SPF Record Troubleshooting Guide

Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
SPF Record Troubleshooting Guide
Diagnosing and Fixing SPF Failures in Email Infrastructure
Version 2026-04 · Cloud Server for Email

Quick Diagnosis

# Check your SPF record dig TXT yourdomain.com | grep spf # Test SPF from a specific IP # Tool: mxtoolbox.com/spf or kitterman.com/spf/validate.html # Check SPF result in email headers # Authentication-Results: ... spf=pass|fail|softfail|neutral|none

SPF Result Codes

ResultMeaningAction
passIP authorized by SPF record✓ No action needed
fail (-all)IP explicitly not authorizedAdd IP to SPF or use ~all instead
softfail (~all)IP not authorized but soft failureISPs may still deliver but mark as suspicious
neutral (?all)No policy statedAvoid — provides no protection
noneNo SPF record foundCreate SPF TXT record at domain root
permerrorSPF record syntax errorFix syntax; check for >10 DNS lookups
temperrorDNS lookup timeout during checkUsually transient; check DNS provider uptime

The 10 DNS Lookup Limit

SPF allows a maximum of 10 DNS lookups (mechanisms that require DNS: a, mx, include, exists, redirect, ptr). Exceeding this produces permerror.

# Count your DNS lookups manually or use a tool # Each "include:" = 1 lookup (plus whatever lookups that record includes) # Use: mxtoolbox.com/spflookup to count # Common offenders: # include:_spf.google.com (1 lookup → expands to 3-4) # include:sendgrid.net (1 lookup → expands to 3+) # include:mailchimp.com (1 lookup → expands to 4+) # Solution: use SPF flattening tools or move ESPs to subdomains

SPF Alignment (for DMARC)

DMARC requires SPF alignment: the domain in the MAIL FROM (Return-Path) must match the From: domain (strict) or be a subdomain of it (relaxed).

From:Return-Path:Strict (adkim=s)Relaxed (adkim=r)
you@yourdomain.combounce@yourdomain.comPASSPASS
you@yourdomain.combounce@mail.yourdomain.comFAILPASS
you@yourdomain.combounce@otherdomain.comFAILFAIL

Common SPF Record Examples

# Basic: just your sending IPs v=spf1 ip4:203.0.113.1 ip4:203.0.113.2 ~all # With third-party senders v=spf1 ip4:203.0.113.1 include:_spf.google.com include:sendgrid.net ~all # For ESP-only sending (no own IP) v=spf1 include:sendgrid.net ~all # With IPv6 v=spf1 ip4:203.0.113.1 ip6:2001:db8::/32 ~all
Never use +all — this authorizes ANY server to send on your behalf, effectively disabling SPF protection.
If you're sending from multiple platforms, consider creating separate sending subdomains for each (mail.yourdomain.com for MailWizz, transact.yourdomain.com for API sends) to keep each subdomain's SPF record under the 10-lookup limit.