Creating a Valid SPF Record: Common Syntax Mistakes

Learn how to create a valid SPF record, avoid duplicate SPF records, fix syntax mistakes, and stay within SPF DNS lookup limits.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 7 min read | Beginner

Introduction

An SPF record must be written in the correct format for receiving mail servers to understand it. A small mistake, such as publishing two SPF records, using the wrong include value, or exceeding the DNS lookup limit, can cause SPF validation to fail.

This guide focuses on common SPF syntax mistakes and how to avoid them. If you are new to SPF, start with the SPF basics guide first, then use this page to validate and clean up your SPF record.

Quick answer

A valid SPF record is a DNS TXT record that starts with v=spf1, includes only the real services allowed to send email for the domain, and ends with a policy such as ~all or -all. A domain should normally have only one SPF record, and the record must stay within SPF’s 10 DNS lookup limit.

What a valid SPF record looks like

A valid SPF record is published as a TXT record in DNS. It begins with v=spf1, lists authorized senders using mechanisms such as include, ip4, ip6, a or mx, and ends with an all mechanism.

Example
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all

This example allows Google’s SPF include and one IPv4 address, then applies a soft fail to other senders.

This is only an example. Your SPF record must match the real services that send email for your domain.

SPF syntax rules

Start with v=spf1

Every SPF record must begin with v=spf1.

Use one SPF record

A domain should normally publish only one SPF TXT record.

Use valid mechanisms

Common mechanisms include include, ip4, ip6, a, mx, exists and redirect.

Use correct provider values

Provider includes must match the exact value from the email service.

End with an all policy

Most SPF records end with ~all, -all, ?all or +all.

Stay within lookup limits

SPF evaluation must not exceed the 10 DNS lookup limit.

Do not create multiple SPF records for multiple providers. Merge providers into one record.

Valid SPF examples

Google Workspace only:
v=spf1 include:_spf.google.com ~all

Microsoft 365 only:
v=spf1 include:spf.protection.outlook.com ~all

Single sending IP:
v=spf1 ip4:192.0.2.10 ~all

Google Workspace plus transactional mail:
v=spf1 include:_spf.google.com include:mailservice.example ~all

Subdomain sending mail:
v=spf1 include:mailservice.example ~all

These examples are illustrative. Use the exact SPF values from your email, hosting, CRM, marketing or transactional email provider.

Common syntax mistakes

Missing v=spf1

High

The TXT record does not start with v=spf1, so it is not recognized as SPF.

Next step: Start the SPF TXT value with v=spf1.

Multiple SPF records

High

Publishing more than one SPF record can cause SPF validation to fail.

Next step: Merge all authorized senders into one SPF record.

Wrong include value

High

The include mechanism references a wrong or outdated provider hostname.

Next step: Copy the official SPF include from your provider documentation.

Missing space between mechanisms

Medium

SPF mechanisms must be separated by spaces.

Next step: Use spaces between mechanisms, for example include:_spf.google.com ~all.

Invalid IP syntax

Medium

ip4 or ip6 values are malformed or use the wrong IP version.

Next step: Use ip4 for IPv4 addresses and ip6 for IPv6 addresses.

Too many DNS lookups

Medium

Too many include, a, mx, redirect or exists mechanisms can exceed the SPF lookup limit.

Next step: Remove unused providers or simplify the SPF record.

Using +all

High

+all allows any sender and usually defeats the purpose of SPF.

Next step: Use ~all while testing or -all only after confirming all senders are included.

SPF added at the wrong hostname

Medium

The SPF record was added to the wrong domain or subdomain.

Next step: Publish SPF where the envelope sender / Return-Path domain needs it.

Why this matters

SPF syntax matters because receivers must parse the record exactly. If the record is malformed, duplicated or too complex, SPF can return errors instead of a clean pass or fail result. This can hurt email authentication and make deliverability troubleshooting harder.

A syntactically valid SPF record is not automatically a complete email setup. DKIM and DMARC should also be configured.

How to validate SPF

Use the SPF Checker to inspect SPF syntax, mechanisms, DNS lookup count and policy.

When validating SPF, check

These six checks help confirm whether your SPF record is valid.

Record exists

Confirm the domain publishes an SPF TXT record.

Record starts correctly

The value should begin with v=spf1.

Only one SPF record exists

Multiple SPF records should be merged.

Mechanisms are valid

Check include, ip4, ip6, a, mx, redirect and exists syntax.

Lookup count is safe

Confirm SPF does not exceed the 10 DNS lookup limit.

Final policy is appropriate

Review whether ~all or -all fits the current setup.
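
The checks above, apart from the lookup count, can be run offline against the TXT strings a hostname publishes. The following Python sketch is an added example, not CheckDomainHealth's SPF Checker; the function name `lint_spf`, the finding messages and the sample records are assumptions made for illustration, and the hostname pattern is simplified (it does not handle SPF macros).

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
HOSTNAME = re.compile(r"^(?=.*\.)[A-Za-z0-9_.-]+$")  # simplified: no SPF macros

def lint_spf(txt_records):
    """Return findings for every TXT string published at one hostname."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no TXT record starts with v=spf1"]
    if len(spf) > 1:
        return ["%d SPF records published; merge them into one" % len(spf)]
    findings, terms = [], spf[0].split()[1:]
    for term in terms:
        if re.match(r"[A-Za-z][A-Za-z0-9_.-]*=", term):  # modifier such as redirect=
            continue
        body = term[1:] if term[0] in "+-~?" else term  # strip the qualifier
        name, _, value = body.partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if name not in MECHANISMS:
            findings.append("unknown mechanism: " + term)
        elif name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    findings.append("wrong IP version: " + term)
            except ValueError:
                findings.append("malformed address: " + term)
        elif name in ("include", "exists") and not HOSTNAME.match(value):
            findings.append("bad target (missing space or typo?): " + term)
    alls = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not alls and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no final all mechanism")
    if any(t.lower() in ("all", "+all") for t in alls):  # bare all defaults to +
        findings.append("+all permits any sender")
    return findings

# Constructed sample input, based on the example records in this guide.
SAMPLES = {
    "valid": ["site-verification=abc", "v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all"],
    "missing version": ["include:_spf.google.com ~all"],
    "duplicate": ["v=spf1 include:_spf.google.com ~all",
                  "v=spf1 include:spf.protection.outlook.com ~all"],
    "missing space": ["v=spf1 include:_spf.google.com~all"],
    "wrong ip version": ["v=spf1 ip4:2001:db8::1 ~all"],
    "allows everyone": ["v=spf1 +all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", lint_spf(records) or "ok")
```

Pass it every string returned by `dig +short example.com TXT` for the hostname, with the surrounding quotes removed; unrelated TXT records are ignored.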


Common SPF problems

Duplicate SPF TXT records

High

The domain publishes more than one SPF record.

Next step: Merge all allowed senders into one SPF TXT record.

SPF record missing final policy

Medium

The record does not clearly define how unlisted senders should be handled.

Next step: Add a final mechanism such as ~all or -all.

SPF exceeds 10 DNS lookups

Medium

SPF evaluation may fail because too many DNS lookups are required.

Next step: Remove unused includes or use a provider-recommended SPF structure.

Provider include is outdated

Medium

The record includes an old provider that no longer sends email.

Next step: Remove old includes after confirming they are unused.

Required provider is missing

High

A real sender such as CRM, website form or transactional email service is not included.

Next step: Add the provider’s official include or IP range.

SPF uses +all

High

+all permits all senders and weakens SPF protection.

Next step: Replace with ~all or -all depending on confidence level.

SPF published as the wrong record type

Medium

SPF should be published as TXT, not as the old SPF DNS record type.

Next step: Publish SPF as a TXT record.

How to create a valid SPF record

  1. List every service that sends email

    Include mailbox provider, hosting server, website forms, CRM, billing system, marketing platform and transactional email service.

  2. Collect official SPF values

    Use each provider’s official SPF include or IP range. Do not guess.

  3. Build one SPF TXT record

    Combine all authorized senders into one SPF record beginning with v=spf1.

  4. Choose a safe policy

    Use ~all while testing or when unsure. Use -all only when all legitimate senders are confirmed.

  5. Publish at the correct hostname

    Add SPF as a TXT record at the domain or subdomain used for sending.

  6. Validate the record

    Run SPF Checker to confirm syntax, duplicate records and lookup count.

  7. Review periodically

    Remove old providers and add new senders when email services change.

SPF syntax examples

Valid SPF:
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all

Invalid: missing v=spf1
include:_spf.google.com ~all

Invalid: duplicate SPF records
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com ~all

Fixed merged record:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

Invalid: allows everyone
v=spf1 +all

Check commands:
dig example.com TXT
dig +short example.com TXT

Do not copy example records directly. Your valid SPF record depends on the real services that send mail for your domain.

Choosing ~all or -all

The final all mechanism tells receivers how to treat senders that are not listed in the SPF record.

~all

Soft fail. Common while testing or when some senders may still be unknown.

-all

Hard fail. Best used only when all legitimate senders are known and included.

?all

Neutral. Usually weak because it gives receivers little guidance.

+all

Pass all senders. Usually not recommended.

For many domains, ~all is safer during setup. Move to -all only after confirming all legitimate senders are included and DMARC alignment is understood.

SPF lookup limit

SPF has a limit of 10 DNS lookups during evaluation. Mechanisms such as include, a, mx, exists and redirect can count toward this limit.

If the limit is exceeded, SPF can fail with a permanent error.

  • Remove old providers
  • Avoid unnecessary a and mx mechanisms
  • Use provider-recommended includes
  • Avoid stacking too many third-party services
  • Check lookup count after every change
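
Nested includes are what usually push a record over the limit, because each included record brings its own lookups. The Python sketch below is an added example, not code from this guide's tooling: it walks a constructed map of hostnames to SPF strings (standing in for live DNS answers) and returns the worst-case lookup count. All hostnames in `ZONE` and the function name `count_lookups` are hypothetical.

```python
# Terms that trigger a DNS query during SPF evaluation; the redirect
# modifier is handled separately below. ip4, ip6 and all cost nothing.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")
SPF_LOOKUP_LIMIT = 10

# Constructed TXT data standing in for DNS answers (hypothetical hostnames).
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mail.example include:crm.example include:news.example ~all",
    "slim.example.com": "v=spf1 mx include:_spf.mail.example include:news.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example include:_c.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "crm.example": "v=spf1 a mx include:_spf.mail.example ~all",
    "news.example": "v=spf1 mx ~all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's record."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:
        body = term.lstrip("+-~?").lower()
        if body.startswith("redirect="):
            total += 1 + count_lookups(body.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, target = body.partition(":")
        name = name.split("/")[0]  # drop a CIDR suffix such as a/24
        if name == "include":
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in LOOKUP_TERMS:
            total += 1
    return total

def over_limit(domain, zone):
    return count_lookups(domain, zone) > SPF_LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("example.com", "slim.example.com"):
        print(name, count_lookups(name, ZONE), "over limit:", over_limit(name, ZONE))
```

The count is worst-case because a receiver stops evaluating at the first mechanism that matches; the constructed `slim.example.com` record shows how dropping one third-party include brings the total back under 10.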

Frequently asked questions

What makes an SPF record valid?

It must start with v=spf1, use valid mechanisms, be published as TXT, avoid duplicates and stay within SPF lookup limits.

Can I have more than one SPF record?

No. A domain should normally have only one SPF record. Merge multiple providers into one record.

Should SPF be TXT or SPF record type?

Use TXT. The old SPF DNS record type is not the normal modern way to publish SPF.

Is ~all or -all better?

~all is safer while testing. -all is stricter and should be used only when all senders are known and included.

Why does my SPF record fail?

Common causes include duplicate SPF records, missing providers, syntax errors, too many DNS lookups or SPF published at the wrong hostname.

Does a valid SPF record guarantee inbox delivery?

No. SPF is one authentication signal. DKIM, DMARC, reputation, content and provider filtering also matter.
