Fixing "SPF Fail: Domain Does Not Designate Permitted Sender"

Fix the "SPF fail: domain does not designate permitted sender" error by identifying the real sender, correcting SPF includes, removing duplicate SPF records and testing authentication.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 9 min read | Intermediate

Introduction

The error "SPF Fail: Domain Does Not Designate Permitted Sender" means the mail server that delivered the message is not authorized in the SPF record for the domain being checked. Receiving mail servers compare the sending IP against the SPF TXT record published in DNS. If the IP is not listed, SPF returns fail.

This error is common after adding a new email provider, switching hosting, enabling a contact form plugin, or sending through a third-party SMTP service without updating DNS. The fix is to identify which server actually sent the mail, then update your SPF record so that source is included.

Quick answer

SPF fail means the sending server IP is not authorized in the SPF record for the Return-Path domain. Check message headers for the Return-Path and sending IP, review your live SPF TXT record, add the missing include or ip4 mechanism for your mail provider or SMTP service, merge multiple SPF records into one, and verify with SPF Checker before sending another test.

What "SPF fail: domain not permitted" means

When a receiving server checks SPF, it looks at the domain in the envelope sender — also called the Return-Path or MAIL FROM address. It fetches the SPF TXT record for that domain and checks whether the connecting IP address is permitted. A fail result means the IP is not authorized.

Common reasons SPF returns fail:

  • the sending IP is not listed in the SPF record
  • the wrong include mechanism is used for your provider
  • a new SMTP provider was added but SPF was not updated
  • multiple SPF records exist on the same domain
  • SPF exceeds the 10 DNS lookup limit (PermError, treated as fail)
  • a WordPress or contact form plugin sends through hosting SMTP not in SPF
  • a third-party CRM, newsletter or transactional service is missing from SPF
  • shared hosting sends mail but only Google Workspace is authorized
  • SPF passes for one domain but DMARC alignment fails on the From domain

SPF and DMARC work together but check different things. SPF validates the Return-Path domain against the sending IP. DMARC checks whether SPF or DKIM aligns with the visible From address and applies your policy. Fixing SPF alone may not fix DMARC if alignment is wrong.

Example SPF with multiple providers
v=spf1 include:_spf.google.com include:sendgrid.net ~all

Copy include values directly from your email provider documentation. A typo in an include hostname is one of the most common causes of SPF fail.

Do not create a second SPF TXT record when adding a provider. Edit the existing record and merge all sending sources into one v=spf1 record.

Why this matters

SPF fail reduces trust with receiving mail servers. Messages may be rejected, quarantined or routed to spam. If DMARC is enforced, SPF fail can cause DMARC fail and stronger delivery penalties. Fixing SPF protects legitimate mail from your domain and improves overall email authentication.

Unauthorized senders whose mail is accepted because no SPF check stops it can also damage your domain reputation. A correct SPF record tells receivers which servers are allowed to send on your behalf.

How to check

Start by finding the actual sending server and comparing it to your published SPF record.

  1. Send a test email to a mailbox you control (Gmail, Outlook or similar).
  2. Open the message headers and find the Return-Path / envelope sender domain.
  3. Note the sending IP address from Received headers.
  4. Run SPF Checker on the Return-Path domain to see the live SPF record.
  5. Confirm the sending provider’s include mechanism appears in SPF.
  6. Check for multiple SPF TXT records on the same domain.
  7. Review SPF lookup count — more than 10 nested lookups causes PermError.
  8. Check whether a WordPress plugin, contact form or CRM sends through a different SMTP server.
  9. Review DMARC alignment — SPF may pass on Return-Path but fail DMARC on the From domain.
  10. Re-run SPF Checker after any DNS change and allow time for propagation.
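
Steps 2, 3 and 9 can be scripted. The following is an added example, not part of the original guide: it reads raw message headers and returns the Return-Path domain, the sending IP recorded by your own receiving server, the SPF verdict and whether the Return-Path and From domains match. The header text, the `.test` host names and the `receiver` parameter are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed headers for illustration (not taken from a real message).
RAW = """\
Return-Path: <bounce@example.com>
Received: from out.relay.test (out.relay.test [198.51.100.42])
    by mx.receiver.test with ESMTPS; Mon, 01 Jan 2024 10:00:00 +0000
Received: from web01.internal (web01.internal [10.0.0.5])
    by out.relay.test with ESMTP; Mon, 01 Jan 2024 09:59:58 +0000
Authentication-Results: mx.receiver.test;
    spf=fail smtp.mailfrom=bounce@example.com;
    dkim=none
From: Example Shop <orders@shop.example.org>
Subject: SPF test

body
"""

def triage(raw, receiver="mx.receiver.test"):
    """Pull the values steps 2, 3 and 9 ask for out of raw message headers."""
    msg = email.message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    visible = parseaddr(msg.get("From", ""))[1]
    # Only the hop stamped by your own receiver is trustworthy; earlier
    # Received lines are written by the sending side and can be forged.
    hop = next((h for h in msg.get_all("Received", []) if f"by {receiver}" in h), "")
    ip = re.search(r"\[([0-9A-Fa-f:.]+)\]", hop)
    ar = next((h for h in msg.get_all("Authentication-Results", [])
               if h.strip().startswith(receiver)), "")
    spf = re.search(r"\bspf=(\w+)", ar)
    rp_dom = envelope.rpartition("@")[2].lower()
    from_dom = visible.rpartition("@")[2].lower()
    return {
        "return_path_domain": rp_dom,
        "from_domain": from_dom,
        "sending_ip": ip.group(1) if ip else None,
        "spf_result": spf.group(1) if spf else None,
        # Exact match only; DMARC relaxed alignment also accepts a shared
        # organizational domain, which needs the Public Suffix List.
        "exact_domain_match": rp_dom == from_dom,
    }
```

Run SPF Checker on the `return_path_domain` value, not on `from_domain`, and compare `sending_ip` with the mechanisms in that record.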

Check your SPF record

Use SPF Checker to see your live TXT record, included mechanisms, lookup count and whether your sending sources are authorized.

Common problems

Sending IP not in SPF record

High

The mail server IP that delivered the message is not authorized in the domain’s SPF TXT record.

Next step: Add the provider’s include mechanism or the server’s ip4 address to your SPF record.

Wrong include for email provider

High

SPF includes a mechanism for the wrong service — for example Google when mail is sent through SendGrid.

Next step: Replace or add the correct include from your provider’s DNS setup guide.

New SMTP provider not added to SPF

High

A transactional email service, CRM or newsletter tool was connected but SPF was not updated.

Next step: Add the new provider’s include to your existing SPF record.

Multiple SPF records on one domain

High

More than one v=spf1 TXT record exists. Receivers may treat this as invalid.

Next step: Delete duplicate records and merge all senders into a single SPF TXT record.

SPF DNS lookup limit exceeded

High

Nested includes push SPF past the 10 DNS lookup limit, causing PermError.

Next step: Flatten includes or use your provider’s recommended single-include SPF template.

WordPress or contact form uses unlisted SMTP

Medium

The website sends through hosting PHP mail or local SMTP not authorized in SPF.

Next step: Route forms through an authenticated SMTP provider and add that provider to SPF.

Shared hosting sends but SPF only covers workspace mail

Medium

MX points to Google Workspace but the hosting server also sends form notifications.

Next step: Include both the workspace provider and the hosting mail server, or send forms through the workspace SMTP.

Return-Path domain differs from From domain

Medium

SPF is checked on the Return-Path domain, which may not match the visible From address.

Next step: Configure your provider to use a Return-Path on your domain and ensure SPF is published there.

SPF record missing entirely

High

No SPF TXT record is published, so receivers return none or fail depending on policy.

Next step: Create a starter SPF record that includes your primary mail provider.

SPF passes but DMARC still fails

Medium

SPF authenticates the Return-Path domain but it does not align with the From domain under DMARC.

Next step: Fix Return-Path alignment in your provider settings and review the DMARC alignment guide.

How to fix

  1. Find the sending server

    Send a test message and read headers to identify the Return-Path domain and sending IP address.

  2. Check the live SPF record

    Run SPF Checker on the Return-Path domain and note existing includes, ip4 entries and lookup count.

  3. List all sending sources

    Document every service that sends mail: workspace, hosting, CRM, forms, newsletters and transactional providers.

  4. Add the missing include or IP

    Edit your single SPF TXT record to include the provider mechanism. Do not create a second SPF record.

  5. Fix contact form and plugin SMTP

    Configure WordPress and contact forms to send through an authorized SMTP provider instead of unauthenticated PHP mail.

  6. Resolve lookup limit issues

    If lookup count exceeds 10, flatten nested includes or switch to your provider’s consolidated SPF value.

  7. Verify and test

    Wait for DNS propagation, re-run SPF Checker, then send another test and confirm SPF pass in message headers.

  8. Monitor DMARC reports

    After SPF passes consistently, review DMARC aggregate reports to confirm alignment before tightening policy.

Examples

SPF fail troubleshooting example
Problem:
SPF Fail: example.com does not designate permitted sender

Headers show:
Return-Path: bounce@example.com
Sending IP: 198.51.100.42

Live SPF record:
v=spf1 include:_spf.google.com ~all

Cause:
Mail was sent through SendGrid (198.51.100.42),
but SPF only authorizes Google Workspace.

Fix:
v=spf1 include:_spf.google.com include:sendgrid.net ~all

Verify:
Run SPF Checker → confirm SendGrid include resolves.
Send test → headers show spf=pass.

Examples are illustrative. Replace provider includes, IP addresses and domains with values from your real DNS panel and email provider documentation.
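
The troubleshooting example above, replayed offline as an added example (not part of the original guide and not any provider's tooling): a small SPF auditor covering the checks from the fix steps, namely exactly one SPF record per domain, the 10-lookup limit, and whether the sending IP is authorized. It goes beyond the page's case by handling ip6 and qualifiers; the TXT data and IP ranges in `ZONE` are constructed, and `redirect` is treated as a trailing include (assumes it is the last term).

```python
import ipaddress
import re

# Constructed TXT data standing in for DNS. The provider ranges are made up
# (documentation address space), not the providers' real SPF records.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all", "site-verification=constructed"],
    "_spf.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
FIXED = {**ZONE, "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"]}
TERM = re.compile(r"[+\-~?]?([a-z0-9]*)[:=/]?(.*)")  # optional qualifier, name, argument

def audit(domain, ip, zone):
    """Return {'authorized', 'lookups', 'problems'} for `ip` against the SPF tree."""
    addr = ipaddress.ip_address(ip)
    report = {"authorized": False, "lookups": 0, "problems": []}

    def walk(name):
        if report["lookups"] > 10:  # stop descending once past the limit
            return False
        recs = [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
        if len(recs) != 1:
            report["problems"].append(f"{name}: {len(recs)} SPF records, need exactly 1")
            return False
        verdict = None
        for term in recs[0].lower().split()[1:]:
            qual = term[0] if term[0] in "+-~?" else "+"
            kind, arg = TERM.match(term).groups()
            matched = False
            if kind in ("ip4", "ip6"):
                matched = addr in ipaddress.ip_network(arg, strict=False)
            elif kind in ("include", "redirect"):
                report["lookups"] += 1
                matched = walk(arg)  # matches only if the inner record passes
            elif kind in ("a", "mx", "ptr", "exists"):
                report["lookups"] += 1  # counted; not resolvable from TXT data alone
            elif kind == "all":
                matched = True
            if matched and verdict is None:  # first matching mechanism decides
                verdict = qual == "+"
        return bool(verdict)

    report["authorized"] = walk(domain)
    if report["lookups"] > 10:
        report["problems"].append(f"{report['lookups']} DNS lookups, limit is 10 (PermError)")
        report["authorized"] = False
    return report
```

`audit("example.com", "198.51.100.42", ZONE)` reports the IP as unauthorized, and the same call against `FIXED` reports it as authorized with two lookups.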

Frequently asked questions

What does "SPF fail: domain does not designate permitted sender" mean?

The mail server that sent the message is not listed in the SPF record for the Return-Path domain. Receiving servers treat the sender as unauthorized.

Is SPF checked against the From address?

No. SPF is checked against the envelope sender / Return-Path domain. DMARC connects SPF results to the visible From domain through alignment.

Can I have more than one SPF record?

No. A domain should publish only one SPF TXT record. Multiple SPF records cause validation errors — merge all senders into a single record.

Why does SPF fail after I add a new email provider?

The new provider is not yet included in your SPF record, or you created a second SPF record instead of updating the existing one.

Can WordPress contact forms cause SPF fail?

Yes. If the form sends through your hosting server but SPF only authorizes Google Workspace or Microsoft 365, SPF will fail for those messages.

Does SPF fail always mean mail is rejected?

Not always. Some receivers quarantine or spam-folder mail with SPF fail. Others may still accept it depending on DKIM, DMARC, reputation and policy.

Should I fix SPF before DMARC?

Yes. SPF and DKIM should pass for legitimate mail before you enforce a strict DMARC policy. Fix SPF first, then monitor DMARC reports.
