Last updated May 22, 2026

SPF Records: What They Are and How to Fix Them

SPF tells receiving mail servers which servers are allowed to send email for your domain. Learn softfail vs hardfail and fix common SPF mistakes.

What is SPF?

SPF (Sender Policy Framework) is a DNS TXT record that lists all the mail servers authorised to send email on behalf of your domain. When a receiving mail server gets an email from your domain, it checks your SPF record to verify the sending server is on the approved list.

SPF works alongside DKIM and DMARC to form a complete email authentication stack.

SPF policies explained

The most important part of your SPF record is its final term, the all mechanism, and the qualifier in front of it:

Qualifier   Meaning                                          Risk
-all        Hardfail -- reject email from unlisted servers   Best
~all        Softfail -- accept but mark as suspicious        Acceptable
?all        Neutral -- no policy                             Poor
+all        Pass everything -- allows anyone to send         Never use

Most organisations use ~all (softfail) when they should use -all (hardfail).

Softfail means that even if an attacker sends spoofed email from your domain, receiving servers will accept it (just mark it as suspicious). Hardfail causes it to be rejected outright.

How to check your current SPF record

Run this command (replace yourdomain.com with your domain):

dig TXT yourdomain.com | grep spf

Or use MXToolbox SPF Lookup.

A typical SPF record looks like:

v=spf1 include:_spf.hostinger.com include:sendgrid.net ~all

How to fix softfail to hardfail

  1. First, make sure ALL services that send email for your domain are listed in your SPF record
  2. Check your email logs for any legitimate sending sources you might have missed
  3. Once you are confident the list is complete, change ~all to -all

Before changing to -all, check:

  • Your main mail server
  • Any newsletter services (Mailchimp, SendGrid, etc.)
  • Any CRM or ticketing tools that send email
  • Any automated systems (monitoring alerts, invoices, etc.)
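Step 2 above, checking the logs for sending sources you missed, can be done mechanically. The script below is an added example and is not code from the original article or from SurfaceScan: it walks the domain's SPF record (following include: and redirect=), collects the ip4:/ip6: networks it authorises, and reports every sending IP in the mail log that none of them covers. The zone data, domain names and log lines are constructed for the example, the log format is a simplified one rather than any particular mail server's syntax, and the a and mx mechanisms, which need live DNS, are skipped.

```python
import ipaddress
import re

# Constructed DNS data for this example: domain -> SPF TXT record.
# A real check would query DNS; the records are embedded so the script runs offline.
ZONE = {
    "example.test": "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.test ~all",
    "_spf.mailprovider.test": "v=spf1 ip4:198.51.100.0/24 include:relay.mailprovider.test -all",
    "relay.mailprovider.test": "v=spf1 ip6:2001:db8:1::/48 -all",
}

# Constructed outbound mail log in a simplified format (not any specific server's syntax).
MAIL_LOG = """\
2026-05-20T10:01:12Z host=smtp-out-1 client_ip=203.0.113.10 from=billing@example.test status=sent
2026-05-20T10:02:45Z host=smtp-out-1 client_ip=198.51.100.77 from=news@example.test status=sent
2026-05-20T10:05:03Z host=smtp-out-1 client_ip=192.0.2.44 from=alerts@example.test status=sent
2026-05-20T10:07:19Z host=smtp-out-1 client_ip=2001:db8:1::9 from=invoices@example.test status=sent
"""


def authorised_networks(domain, zone=ZONE, path=()):
    """Collect the ip4:/ip6: networks a domain's SPF record authorises.

    Follows include: and redirect= so that providers' records are expanded.
    The a and mx mechanisms are skipped here because they need live DNS.
    """
    record = zone.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return []  # include loop or no usable record
    nets = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.startswith("include:"):
            nets.extend(authorised_networks(term.split(":", 1)[1], zone, path + (domain,)))
        elif term.startswith("redirect="):
            nets.extend(authorised_networks(term.split("=", 1)[1], zone, path + (domain,)))
    return nets


def sending_ips(log_text):
    """Return the distinct sending IPs in the constructed log, IPv4 first, in address order."""
    found = {m.group(1) for m in re.finditer(r"client_ip=(\S+)", log_text)}
    return sorted(found, key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))))


def unauthorised_senders(domain, log_text, zone=ZONE):
    """Sending IPs from the log that the domain's SPF record does not cover.

    With ~all these are merely marked suspicious; with -all they would be rejected,
    so each one must be added to the record or confirmed not to be yours first.
    """
    nets = authorised_networks(domain, zone)
    return [ip for ip in sending_ips(log_text)
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    gaps = unauthorised_senders("example.test", MAIL_LOG)
    for ip in gaps:
        print(f"not covered by SPF for example.test: {ip}")
    print("safe to move to -all" if not gaps else "fix the record before moving to -all")
```

Anything the script reports is either a legitimate sender that must be added to the record or a source that is not yours; run it over a period long enough to include monthly jobs such as invoicing before treating an empty result as permission to switch to -all.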

Common SPF mistakes

Multiple SPF records

You can only have ONE SPF record per domain. Having two causes failures. Merge them into a single record.

Wrong:

v=spf1 include:mailprovider.com ~all
v=spf1 include:newsletter.com ~all

Correct:

v=spf1 include:mailprovider.com include:newsletter.com ~all

Too many DNS lookups

SPF allows a maximum of 10 DNS lookups. Each include: counts as one. If you exceed 10, SPF will fail with a permerror. Use tools like dmarcian SPF Surveyor to count your lookups.
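The checks in this section, together with the qualifier table above, can be scripted. The following Python is an added example rather than the article's or SurfaceScan's code. It works on constructed zone data embedded in the script instead of querying DNS, flags domains that publish more than one SPF record, reads the qualifier on the final all mechanism, and counts DNS lookups the way a receiver does: include:, a, mx, ptr, exists and redirect= each cost one lookup (ip4:, ip6: and all cost none), and lookups made inside an included record count against the same limit of 10.

```python
import re

MAX_LOOKUPS = 10
# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4, ip6 and all cost none.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
# The article's qualifier table. An all mechanism with no qualifier means +all.
QUALIFIER_RISK = {
    "-": "hardfail: best",
    "~": "softfail: acceptable",
    "?": "neutral: poor",
    "+": "pass everything: never use",
}

# Constructed zone data for this example: domain -> list of TXT records that start with v=spf1.
# Real checks would query DNS; a domain may (wrongly) publish more than one record.
ZONE = {
    "good.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.provider.test -all"],
    "_spf.provider.test": ["v=spf1 mx include:relay-a.provider.test include:relay-b.provider.test -all"],
    "relay-a.provider.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "relay-b.provider.test": ["v=spf1 a:out.relay-b.provider.test -all"],
    "duplicate.test": ["v=spf1 include:mailprovider.test ~all", "v=spf1 include:newsletter.test ~all"],
    "heavy.test": ["v=spf1 " + " ".join(f"include:svc{i}.test" for i in range(11)) + " ~all"],
}

# name, optional /cidr, optional :argument or =argument
TERM_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)(?:/\d+)?(?:[:=](.*))?$")


def spf_records(domain, zone):
    """TXT records for the domain that are SPF records (version tag v=spf1)."""
    return [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]


def split_term(term):
    """Split one SPF term into (qualifier, name, argument), e.g. '~include:x.test' -> ('~', 'include', 'x.test')."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    m = TERM_RE.match(term)
    if not m:
        return qualifier, term.lower(), ""
    return qualifier, m.group(1).lower(), m.group(2) or ""


def count_lookups(domain, zone, path=()):
    """Count the DNS lookups a receiver makes for this record, descending into include: and redirect=."""
    if domain in path:
        return 0  # include loop; a real evaluator returns permerror
    records = spf_records(domain, zone)
    if len(records) != 1:
        return 0  # missing or duplicate record: nothing further is evaluated
    total = 0
    for term in records[0].split()[1:]:
        _, name, arg = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total


def analyse(domain, zone=ZONE):
    """Apply the article's checks to one domain and return the findings as text lines."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return [f"{len(records)} SPF records published: receivers return permerror, merge them into one"]
    terms = records[0].split()[1:]
    findings = []
    all_terms = [split_term(t) for t in terms if split_term(t)[1] == "all"]
    if all_terms:
        qualifier = all_terms[0][0]
        findings.append(f"{qualifier}all -> {QUALIFIER_RISK[qualifier]}")
    else:
        findings.append("no all mechanism: unlisted servers get a neutral result")
    lookups = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}: permerror")
    else:
        findings.append(f"{lookups} of {MAX_LOOKUPS} allowed DNS lookups used")
    return findings


if __name__ == "__main__":
    for domain in ("good.test", "duplicate.test", "heavy.test"):
        print(domain)
        for line in analyse(domain):
            print("  " + line)
```

In the constructed data good.test itself declares only one include, yet it uses 5 lookups, because the provider's record adds an mx, two further includes and an a mechanism; that hidden cost is why a record with a handful of includes can still reach the limit.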

Forgetting subdomains

Your SPF record on yourdomain.com does not automatically apply to mail.yourdomain.com or other subdomains. Each subdomain that sends email needs its own SPF record.

What to do next

Once SPF is configured correctly:

  1. Set up DKIM -- adds a cryptographic signature to your emails
  2. Configure DMARC -- ties SPF and DKIM together with an enforcement policy

How SurfaceScan helps

SurfaceScan checks SPF for every root domain in your scope. It reports missing SPF records, softfail configurations, and invalid syntax as findings in the Email Security section.
