domain, and publish a DMARC record. Then test real messages and inspect authentication results.
Do not use SPF as your only authentication layer
SPF has forwarding limitations because forwarded mail may come from a server not listed in the original sender's SPF record. DKIM often survives forwarding better because the message remains signed. This is one reason modern sender guidance emphasizes SPF, DKIM, and DMARC together.
How BuffSend Helps With SPF Issues
BuffSend gives teams a practical way to check deliverability basics before campaigns. The SPF Record Checker helps you inspect your domain's SPF record. The platform also includes DKIM, DMARC, spam-word, subject-line, preview, email verification, list hygiene, and send-time tools.
Use the SPF checker before sender setup
Before connecting a sender or launching a campaign, check the sending domain. If SPF is missing or broken, fix DNS first. A campaign tool cannot compensate for a domain that does not authorize the sender correctly.
Use it after adding a new email platform
If you add a CRM, marketing platform, sales automation tool, or transactional email provider, check SPF again. Vendor onboarding instructions can conflict with what is already in DNS.
Use it during deliverability troubleshooting
When open, reply, or delivery performance drops, check the technical foundation first. SPF, DKIM, DMARC, list quality, sending volume, and content should all be reviewed before assuming one issue explains everything.
SPF Fix Checklist
Use this checklist when a checker reports an SPF problem.
Discovery
- Identify the exact domain being checked.
- List every service that sends mail for that domain.
- Find the official SPF instructions for each active provider.
- Check whether any sending subdomains have separate DNS records.
Record cleanup
- Keep only one TXT record starting with `v=spf1` at the same DNS name.
- Remove providers that no longer send email.
- Merge active provider includes into one record.
- Avoid `+all`.
- Review lookup-heavy mechanisms.
Testing
- Wait for DNS propagation.
- Run the SPF checker again.
- Send test messages from every major sender.
- Inspect message headers for SPF, DKIM, and DMARC results.
- Monitor real campaign bounces and replies after launch.
FAQ: SPF Record Checker and SPF Fixes
What is an SPF record checker?
An SPF record checker is a tool that looks up a domain's DNS TXT records and checks whether a valid SPF record exists. It can help identify missing records, duplicate records, invalid syntax, and risky SPF patterns.
How many SPF records should a domain have?
A domain should normally have one SPF TXT record at a given DNS name. If there are multiple records starting with `v=spf1`, SPF evaluation can fail.
Should I use ~all or -all?
Use `~all` while you are still confirming every legitimate sender. Consider `-all` only when you are confident that all sending sources are authorized and tested.
Can SPF fix emails going to spam?
SPF can fix one authentication problem, but spam placement depends on many factors including DKIM, DMARC, sender reputation, list quality, engagement, complaint rate, sending behavior, and message content.
Why does SPF pass but DMARC fail?
SPF may pass for the return-path domain while failing alignment with the visible From domain. Configure custom return-path alignment or DKIM signing for your domain, then test DMARC results.
What happens if SPF has too many DNS lookups?
SPF can fail with a permanent error if evaluation exceeds the lookup limit. Remove unused includes, simplify mechanisms, and avoid lookup-heavy records.
Where should I add an SPF record?
Add the SPF TXT record at the DNS name used for the sending domain or return-path domain, depending on your mail provider's setup. Do not add it to `www` unless that exact subdomain is used for mail authentication.
Final Recommendation
Use an SPF record checker before campaign launches, after adding email vendors, and whenever deliverability changes unexpectedly. A healthy SPF record should be easy to explain: one TXT record, current authorized senders, no obsolete includes, no `+all`, no duplicate records, and no DNS lookup overload.
SPF will not solve every deliverability problem, but broken SPF can create unnecessary risk for every email you send. Fix it first, then check DKIM, DMARC, list quality, sending volume, and campaign relevance.
Start by checking your domain with BuffSend's free SPF Record Checker.
