Help & Troubleshooting
SPF
What this is
SPF (Sender Policy Framework) is a TXT record listing the servers allowed to send email for your domain. Receivers check the connecting server against the list; combined with DMARC it stops others from forging your address.
How to read your result
One record starting v=spf1, mechanisms for each legitimate sending service, and a final all qualifier — ideally ~all or -all. Watch the DNS-lookup count: include/a/mx/exists mechanisms may total at most 10.
Common problems and how to fix them
More than 10 DNS lookups (permerror)
How it shows up: SPF evaluates as permanent error at receivers; authentication fails despite the record "looking right". Common after stacking several SaaS includes.
How to fix it: Remove includes for services you no longer use, replace a/mx with explicit ip4/ip6 where practical, or use the SPF flattening tool to resolve includes to raw IPs (then re-flatten periodically, since provider ranges change).
Legitimate mail fails because a sending service is missing
How it shows up: Mail from one tool (helpdesk, newsletter, CRM) goes to spam or bounces, while other mail is fine.
How to fix it: Add that provider's documented include (or IP ranges) to the existing record. Never create a second v=spf1 record — extend the one record.
Record ends with +all or ?all
How it shows up: Anyone anywhere passes SPF for your domain — spammers included; your domain's reputation erodes.
How to fix it: Tighten the policy: ~all (softfail) while validating your sender list, then -all once you are confident every legitimate source is included.
SPF correct but forwarded mail still fails
How it shows up: Mail routed through forwarders (mailing lists, university forwards) fails SPF at the final receiver.
How to fix it: This is inherent: forwarding breaks SPF because the forwarder's IP is not in your record. Deploy DKIM (which survives forwarding) plus DMARC, so messages authenticate via DKIM even when SPF fails.