Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Operating Since 2015
SPF Record Troubleshooting Guide
Diagnosing and Fixing SPF Failures in Email Infrastructure
Version 2026-04 · Cloud Server for Email
Quick Diagnosis
# Check your SPF record
dig TXT yourdomain.com | grep spf
# Test SPF from a specific IP
# Tool: mxtoolbox.com/spf or kitterman.com/spf/validate.html
# Check SPF result in email headers
# Authentication-Results: ... spf=pass|fail|softfail|neutral|none
SPF Result Codes
| Result | Meaning | Action |
|---|---|---|
| pass | IP authorized by SPF record | ✓ No action needed |
| fail (-all) | IP explicitly not authorized | Add IP to SPF or use ~all instead |
| softfail (~all) | IP not authorized but soft failure | ISPs may still deliver but mark as suspicious |
| neutral (?all) | No policy stated | Avoid — provides no protection |
| none | No SPF record found | Create SPF TXT record at domain root |
| permerror | SPF record syntax error | Fix syntax; check for >10 DNS lookups |
| temperror | DNS lookup timeout during check | Usually transient; check DNS provider uptime |
The 10 DNS Lookup Limit
SPF allows a maximum of 10 DNS lookups (mechanisms that require DNS: a, mx, include, exists, redirect, ptr). Exceeding this produces permerror.
# Count your DNS lookups manually or use a tool
# Each "include:" = 1 lookup (plus whatever lookups that record includes)
# Use: mxtoolbox.com/spflookup to count
# Common offenders:
# include:_spf.google.com (1 lookup → expands to 3-4)
# include:sendgrid.net (1 lookup → expands to 3+)
# include:mailchimp.com (1 lookup → expands to 4+)
# Solution: use SPF flattening tools or move ESPs to subdomains
SPF Alignment (for DMARC)
DMARC requires SPF alignment: the domain in the MAIL FROM (Return-Path) must match the From: domain (strict) or be a subdomain of it (relaxed).
| From: | Return-Path: | Strict (adkim=s) | Relaxed (adkim=r) |
|---|---|---|---|
| you@yourdomain.com | bounce@yourdomain.com | PASS | PASS |
| you@yourdomain.com | bounce@mail.yourdomain.com | FAIL | PASS |
| you@yourdomain.com | bounce@otherdomain.com | FAIL | FAIL |
Common SPF Record Examples
# Basic: just your sending IPs
v=spf1 ip4:203.0.113.1 ip4:203.0.113.2 ~all
# With third-party senders
v=spf1 ip4:203.0.113.1 include:_spf.google.com include:sendgrid.net ~all
# For ESP-only sending (no own IP)
v=spf1 include:sendgrid.net ~all
# With IPv6
v=spf1 ip4:203.0.113.1 ip6:2001:db8::/32 ~all
Never use +all — this authorizes ANY server to send on your behalf, effectively disabling SPF protection.
If you're sending from multiple platforms, consider creating separate sending subdomains for each (mail.yourdomain.com for MailWizz, transact.yourdomain.com for API sends) to keep each subdomain's SPF record under the 10-lookup limit.