SPF record error
SPF record missing or invalid.
SPF problems happen at the sender authorization stage: the receiver checks whether the server that sent the message is allowed to send for the domain.
Failure stage
Message sent: the sending server reached a receiver.
Failed first: SPF lookup did not authorize that sending server.
Downstream risk: DMARC can fail if SPF does not align with the visible From domain.
SPF evidence matrix
| Evidence | Likely cause | First check |
|---|---|---|
No TXT record starts with v=spf1 | SPF is missing | Add one SPF record for the active sender. |
| Two or more SPF records exist | SPF permerror risk | Merge includes into one SPF TXT record. |
| Using Google and Brevo, but SPF includes only Google | Marketing SMTP not authorized | Add the sending provider include to the single SPF record. |
Bounce says 5.7.26 or unauthenticated email | SPF/DKIM/DMARC alignment failure | Check SPF and DKIM together before tightening DMARC. |
| SPF passes but mail still spammed | DKIM, DMARC, reputation, or content issue | Move to DKIM/DMARC evidence instead of adding more SPF records. |
SPF failure examples
| Current SPF clue | Failure model | Correction pattern |
|---|---|---|
No v=spf1 record | Receiver has no sender authorization policy | Create one SPF TXT record for the active sender. |
Two v=spf1 TXT records | Permanent SPF error risk | Merge includes into one record. |
| SPF includes old host only | New sender is not authorized | Remove stale include if unused; add current sender include. |
| Many includes from old campaigns | DNS lookup limit risk | Prune unused senders before adding another include. |
+all or overly broad policy | Domain allows too much sending | Use provider-specific includes and a controlled ending. |
Bad SPF pattern
TXT @ v=spf1 include:_spf.google.com ~all
TXT @ v=spf1 include:spf.protection.outlook.com ~allReceivers expect one SPF record. Multiple SPF records can turn a simple sender setup into a permanent SPF error.
Corrected SPF pattern
TXT @ v=spf1 include:_spf.google.com include:senders.example-provider.com ~allPattern to verify. Use only providers that actually send mail for the domain.
What this is not
- SPF does not decide where inbound mail is delivered; MX does that.
- SPF is not a DKIM signature; it authorizes sending servers.
- SPF alone does not guarantee inbox placement.
- Adding many includes can create DNS lookup-limit failures.
Do NOT do this
- Do not create a second SPF record to add another sender.
- Do not add every provider you have ever tested; authorize only active senders.
- Do not use SPF to fix inbound receiving problems caused by MX records.
- Do not move DMARC to
p=rejectjust because SPF exists; check alignment and DKIM first.