Defaults.Exposed

Defaults.Exposed › Reports

What Is SPF — and How Do I Fix My SPF Record? (2026)

Published 2026-07-01

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. SPF (Sender Policy Framework) is a DNS record listing which servers are allowed to send mail for your domain. See how we grade.

SPF is a single line in your DNS that says “these servers may send email as me — treat anything else as suspect.” Across 261 million domains, 53.21% publish an SPF record. That sounds healthy, but a record on its own doesn’t protect you: the terminal qualifier decides whether unlisted senders are rejected or waved through, and a large share of records are set so softly that they change nothing. Here’s what SPF actually does, the mistakes we see most, and how to fix yours.

What is an SPF record?

When a mail server receives a message claiming to be from your domain, it looks up your SPF record and checks whether the sending server is on your approved list. The record ends with an instruction for everything not on the list:

Of the 139 million domains that publish SPF, only 39.3% use a strict -all, while 55.8% use the softer ~all. And 36,014 domains publish +all — an open invitation that tells the world anyone may send as them.

The mistakes that quietly break SPF

How do I fix my SPF record?

  1. Publish one SPF record — a single TXT record starting v=spf1. Never publish two; that’s an automatic fail.
  2. List every legitimate sender — your mailbox provider, marketing platform, CRM, helpdesk — using their documented include: values.
  3. End with -all once you’re confident the list is complete. Start at ~all if you need a safety margin, then tighten. See fix SPF.
  4. Stay under 10 lookups — flatten or consolidate includes if you’re near the limit.
  5. Then add DMARC — SPF and DKIM feed DMARC, the control that actually stops someone sending email as your domain.

Frequently asked questions

What does an SPF record look like? A single DNS TXT record such as v=spf1 include:_spf.google.com -all. The include: entries are your approved senders; the -all at the end rejects everyone else.

Is ~all or -all better? -all (hardfail) is stronger — it tells receivers to reject unlisted senders. ~all (softfail) usually still delivers the mail. As of 2026-06-29, 39.3% of SPF records use -all and 55.8% use ~all.

Does SPF stop people spoofing my domain? Not by itself. SPF doesn’t govern the visible “From” address. You need DMARC set to enforce. 32.4% of domains have SPF but no DMARC and remain spoofable.

Why does my SPF record “fail” even though it looks right? Most often it exceeds the 10-lookup limit and returns permerror. 0.01% of domains with SPF hit this. Reduce the number of include: lookups.

Is fixing SPF expensive? No — it’s a free DNS change. The effort is getting the sender list complete and correct, not money.

Check your domain’s SPF free

See your SPF record, its terminal qualifier, and whether it’s complete — privately, and owner-only.

Check your domain → · Fix SPF → · Fix DMARC → · How we grade → · Aggregate data only. Data stored and processed in the EU.