Creating a Valid SPF Record: Common Syntax Mistakes
Learn how to create a valid SPF record, avoid duplicate SPF records, fix syntax mistakes, and stay within SPF DNS lookup limits.
Introduction
An SPF record must be written in the correct format for receiving mail servers to understand it. A small mistake, such as publishing two SPF records, using the wrong include value, or exceeding the DNS lookup limit, can cause SPF validation to fail.
This guide focuses on common SPF syntax mistakes and how to avoid them. If you are new to SPF, start with the SPF basics guide first, then use this page to validate and clean up your SPF record.
Quick answer
A valid SPF record is a DNS TXT record that starts with v=spf1, includes only the real services allowed to send email for the domain, and ends with a policy such as ~all or -all. A domain should normally have only one SPF record, and the record must stay within SPF’s 10 DNS lookup limit.
What a valid SPF record looks like
A valid SPF record is published as a TXT record in DNS. It begins with v=spf1, lists authorized senders using mechanisms such as include, ip4, ip6, a or mx, and ends with an all mechanism.
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all
This example allows Google’s SPF include and one IPv4 address, then applies a soft fail to other senders.
This is only an example. Your SPF record must match the real services that send email for your domain.
SPF syntax rules
Start with v=spf1
Every SPF record must begin with v=spf1.
Use one SPF record
A domain should normally publish only one SPF TXT record.
Use valid mechanisms
Common mechanisms include include, ip4, ip6, a, mx, exists and redirect.
Use correct provider values
Provider includes must match the exact value from the email service.
End with an all policy
Most SPF records end with ~all, -all, ?all or +all.
Stay within lookup limits
SPF evaluation must not exceed the 10 DNS lookup limit.
Do not create multiple SPF records for multiple providers. Merge providers into one record.
Valid SPF examples
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com ~all
v=spf1 ip4:192.0.2.10 ~all
v=spf1 include:_spf.google.com include:mailservice.example ~all
v=spf1 include:mailservice.example ~all
These examples are illustrative. Use the exact SPF values from your email, hosting, CRM, marketing or transactional email provider.
Common syntax mistakes
Missing v=spf1
HighThe TXT record does not start with v=spf1, so it is not recognized as SPF.
Next step: Start the SPF TXT value with v=spf1.
Multiple SPF records
HighPublishing more than one SPF record can cause SPF validation to fail.
Next step: Merge all authorized senders into one SPF record.
Wrong include value
HighThe include mechanism references a wrong or outdated provider hostname.
Next step: Copy the official SPF include from your provider documentation.
Missing space between mechanisms
MediumSPF mechanisms must be separated by spaces.
Next step: Use spaces between mechanisms, for example include:_spf.google.com ~all.
Invalid IP syntax
Mediumip4 or ip6 values are malformed or use the wrong IP version.
Next step: Use ip4 for IPv4 addresses and ip6 for IPv6 addresses.
Too many DNS lookups
MediumToo many include, a, mx, redirect or exists mechanisms can exceed the SPF lookup limit.
Next step: Remove unused providers or simplify the SPF record.
Using +all
High+all allows any sender and usually defeats the purpose of SPF.
Next step: Use ~all while testing or -all only after confirming all senders are included.
SPF added at the wrong hostname
MediumThe SPF record was added to the wrong domain or subdomain.
Next step: Publish SPF where the envelope sender / Return-Path domain needs it.
Why this matters
SPF syntax matters because receivers must parse the record exactly. If the record is malformed, duplicated or too complex, SPF can return errors instead of a clean pass or fail result. This can hurt email authentication and make deliverability troubleshooting harder.
A syntactically valid SPF record is not automatically a complete email setup. DKIM and DMARC should also be configured.
How to validate SPF
Use the SPF Checker to inspect SPF syntax, mechanisms, DNS lookup count and policy.
When validating SPF, check
These six checks help confirm whether your SPF record is valid.
Record exists
Confirm the domain publishes an SPF TXT record.
Record starts correctly
The value should begin with v=spf1.
Only one SPF record exists
Multiple SPF records should be merged.
Mechanisms are valid
Check include, ip4, ip6, a, mx, redirect and exists syntax.
Lookup count is safe
Confirm SPF does not exceed the 10 DNS lookup limit.
Final policy is appropriate
Review whether ~all or -all fits the current setup.
Validate SPF now
Use SPF Checker to find syntax mistakes, duplicate records and lookup-limit issues.
Common SPF problems
Duplicate SPF TXT records
HighThe domain publishes more than one SPF record.
Next step: Merge all allowed senders into one SPF TXT record.
SPF record missing final policy
MediumThe record does not clearly define how unlisted senders should be handled.
Next step: Add a final mechanism such as ~all or -all.
SPF exceeds 10 DNS lookups
MediumSPF evaluation may fail because too many DNS lookups are required.
Next step: Remove unused includes or use a provider-recommended SPF structure.
Provider include is outdated
MediumThe record includes an old provider that no longer sends email.
Next step: Remove old includes after confirming they are unused.
Required provider is missing
HighA real sender such as CRM, website form or transactional email service is not included.
Next step: Add the provider’s official include or IP range.
SPF uses +all
High+all permits all senders and weakens SPF protection.
Next step: Replace with ~all or -all depending on confidence level.
SPF published as the wrong record type
MediumSPF should be published as TXT, not as the old SPF DNS record type.
Next step: Publish SPF as a TXT record.
How to create a valid SPF record
-
Step 1: List every service that sends email
Include mailbox provider, hosting server, website forms, CRM, billing system, marketing platform and transactional email service.
-
Step 2: Collect official SPF values
Use each provider’s official SPF include or IP range. Do not guess.
-
Step 3: Build one SPF TXT record
Combine all authorized senders into one SPF record beginning with v=spf1.
-
Step 4: Choose a safe policy
Use ~all while testing or when unsure. Use -all only when all legitimate senders are confirmed.
-
Step 5: Publish at the correct hostname
Add SPF as a TXT record at the domain or subdomain used for sending.
-
Step 6: Validate the record
Run SPF Checker to confirm syntax, duplicate records and lookup count.
-
Step 7: Review periodically
Remove old providers and add new senders when email services change.
SPF syntax examples
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all
include:_spf.google.com ~all
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com ~all
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
v=spf1 +all
dig example.com TXT
dig +short example.com TXT
Do not copy example records directly. Your valid SPF record depends on the real services that send mail for your domain.
Choosing ~all or -all
The final all mechanism tells receivers how to treat senders that are not listed in the SPF record.
~all
Soft fail. Common while testing or when some senders may still be unknown.
-all
Hard fail. Best used only when all legitimate senders are known and included.
?all
Neutral. Usually weak because it gives receivers little guidance.
+all
Pass all senders. Usually not recommended.
For many domains, ~all is safer during setup. Move to -all only after confirming all legitimate senders are included and DMARC alignment is understood.
SPF lookup limit
SPF has a limit of 10 DNS lookups during evaluation. Mechanisms such as include, a, mx, exists and redirect can count toward this limit.
If the limit is exceeded, SPF can fail with a permanent error.
- Remove old providers
- Avoid unnecessary a and mx mechanisms
- Use provider-recommended includes
- Avoid stacking too many third-party services
- Check lookup count after every change
Frequently asked questions
What makes an SPF record valid?
It must start with v=spf1, use valid mechanisms, be published as TXT, avoid duplicates and stay within SPF lookup limits.
Can I have more than one SPF record?
No. A domain should normally have only one SPF record. Merge multiple providers into one record.
Should SPF be TXT or SPF record type?
Use TXT. The old SPF DNS record type is not the normal modern way to publish SPF.
Is ~all or -all better?
~all is safer while testing. -all is stricter and should be used only when all senders are known and included.
Why does my SPF record fail?
Common causes include duplicate SPF records, missing providers, syntax errors, too many DNS lookups or SPF published at the wrong hostname.
Does a valid SPF record guarantee inbox delivery?
No. SPF is one authentication signal. DKIM, DMARC, reputation, content and provider filtering also matter.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Email Authentication guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!