Why SPF Records Break
SPF records seem simple at first glance, but they have strict rules and limits that are easy to violate — especially as your organization grows and adds new sending services. A broken SPF record can cause legitimate email to fail authentication and land in spam, or even be rejected entirely.
Here are the most common SPF errors and exactly how to fix them.
Error 1: Too Many DNS Lookups (PermError)
What it is: RFC 7208 allows at most 10 DNS-querying terms per evaluation. include, a, mx, ptr, exists and the redirect modifier each count once, and the terms inside every included record count too, so a single include of a large provider can spend several of the 10 on its own; ip4, ip6 and all cost nothing. Going over the limit produces a PermError, which receivers treat as a failed check and which DMARC counts as SPF not passing.
How to fix it:
- Audit your SPF record with an SPF lookup counter tool that follows every nested include
- Replace include statements with direct ip4/ip6 mechanisms where the provider publishes stable address ranges
- Consider an SPF flattening service that resolves includes and inlines the IP addresses; a flattened record goes stale the moment a provider changes its ranges, so the flattening must be re-run automatically, not once
- Remove sending services you no longer use
Error 2: Multiple SPF Records on One Domain
What it is: Publishing two or more TXT records starting with v=spf1 on the same domain results in a PermError. Receiving servers won't know which one to use.
How to fix it: Merge all SPF content into a single TXT record. For example, combine v=spf1 include:a.com ~all and v=spf1 include:b.com ~all into v=spf1 include:a.com include:b.com ~all.
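To make the lookup budget (Error 1) and the multiple-record PermError (Error 2) concrete, here is a reduced check_host() evaluator written for this page; it is an added example, not code from the original article or from any SPF library. It resolves names against a constructed in-memory zone (every domain, address and record in ZONE is made up, using documentation address ranges), shares one lookup counter across include and redirect recursion the way RFC 7208 requires, and maps PermError to the "permerror" result a receiver would log. Because all always matches, a redirect in a record that also carries all is never reached, which is the Error 9 behaviour described later on this page.

```python
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: include, a, mx, ptr, exists and redirect each cost one


class PermError(Exception):
    """Raised wherever RFC 7208 says the result is permerror."""


# Constructed zone data standing in for live DNS. Every name, address and record
# below is made up for this example and belongs to no real sender.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.esp.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("_spf.esp.example", "TXT"): ["v=spf1 ip4:192.0.2.0/25 ip6:2001:db8::/32 ~all"],
    # Error 2: two v=spf1 records published at one name.
    ("double.example", "TXT"): ["v=spf1 include:_spf.esp.example -all", "v=spf1 mx -all"],
    # Error 9: the redirect is dead code because the record also carries all.
    ("redir.example", "TXT"): ["v=spf1 redirect=example.com ~all"],
}
# Error 1: an include chain long enough to exhaust the 10-lookup budget.
for i in range(12):
    ZONE[(f"hop{i}.example", "TXT")] = [f"v=spf1 include:hop{i + 1}.example -all"]

RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    """Stand-in resolver over the constructed zone; [] plays the role of NXDOMAIN/NODATA."""
    return ZONE.get((name.lower(), rtype), [])


def spf_record(domain):
    """The single v=spf1 TXT record at domain: None if absent, PermError if there are several."""
    found = [r for r in dns(domain, "TXT") if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(found) > 1:
        raise PermError(f"{domain}: {len(found)} SPF records published")
    return found[0] if found else None


def spend_lookup(budget, domain):
    """Charge one DNS-querying term to the shared budget and fail hard past the limit."""
    budget[0] += 1
    if budget[0] > LOOKUP_LIMIT:
        raise PermError(f"{domain}: more than {LOOKUP_LIMIT} DNS lookups")


def check_host(ip, domain, budget):
    """Reduced RFC 7208 check_host(): ip4, ip6, a, mx, include, all and redirect.
    budget is a one-element list so every include/redirect shares the same counter."""
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]        # a/24 -> a; the CIDR suffix is not applied here
        target = arg.split("/")[0] or domain     # a, mx and include default to the current domain
        if name in ("include", "a", "mx", "ptr", "exists"):
            spend_lookup(budget, domain)
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)   # False across IP versions
        elif name == "a":
            matched = str(ip) in dns(target, "A")
        elif name == "mx":
            matched = any(str(ip) in dns(mx, "A") for mx in dns(target, "MX"))
        elif name == "include":
            inner = check_host(ip, target, budget)
            if inner == "none":
                raise PermError(f"{domain}: include:{target} publishes no SPF record")
            matched = inner == "pass"
        else:
            matched = False   # ptr and exists are charged to the budget but not evaluated here
        if matched:
            return RESULT_FOR[qualifier]
    if redirect:              # only reached when no term matched, so never when all is present
        spend_lookup(budget, domain)
        result = check_host(ip, redirect, budget)
        if result == "none":
            raise PermError(f"{domain}: redirect target {redirect} publishes no SPF record")
        return result
    return "neutral"          # RFC 7208 section 4.7: no match and no redirect


def evaluate(ip, domain):
    """What a receiver logs: (result, lookups spent), with PermError folded into 'permerror'."""
    budget = [0]
    try:
        return check_host(ipaddress.ip_address(ip), domain, budget), budget[0]
    except PermError:
        return "permerror", budget[0]


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"), ("192.0.2.200", "example.com"),
                       ("203.0.113.7", "double.example"), ("203.0.113.7", "hop0.example"),
                       ("203.0.113.7", "redir.example")]:
        print(domain, ip, evaluate(ip, domain))
```

Swapping ZONE for a real resolver turns this into a usable pre-publication check: evaluate() for each of your known sending IPs should return pass, and the second element of the tuple is the lookup count an auditor tool would report. The hop chain shows that the budget is exhausted inside the eleventh include, not at the top level, which is why counting only the terms in your own record underestimates the cost.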
Error 3: Missing or Incorrect "all" Mechanism
What it is: An SPF record with no all mechanism (and no redirect) returns neutral for any sender that matches no other term, exactly as if it ended with ?all. Unlisted senders are neither authorized nor rejected, so receivers have nothing to enforce and the record does little more than document your own servers.
How to fix it: Always end your SPF record with one of these:
- -all — Hard fail (recommended for strict environments)
- ~all — Soft fail (recommended for most setups)
- Avoid +all, which authorizes everyone and renders SPF useless
For DMARC purposes -all and ~all behave the same: neither is an SPF pass, so alignment fails either way. The difference only matters to receivers that act on SPF alone, which may reject outright on -all and merely add a spam score on ~all.
Error 4: Forgetting a Sending Service
What it is: Adding a new ESP (email service provider) like Mailchimp or HubSpot without updating your SPF record causes their sends to fail authentication.
How to fix it: Maintain an inventory of every service that sends mail on your domain's behalf, including marketing platforms, ticketing and CRM tools, transactional mail and monitoring alerts. When onboarding a new service, add the include or IP range its documentation specifies before the first send, and recount lookups afterwards, since each new include spends part of the budget of 10.
Error 5: Using PTR Mechanisms
What it is: RFC 7208 says publishers SHOULD NOT use the ptr mechanism: it depends on reverse DNS lookups that are slow and unreliable, it counts against the 10-lookup limit, and a legitimate host whose reverse DNS is missing or wrong simply fails to match.
How to fix it: Replace any ptr mechanisms with the equivalent ip4, ip6, or include mechanisms.
Error 6: IP Address Typos
What it is: A single character error in an IP address or CIDR range (e.g., ip4:203.0.113.0/24 when the mail actually leaves from 203.0.114.0/24) silently causes authentication failures: the record is syntactically valid, so no tool complains, but the real sender never matches. Private ranges such as 192.168.0.0/16 never belong in SPF at all, because receivers only ever see the public address your mail gateway or NAT presents.
How to fix it: Cross-reference your SPF record's IPs against the addresses that actually connect to receivers. In a test message, the client-ip value in the Received-SPF header, or the client-ip and smtp.mailfrom fields in Authentication-Results, show exactly which address was evaluated. Remember that this is the public address of the last hop that handed the message to the receiver, not the internal address of the host that composed it.
Error 7: Subdomain Not Covered
What it is: SPF is looked up at exactly the domain of the envelope sender (MAIL FROM), or of the HELO/EHLO hostname when MAIL FROM is empty, as it is for bounces. A record at example.com does nothing for mail.example.com or newsletter.example.com; each subdomain you send from needs its own record.
How to fix it: Publish a separate SPF TXT record at every subdomain used as an envelope sender or HELO name. A record of v=spf1 redirect=example.com is a convenient way to share the parent's policy, at the cost of one lookup. For subdomains that never send mail, publish v=spf1 -all so they cannot be borrowed for spoofing.
Error 8: Record Too Long
What it is: Each character-string inside a TXT record holds at most 255 bytes, but one TXT record may carry several strings, which receivers concatenate with nothing in between. Some DNS providers split a long value into strings automatically; others reject it or silently truncate it.
How to fix it: If your SPF record exceeds 255 characters, split it into multiple quoted strings within the same TXT record, breaking only at a space and keeping that space at the end of one string or the start of the next; because the strings are joined with no separator, a split in the middle of include:a.example include:b.example produces the single bogus term include:a.exampleinclude:b.example. Most modern DNS UIs handle the split transparently, but check the published record with dig. Keep the whole record small enough that the DNS answer fits in a traditional 512-byte UDP response, as RFC 7208 advises; a record that needs EDNS0 or TCP fallback is one more thing that can fail.
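The splitting rule above is easy to get wrong by hand, so here is a small helper written for this page (an added example, not code from the original article) that breaks a long record into TXT strings only at term boundaries and keeps the separating space inside a string, then shows what a resolver's plain concatenation does to a hand-split pair that lost its space. LONG_RECORD and HAND_SPLIT are constructed inputs using documentation address ranges and made-up names.

```python
MAX_STRING = 255  # RFC 1035: each character-string in TXT RDATA holds at most 255 octets


def split_txt(record, limit=MAX_STRING):
    """Split one SPF record into TXT strings of at most `limit` bytes, breaking only
    between terms. Every string except the last ends with the separating space, so
    the resolver-side concatenation (which inserts nothing) rebuilds the record exactly."""
    tokens = record.split()
    too_long = [t for t in tokens if len(t.encode()) + 1 > limit]
    if too_long:
        raise ValueError(f"term cannot fit in one TXT string: {too_long[0]}")
    pieces, current = [], ""
    for token in tokens:
        candidate = f"{current} {token}" if current else token
        # +1 reserves room for the trailing space this string needs if it is not the last one
        if len(candidate.encode()) + 1 > limit:
            pieces.append(current + " ")
            current = token
        else:
            current = candidate
    pieces.append(current)
    return pieces


def join_txt(strings):
    """What a resolver does with a multi-string TXT record: plain concatenation."""
    return "".join(strings)


# Constructed record, long enough to need three strings; the addresses are documentation ranges.
LONG_RECORD = "v=spf1 " + " ".join(f"ip4:203.0.113.{i}/32" for i in range(30)) + " -all"

# The hand-split version many people type into a DNS console: the space between the
# two strings was dropped, so the joined record contains one bogus term.
HAND_SPLIT = ["v=spf1 include:a.example", "include:b.example -all"]

if __name__ == "__main__":
    for s in split_txt(LONG_RECORD):
        print(len(s), repr(s))
    print(join_txt(HAND_SPLIT))
```

After publishing, `dig +short TXT example.com` prints the strings the way the resolver sees them; if the output shows a term with no space before it, the zone was split the HAND_SPLIT way.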
Error 9: Using "redirect" Without Removing "all"
What it is: The redirect modifier delegates SPF policy to another domain's record. It is only consulted when no mechanism in the current record matched, and all always matches, so if an all mechanism appears in the same record, evaluation stops there and the redirect is never followed.
How to fix it: When using redirect=, remove the all mechanism from the record entirely and let the target record supply it. Keep in mind that redirect spends one of the 10 lookups and that the target must itself publish an SPF record; if it does not, the result is PermError.
Error 10: Not Testing After Changes
What it is: Making changes to SPF without validating the updated record is the most preventable mistake.
How to fix it: After every change, use an SPF validation tool to check for syntax errors, lookup counts, and coverage, and query the published record with dig to confirm that what is live matches what you intended. Then send a test message to a mailbox at a different provider and inspect its Authentication-Results header: the result should read spf=pass, and smtp.mailfrom= should name the domain you changed.
Quick Reference: SPF Diagnostic Checklist
- Only one TXT record with v=spf1 exists on the domain
- Total DNS lookup count is 10 or fewer
- All sending services are listed
- Record ends with -all or ~all
- No PTR mechanisms are present
- All IP addresses are correct and current
- Subdomains have their own SPF records if needed
- Tested and confirmed with an SPF checker tool
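Most of the checklist can be scripted against the record text alone, without resolving anything. The linter below is an added example written for this page, not code from the original article or from any SPF tool; it covers the single-record rule, the all mechanism (missing, +all, or followed by dead terms), ptr, a redirect shadowed by all, and malformed ip4/ip6 arguments. The lookup total needs the include tree resolved and is out of scope here. SAMPLES holds constructed records, one per finding, with made-up names and documentation addresses.

```python
import ipaddress

QUALIFIERS = "+-~?"


def parse_term(term):
    """Return (qualifier, name, value, is_modifier) for one SPF term.
    Mechanisms look like name, name:value or name/cidr; modifiers look like name=value."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    head = term.split(":", 1)[0]
    if "=" in head:
        name, value = term.split("=", 1)
        return qualifier, name.lower(), value, True
    name, _, value = term.partition(":")
    return qualifier, name.lower().split("/")[0], value, False


def lint_spf(txt_records):
    """Static checks on the TXT records published at one name. Returns a list of findings;
    an empty list means the record passes every check that needs no DNS resolution."""
    spf = [r for r in txt_records if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return ["no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published: receivers return PermError")
    for record in spf:
        terms = record.split()[1:]
        has_all = has_redirect = False
        for i, term in enumerate(terms):
            qualifier, name, value, is_modifier = parse_term(term)
            if is_modifier:
                has_redirect = has_redirect or name == "redirect"
            elif name == "all":
                has_all = True
                if qualifier == "+":
                    findings.append("+all authorizes every sender on the internet")
                if i != len(terms) - 1:
                    findings.append(f"terms after all are never evaluated: {' '.join(terms[i + 1:])}")
            elif name == "ptr":
                findings.append("ptr mechanism present: slow, unreliable and charged to the lookup limit")
            elif name in ("ip4", "ip6"):
                try:
                    # ip4:2001:db8::/32 parses as a network but of the wrong family, so treat it as malformed
                    if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                        raise ValueError
                except ValueError:
                    findings.append(f"malformed address or CIDR in {term}")
        if has_all and has_redirect:
            findings.append("redirect= is ignored because the record also contains all")
        if not has_all and not has_redirect:
            findings.append("no all mechanism: unlisted senders get neutral, not fail")
    return findings


# Constructed records, one per checklist item; every name and address is made up.
SAMPLES = {
    "clean": ["v=spf1 ip4:203.0.113.0/24 include:_spf.esp.example -all"],
    "two records": ["v=spf1 include:_spf.esp.example -all", "v=spf1 mx -all"],
    "ptr and +all": ["v=spf1 ptr +all"],
    "dead redirect": ["v=spf1 redirect=example.com ~all"],
    "typo": ["v=spf1 ip4:203.0.113.0/33 ip4:2001:db8::/32 ~all"],
    "no all": ["v=spf1 include:_spf.esp.example"],
    "all too early": ["v=spf1 -all include:_spf.esp.example"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", lint_spf(records) or "OK")
```

Feed it the list of TXT strings returned for a name (after joining multi-string records) and run it in the same pipeline that pushes zone changes, so a record that would produce PermError never reaches production DNS.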