Why is my SPF failing?
SPF failure means a receiving server could not verify that the sending server is authorised to send email for your domain. SPF permerror means the SPF record itself is invalid. SPF can also fail because of email forwarding, DNS lookup limits, or misconfigured records. SPF alone is not sufficient — DKIM and DMARC are also required for complete email authentication.
What causes SPF failure
SPF fails when the sending server's IP address is not listed in the domain's SPF record. The receiving server checks the envelope sender (MAIL FROM) against the domain's v=spf1 TXT record.
The most common causes of SPF failure are:
Unauthorised sender. A third-party service sends email on your behalf without being added to your SPF record.
Missing include. A sending provider's include mechanism is not present in your SPF record.
Email forwarding. The forwarding server's IP is not in your SPF record.
SPF permerror. The SPF record is invalid due to syntax errors, multiple records, or exceeding the DNS lookup limit.
SPF permerror explained
SPF permerror means the SPF record is permanently invalid and cannot be evaluated. Unlike a temporary DNS error, permerror is a configuration problem on the domain owner's side.
Receiving servers may treat SPF permerror as SPF failure and reject or spam-filter the message. DMARC alignment also fails when SPF returns permerror.
The most common permerror causes are multiple SPF records and exceeding the 10 DNS lookup limit.
Too many DNS lookups
SPF allows a maximum of 10 DNS lookups during evaluation. The terms that count toward this limit are include, a, mx, exists, and ptr mechanisms, plus the redirect= modifier.
Nested include chains also count. A single include may trigger several additional lookups inside the included domain's SPF record.
When the limit is exceeded, receiving servers return SPF permerror.
The ip4: and ip6: mechanisms do not count as DNS lookups and are not affected by the limit.
To reduce lookups, remove unused senders, replace include mechanisms with explicit ip4: ranges where practical, and audit third-party senders regularly.
Multiple SPF records
A domain must have exactly one SPF TXT record starting with v=spf1. If two or more v=spf1 records exist, receiving servers cannot determine which policy to apply and return SPF permerror.
Multiple SPF records are often created accidentally when adding a new email provider without merging it into the existing record.
The fix is to merge all include mechanisms and IP ranges into a single v=spf1 record and delete the duplicates.
SPF softfail vs hardfail
The all mechanism at the end of an SPF record defines how receivers should treat senders not listed in the record.
-all (hardfail) — senders not listed should fail SPF. This is the most strict setting and is recommended for production domains.
~all (softfail) — senders not listed should be marked as suspicious but not outright failed. Often used during setup or testing.
?all (neutral) — no policy is defined. Provides no protection.
+all (pass all) — allows any sender. This disables SPF protection entirely and should never be used.
Email forwarding and SPF
Email forwarding commonly breaks SPF. When a message is forwarded, the forwarding server delivers it using its own IP address, which is not listed in the original sender's SPF record.
Receiving servers check SPF against the current sending IP, so the forwarding server causes an SPF failure even though the original sender was legitimate.
DKIM does not have this problem because DKIM signatures are attached to the message and survive forwarding. This is why configuring both SPF and DKIM makes DMARC more resilient.
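The forwarding failure above can be reproduced with a small SPF evaluator. This is an added example, not MXFend's checker or any library's code; it implements a reduced form of the RFC 7208 check_host() step (only ip4, ip6, include and all) against a constructed DNS table, so the domains, addresses and records are assumptions made up for the illustration. The same message is evaluated twice: once from the listed outbound server and once from a forwarding host, and the only thing that changes is the connecting IP.

```python
import ipaddress

# Constructed DNS table standing in for live TXT lookups (assumption: the
# domains, addresses and records below are made up for this example).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mailprovider.example ~all",
    "mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# Result produced when a term with the given qualifier matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def split_term(term):
    """Return (qualifier, mechanism, argument) for a term like '-all' or 'ip4:203.0.113.0/24'."""
    qualifier = "+"  # an omitted qualifier means "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def check_host(ip, domain, records=SPF_RECORDS, depth=0):
    """Simplified check_host(): evaluate the connecting IP against the domain's SPF record.

    Only ip4, ip6, include and all are implemented. The a, mx, exists and ptr
    mechanisms need live DNS, so this evaluator reports them as permerror
    (a simplification for the example, not RFC behaviour).
    """
    if depth > 10:  # guard against runaway include nesting
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier, name, arg = split_term(term)
        if name in ("ip4", "ip6"):
            try:
                # An IPv4 address never matches an IPv6 network and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner in ("permerror", "none"):
                return "permerror"  # RFC 7208: a missing included record is a permerror
            matched = inner == "pass"  # include matches only on an inner pass
        elif name == "all":
            matched = True
        else:
            return "permerror"  # a, mx, exists, ptr: unsupported in this reduced evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no term matched and no all mechanism present


def forwarding_scenario():
    """Same message, two delivery paths: direct from the listed MTA, then via a forwarder."""
    origin_ip = "203.0.113.7"    # constructed: the domain's own outbound server
    forwarder_ip = "192.0.2.55"  # constructed: a forwarding host listed in no SPF record
    return {
        "direct": check_host(origin_ip, "example.com"),
        "forwarded": check_host(forwarder_ip, "example.com"),
    }


if __name__ == "__main__":
    for path, result in forwarding_scenario().items():
        print(f"{path}: {result}")
```

The direct delivery passes through the ip4 range, the forwarded copy falls through to ~all and gets softfail; had the record ended in -all the forwarded copy would fail outright. Nothing about the message content changed, which is why a DKIM signature that travels with the message is the more robust signal for forwarded mail.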
SPF passes but DMARC fails
SPF can pass at the envelope level while DMARC still fails. This happens when the MAIL FROM domain does not align with the visible From: header domain.
DMARC requires alignment: the authenticated domain must match the From: header domain. With relaxed alignment, an organisational domain match is sufficient. With strict alignment, an exact domain match is required.
If your third-party sender uses a MAIL FROM domain that does not match your From: domain, SPF passes but DMARC alignment fails. Ensure the sending service signs with DKIM using your From: domain to provide DMARC alignment independently of SPF.
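The alignment rule is easy to get wrong in the abstract, so here is the check written out. This is an added example rather than MXFend's or any DMARC library's code. It assumes the SPF result for the MAIL FROM domain is already known and approximates the organisational domain as the last two labels; a real implementation consults the Public Suffix List so that a name like mail.example.co.uk maps to example.co.uk. The two MAIL FROM values for the third-party provider are constructed for the illustration.

```python
def organizational_domain(domain):
    """Approximate the organisational domain as the last two labels.

    Assumption: a production implementation uses the Public Suffix List;
    the two-label rule is wrong for names such as example.co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(mail_from_domain, header_from_domain, mode="r"):
    """DMARC SPF identifier alignment.

    mode 'r' (relaxed): the organisational domains must match.
    mode 's' (strict):  the domains must match exactly.
    """
    a = mail_from_domain.lower().rstrip(".")
    b = header_from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_spf_result(spf_result, mail_from_domain, header_from_domain, mode="r"):
    """DMARC's SPF leg passes only when SPF passed AND the MAIL FROM domain aligns."""
    return spf_result == "pass" and spf_aligned(mail_from_domain, header_from_domain, mode)


def third_party_scenario():
    """Mail whose visible From: is example.com, sent by a provider in two configurations."""
    header_from = "example.com"
    cases = {
        # constructed: provider keeps its own bounce domain as MAIL FROM
        "provider default return-path": "bounces.esp-provider.example",
        # constructed: provider is configured with a customer subdomain as MAIL FROM
        "custom return-path subdomain": "bounce.example.com",
    }
    return {
        label: {
            "relaxed": dmarc_spf_result("pass", mail_from, header_from, "r"),
            "strict": dmarc_spf_result("pass", mail_from, header_from, "s"),
        }
        for label, mail_from in cases.items()
    }


if __name__ == "__main__":
    for label, outcome in third_party_scenario().items():
        print(f"{label}: {outcome}")
```

With the provider's own bounce domain SPF passes but neither alignment mode is satisfied, so DMARC cannot use the SPF result at all. A customer bounce subdomain satisfies relaxed alignment but not strict, which is worth knowing before setting aspf=s in a DMARC record.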
How to fix SPF
Identify all servers sending email for your domain and ensure each is covered by an include: or ip4: mechanism in your SPF record.
Merge multiple SPF records into a single v=spf1 TXT record if more than one exists.
Count the total DNS lookups in your SPF record and reduce them below 10 by removing unused senders or replacing include mechanisms with explicit IP addresses.
Use -all or ~all at the end of the record. Avoid +all.
Configure DKIM signing alongside SPF so DMARC can pass even during forwarding scenarios.
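The three record-level problems described on this page (more than one v=spf1 record, more than 10 DNS lookups once nested includes and redirects are followed, and a dangerous all mechanism) can all be found from the TXT data alone. The auditor below is an added example serving the lookup-limit, multiple-records, all-mechanism and fix-up sections above; it is not MXFend's SPF Checker or any library's code. It reads from a constructed DNS table instead of querying DNS, and every domain and record in that table is an assumption built so that one record exceeds the limit.

```python
# Constructed DNS table: domain -> TXT strings (assumption: a real audit
# would query DNS; every name and record here is made up for the example).
TXT_RECORDS = {
    "example.com": [
        "v=spf1 include:_spf.mailhost.example include:crm.example "
        "include:helpdesk.example ip4:203.0.113.0/24 ~all",
        "v=spf1 include:newsletter.example -all",  # a second v=spf1 record
        "example-site-verification=constructed",   # unrelated TXT, ignored
    ],
    "_spf.mailhost.example": [
        "v=spf1 include:relay1.mailhost.example include:relay2.mailhost.example -all"
    ],
    "relay1.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 a mx -all"],
    "relay2.mailhost.example": ["v=spf1 ip6:2001:db8::/32 exists:%{i}.chk.mailhost.example -all"],
    "crm.example": ["v=spf1 redirect=_spf.crm.example"],
    "_spf.crm.example": ["v=spf1 ip4:192.0.2.0/24 ptr -all"],
    "helpdesk.example": ["v=spf1 a mx -all"],
    "newsletter.example": ["v=spf1 ip4:192.0.2.128/25 +all"],
}

# Terms that cost a DNS query during evaluation; ip4/ip6 are free.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
MAX_LOOKUPS = 10


def spf_records(domain, txt=TXT_RECORDS):
    """All TXT strings at the domain that start with the v=spf1 version tag."""
    return [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]


def parse_term(term):
    """Return (name, argument) with the qualifier and any CIDR length stripped.

    Handles mechanisms ('include:x', 'a/24', 'ip4:1.2.3.0/24', '-all') and
    modifiers ('redirect=x').
    """
    term = term.lstrip("+-~?").lower()
    if "=" in term and ":" not in term.split("=", 1)[0]:
        name, _, arg = term.partition("=")  # modifier
        return name, arg
    name, _, arg = term.partition(":")
    return name.partition("/")[0], arg


def count_lookups(record, txt=TXT_RECORDS, path=frozenset()):
    """Count DNS-querying terms in the record plus everything reached via include/redirect.

    `path` holds the domains already being expanded on this branch so that an
    include loop terminates; a domain included on two separate branches is
    counted on both, as a receiver would.
    """
    total = 0
    for term in record.split()[1:]:  # skip v=spf1
        name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg not in path:
            for nested in spf_records(arg, txt):
                total += count_lookups(nested, txt, path | {arg})
    return total


def audit(domain, txt=TXT_RECORDS):
    """Findings a checker would raise for the domain's SPF setup (empty list = clean)."""
    findings = []
    records = spf_records(domain, txt)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        findings.append(f"multiple SPF records ({len(records)}): permerror")
    for record in records:
        lookups = count_lookups(record, txt)
        if lookups > MAX_LOOKUPS:
            findings.append(f"too many DNS lookups ({lookups} > {MAX_LOOKUPS}): permerror")
        last = record.split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("+all allows any sender")
        elif last == "?all":
            findings.append("?all provides no protection")
        elif not last.endswith("all") and not last.startswith("redirect="):
            findings.append("no all mechanism")
    return findings


if __name__ == "__main__":
    for domain in TXT_RECORDS:
        print(domain, audit(domain) or ["ok"])
```

For example.com the first record costs 12 lookups: the three includes themselves, the two relays behind _spf.mailhost.example with their a, mx and exists terms, the redirect and ptr behind crm.example, and the a and mx behind helpdesk.example. Replacing the helpdesk include with its ip4 range would bring the count back under 10, and the second v=spf1 record has to be merged into the first in any case.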
How to check SPF
Use MXFend's SPF Checker to detect SPF failures, multiple records, dangerous all mechanisms, and excessive DNS lookups.
Run the MXFend Email Security Score for a complete audit covering SPF, DKIM, DMARC, blacklists, SMTP TLS, and more.
Frequently asked questions
What does SPF permerror mean?
SPF permerror means the SPF record is permanently invalid and cannot be evaluated. Common causes include multiple SPF records and exceeding the 10 DNS lookup limit.
Can SPF fail because of forwarding?
Yes. Email forwarding commonly breaks SPF because the forwarding server's IP is not listed in the original sender's SPF record. DKIM is more resilient to forwarding.
Why does Gmail say SPF failed?
Gmail reports SPF failure when the sending server's IP is not authorised in the domain's SPF record, when the record is invalid (permerror), or when MAIL FROM alignment fails for DMARC purposes.
Can SPF pass but DMARC fail?
Yes. SPF may pass at the envelope level while DMARC fails if the MAIL FROM domain does not align with the visible From: header domain. DMARC requires alignment in addition to SPF passing.