SPF common mistakes: multiple records, include, and the 10-lookup limit

Why SPF fails even when you “have an SPF record”, and the fastest way to fix it.
2026-02-227 min readdeliverabilityspfdns

SPF is evaluated against the envelope sender domain (Return-Path / smtp.mailfrom). A visible From domain doesn’t guarantee SPF is configured correctly.

Mistake 1: You have more than one SPF TXT record

Many DNS providers allow multiple TXT records. But SPF must be exactly one record starting with v=spf1. Multiple SPF records often cause SPF=permerror or fail.

Rule
Keep only one v=spf1 record. Merge includes into a single SPF line.

Mistake 2: Missing an explicit ~all or -all

Without an explicit all mechanism, SPF intent is unclear and some tooling will warn. Most setups should end with ~all (softfail) or -all (fail).

Mistake 3: Exceeding the 10 DNS-lookup limit

  • Each include, a, mx, ptr, exists can count as a DNS lookup.
  • If SPF evaluation needs >10 lookups, SPF results can become permerror (treated like fail).
  • Fix by removing unused providers or consolidating ESPs.

A quick fix checklist

  1. Ensure only one SPF TXT record exists.
  2. Confirm it ends with ~all or -all.
  3. Remove old ESP includes you no longer use.
  4. Re-test with a real email and check Authentication-Results: spf=pass.
Open feedback form