Defaults.Exposed › Reports
What Is SPF — and How Do I Fix My SPF Record? (2026)
Published 2026-07-01
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. SPF (Sender Policy Framework) is a DNS record listing which servers are allowed to send mail for your domain. See how we grade.
SPF is a single line in your DNS that says “these servers may send email as me — treat anything else as suspect.” Across 261 million domains, 53.21% publish an SPF record. That sounds healthy, but a record on its own doesn’t protect you: the terminal qualifier decides whether unlisted senders are rejected or waved through, and a large share of records are set so softly that they change nothing. Here’s what SPF actually does, the mistakes we see most, and how to fix yours.
What is an SPF record?
When a mail server receives a message claiming to be from your domain, it looks up your SPF record and checks whether the sending server is on your approved list. The record ends with an instruction for everything not on the list:
-all(hardfail) — reject unlisted senders. This is the setting that means business.~all(softfail) — accept but mark as suspicious. Most mail still gets delivered.?all(neutral) — do nothing; equivalent to having no opinion.+all— accept anything from anyone. This is actively dangerous and should never be published.
Of the 139 million domains that publish SPF, only 39.3% use a strict -all, while 55.8% use the softer ~all. And 36,014 domains publish +all — an open invitation that tells the world anyone may send as them.
The mistakes that quietly break SPF
- Too many DNS lookups. SPF is capped at 10 lookups (RFC 7208); exceed it and the whole record fails “permerror” and is ignored. 7,958 domains (0.01% of those with SPF) blow this limit — usually by chaining too many
include:statements for third-party senders. - Publishing
+all. Rare but catastrophic — it disables SPF entirely and endorses forgers. - Assuming SPF stops impersonation. It doesn’t, on its own. SPF checks the technical sending path, not the “From” address a person sees. 32.4% of all domains publish SPF but have no DMARC — so the visible sender can still be forged. SPF is the plumbing; DMARC enforcement is the lock. See SPF without DMARC.
How do I fix my SPF record?
- Publish one SPF record — a single TXT record starting
v=spf1. Never publish two; that’s an automatic fail. - List every legitimate sender — your mailbox provider, marketing platform, CRM, helpdesk — using their documented
include:values. - End with
-allonce you’re confident the list is complete. Start at~allif you need a safety margin, then tighten. See fix SPF. - Stay under 10 lookups — flatten or consolidate includes if you’re near the limit.
- Then add DMARC — SPF and DKIM feed DMARC, the control that actually stops someone sending email as your domain.
Frequently asked questions
What does an SPF record look like?
A single DNS TXT record such as v=spf1 include:_spf.google.com -all. The include: entries are your approved senders; the -all at the end rejects everyone else.
Is ~all or -all better?
-all (hardfail) is stronger — it tells receivers to reject unlisted senders. ~all (softfail) usually still delivers the mail. As of 2026-06-29, 39.3% of SPF records use -all and 55.8% use ~all.
Does SPF stop people spoofing my domain? Not by itself. SPF doesn’t govern the visible “From” address. You need DMARC set to enforce. 32.4% of domains have SPF but no DMARC and remain spoofable.
Why does my SPF record “fail” even though it looks right?
Most often it exceeds the 10-lookup limit and returns permerror. 0.01% of domains with SPF hit this. Reduce the number of include: lookups.
Is fixing SPF expensive? No — it’s a free DNS change. The effort is getting the sender list complete and correct, not money.
Check your domain’s SPF free
See your SPF record, its terminal qualifier, and whether it’s complete — privately, and owner-only.
Check your domain → · Fix SPF → · Fix DMARC → · How we grade → · Aggregate data only. Data stored and processed in the EU.