Skip to main content

Fix Guides

How to Fix a Missing SPF Record

Publish the DNS record that authorises who may send email as your domain.

Quick fix

To fix a missing SPF record, add a single DNS TXT record on your root domain starting with v=spf1, listing every service that sends mail as you (via include: or ip4:), and ending with ~all while testing or -all once confident. Re-scan after DNS propagates.

SPF tells receiving mail servers which servers are allowed to send email using your domain. Without it, spoofing is easier and legitimate mail is more likely to land in spam. One correct TXT record fixes the scanner finding and is the first step toward full email authentication.

Check your website

See how your site handles how to fix a missing spf record — free, no account needed.

Business impact

Missing SPF means anyone can forge email that appears to come from your company — a common phishing and invoice-fraud tactic. It also hurts deliverability for newsletters, receipts and password resets. Fixing SPF is low effort with high payoff and is required before you can enforce DMARC.

Why this happens

SPF is missing when no TXT record on your apex domain contains v=spf1. Common causes: the record was never added after domain setup; a marketing or transactional provider was added but not included in SPF; or multiple SPF records were published (only one is valid — the rest are ignored or cause permerror). SPF must stay within 10 DNS lookups and end with an all qualifier.

How to confirm the issue

Manually: run nslookup -type=TXT yourdomain.com or use an online SPF lookup tool. No line starting with v=spf1 means SPF is missing.

With Plexa Trust: run a scan and look for "SPF Record Missing". After publishing the record, wait for DNS propagation (minutes to 48 hours) and re-scan.

Step-by-step fix

  1. List every service that sends email as your domain (email host, CRM, marketing, ticketing, ecommerce).

  2. Log in to your DNS provider (registrar, Cloudflare, Route 53, etc.).

  3. Add one TXT record on the root domain (@) — not a subdomain.

  4. Set the value to v=spf1 plus an include: for each provider, ending with ~all.

  5. Remove any duplicate SPF TXT records — only one is allowed.

  6. Wait for propagation, verify with an SPF lookup tool, then re-scan.

Platform-specific fixes

Google Workspace

  1. In Google Admin → Domains → your domain, note the recommended SPF value (usually include:_spf.google.com).

  2. Add other senders (Mailchimp, SendGrid, etc.) as additional include: entries in the same record.

  3. Publish at your DNS host: v=spf1 include:_spf.google.com include:sendgrid.net ~all (adjust includes to match your stack).

Microsoft 365

  1. Microsoft recommends: v=spf1 include:spf.protection.outlook.com ~all as the base.

  2. Add include: entries for any third-party senders (marketing, CRM).

  3. Publish as a TXT record on the apex domain in your DNS panel.

Cloudflare DNS

  1. DNS → Records → Add record → Type TXT, Name @, Content your SPF string.

  2. Ensure the proxy status is DNS only (grey cloud) — SPF is not affected by proxying but keep email records consistent.

  3. Delete any old SPF TXT records to avoid duplicates.

GoDaddy / Namecheap / registrars

  1. Open DNS management for your domain.

  2. Add a TXT record with Host/Name @ and the full SPF value in the Value field.

  3. Save and allow up to 48 hours for global propagation (often much faster).

SendGrid / Mailchimp / transactional providers

  1. Each provider publishes its own SPF include in its setup docs (e.g. include:sendgrid.net).

  2. Merge all includes into your single apex SPF record — do not create separate SPF records per service.

  3. Send a test email and check the Authentication-Results header for spf=pass.

How to verify the fix

  • Keep exactly one SPF record on the apex domain.

  • Use ~all (soft fail) while testing, then tighten to -all when every sender is listed.

  • Re-scan with Plexa Trust and confirm "SPF Record Missing" is cleared.

  • Pair SPF with DKIM and DMARC — see the email authentication overview guide.

Common mistakes

  • Publishing multiple SPF TXT records (invalid — merge into one).

  • Forgetting a marketing or transactional provider, causing their mail to fail SPF.

  • Exceeding 10 DNS lookups with too many nested includes.

  • Putting SPF on a subdomain instead of the root domain.

Frequently asked questions

Where does the SPF record go?

On your root domain as a TXT record — e.g. example.com, not mail.example.com. DNS panels often show this as Host @ or leave the name blank.

What is a safe starter SPF record?

v=spf1 include:your-email-provider.com ~all — add includes for every sender, then tighten ~all to -all once verified.

Can I have two SPF records?

No. Only one SPF record is valid per domain. Merge all includes into a single v=spf1 string.

What does ~all vs -all mean?

~all (soft fail) marks unauthorised senders as suspicious. -all (hard fail) tells receivers to reject them. Start soft, then harden.

How long until SPF propagates?

Often 15–60 minutes, but TTL and registrar caching can take up to 48 hours. Lower TTL before changes if you need faster rollout.

Does SPF fix spoofing completely?

No. SPF checks the envelope sender and breaks on forwarding. Combine with DKIM and DMARC for full protection of the visible From address.

My marketing tool sends from a subdomain — do I need SPF there too?

Sometimes. If they send from news.example.com, they may need a separate SPF on that subdomain. Your apex SPF covers mail sent directly from @example.com.

How do I confirm it worked?

Use an SPF lookup tool, send a test email and check Authentication-Results for spf=pass, and re-scan with Plexa Trust.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring