SPF Record Check (2026): Fix SPF Fail, PermError, and Improve Email Deliverability
A practical SPF guide: how SPF works, how to validate it, and how to fix common SPF errors that hurt deliverability.
SPF (Sender Policy Framework) is one of the most important DNS-based protections for email deliverability. If your SPF record is wrong, messages can land in spam, fail DMARC alignment, or be rejected by strict receivers. The good news is that SPF issues are usually fixable with a clear checklist and a reliable SPF record check.
Quick Answer
To fix SPF problems, publish exactly one SPF TXT record at the correct hostname, include only the sending services you actually use, and keep total DNS lookups at 10 or fewer. Validate the final record using an SPF checker and then confirm DMARC results to ensure alignment.
What SPF Does (In Simple Terms)
SPF tells receiving mail servers which IPs and third-party services are allowed to send mail “for” your domain. It is published as a TXT record. When a message arrives, the receiver looks up the SPF record for the sender’s domain and evaluates whether the sending server is authorized. The result is one of SPF pass, fail, softfail, neutral, temperror, or permerror.
How to Validate Your SPF Record
Start by retrieving the TXT record for your domain and locating the line that begins with v=spf1. Use DNS Lookup to confirm the record is visible publicly, then run a dedicated check with your SPF validation workflow. If you also use DKIM/DMARC, validate them too because the best deliverability comes from SPF + DKIM + DMARC working together.
- Check TXT record for the root domain and the exact domain you send from.
- Confirm you have only one SPF record (multiple SPF records can cause permerror).
- Confirm the policy ends with a qualifier like -all or ~all.
Common SPF Errors and How to Fix Them
1) Two SPF records (PermError). Many domains accidentally publish multiple TXT records containing “v=spf1”. SPF requires a single record. Merge them into one.
2) Too many DNS lookups. SPF evaluation stops at 10 DNS lookups. Each include, a, mx, ptr, and exists mechanism can count toward that limit. Fix by removing unused includes, using dedicated subdomains, or flattening safely when appropriate.
3) Wrong domain / wrong hostname. If you send mail from a subdomain (for example, notifications.example.com), you may need SPF at that subdomain. Many deliverability issues happen because SPF is only set at the apex.
4) Misusing +all or ?all. +all allows everyone to send and makes SPF meaningless. ?all is too permissive for many cases. Prefer ~all during testing and -all when confident.
5) Including the wrong provider. If you removed a service (old CRM, old email platform) but left its include, you increase lookup count and risk authorization you no longer want.
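The checks behind errors 1, 2 and 4 can be scripted. The following is an added example, not code from this page or from any SPF tool: a small offline linter that flags multiple SPF records, a permissive or missing all term, and a lookup count above 10, following nested includes. The hostnames, the SAMPLE_TXT data and the function names are constructed for illustration, and the redirect modifier is counted as a lookup per RFC 7208 in addition to the mechanisms listed above.

```python
import re
# Constructed TXT data standing in for live DNS; every hostname is hypothetical.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.mail.example include:_spf.crm.example mx ~all",
                    "site-verification=constructed"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a:out.crm.example exists:%{i}.l.crm.example ~all"],
    "heavy.example": ["v=spf1 include:example.com include:_spf.crm.example a mx ptr -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mail.example ~all"],
    "open.example": ["v=spf1 ip4:203.0.113.5 +all"],
}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?")  # qualifier, name, optional argument

def spf_records(host, txt):
    """TXT strings at host that are SPF records (first token is the v=spf1 version tag)."""
    return [r for r in txt.get(host, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(host, txt, path=frozenset()):
    """Count lookup-causing terms, following include: and redirect= targets recursively."""
    records = spf_records(host, txt)
    if host in path or len(records) != 1:  # include loop, or no single record to follow
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        m = TERM.match(term)
        name, arg = m.groups() if m else ("", None)
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, txt, path | {host})
    return total

def lint_spf(host, txt):
    """Return finding codes for the errors listed above; an empty list means none found."""
    records = spf_records(host, txt)
    if len(records) != 1:
        return ["multiple-spf-records" if records else "no-spf-record"]
    terms = records[0].lower().split()[1:]
    findings = []
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if alls and alls[0][0] in "+?a":  # a bare "all" carries the default "+" qualifier
        findings.append("permissive-all")
    elif not alls and not any(t.startswith("redirect=") for t in terms):
        findings.append("missing-all")
    if count_lookups(host, txt) > 10:
        findings.append("too-many-lookups")
    return findings
```

The count is a static worst case: a receiver stops evaluating at the first matching mechanism, so a record that scores above 10 here may still pass for some sending IPs and fail with permerror for others.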
A Practical SPF Checklist (Works for Most Businesses)
- List every system that sends mail (Google Workspace, Microsoft 365, transactional email, marketing tool, helpdesk).
- Build one SPF record that includes only those systems.
- Keep DNS lookups under 10 by pruning old includes.
- Choose a policy: start with ~all, then move to -all.
- Verify alignment with DMARC if you send as your main domain.
Recommended Next Steps
After SPF passes, validate DKIM and DMARC. This is where AEO and modern deliverability intersect: many providers now rely more on DKIM and DMARC alignment than SPF alone. Use these tools to complete the setup:
- DNS Lookup to confirm TXT records are published and visible.
- DNS Propagation Checker if you just changed records.
FAQ
Q: What does SPF PermError mean?
A: It means the receiver could not properly evaluate your SPF record, often due to multiple SPF records or exceeding DNS lookup limits.
Q: Is ~all or -all better?
A: -all is stricter and is recommended once you are confident your sending sources are correct. ~all is useful during setup when you want to monitor before enforcing.
Q: Do I need SPF on subdomains?
A: If you send mail from a subdomain and the visible “From” uses that subdomain, yes. Publish SPF at the sending domain’s DNS.
Q: Can SPF alone prevent spoofing?
A: Not fully. Spoofing protection is strongest with DMARC enforcement and DKIM signing, not SPF alone.
Q: Why do I have SPF pass but still go to spam?
A: Deliverability depends on reputation, content, DKIM/DMARC, engagement, and sending patterns. SPF is necessary but not sufficient.
Q: How do I reduce SPF DNS lookups safely?
A: Remove unused includes, avoid nested includes where possible, and consider splitting mail streams by subdomain if you have many services.