SPF authentication can fail with five results: 'none' (no SPF record published — add one), 'softfail' (~all, partial failure — sent from an unauthorized IP), 'hardfail' (-all, rejected — sending IP not in SPF), 'permerror' (SPF record is broken — syntax error or more than 10 lookups), 'temperror' (DNS temporarily unavailable). Most common fix: add the missing sending service's 'include:' to your SPF record. Most dangerous error: permerror silently breaks SPF for ALL senders.
SPF Authentication Failed: Every Error Type and How to Fix It
SPF Result Types
| Result | Meaning | Impact | Fix |
|---|---|---|---|
| pass | Authorized sender | Good — intended behavior | None needed |
| none | No SPF record exists | Bad — no authorization at all | Publish an SPF record |
| softfail | Unauthorized but soft policy | Suspect — may be spam-filtered | Add sender to SPF |
| hardfail | Unauthorized, reject policy | Rejected — email bounces | Add sender to SPF |
| permerror | SPF record is broken | Critical — SPF fails for ALL mail | Fix record syntax or lookup count |
| temperror | DNS temporarily unavailable | Temporary — usually resolves | Wait, check DNS provider |
Fix: SPF None (No Record)
Your domain has no SPF record. Publish one.
Basic SPF for Google Workspace:
yourdomain.com TXT v=spf1 include:_spf.google.com -all
Google Workspace + Mailgun:
yourdomain.com TXT v=spf1 include:_spf.google.com include:mailgun.org -all
Rules:
- Only ONE SPF TXT record per domain
- Include every service that sends from your domain
- End with -all (hardfail) or ~all (softfail)
Fix: SPF Softfail / Hardfail
The sending IP isn't in your SPF record.
Step 1: Identify the sending service from the bounce message or email headers. The source IP is in the Received: header.
Step 2: Add the service's include to your SPF record.
Common includes:
| Service | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
| Klaviyo | include:_spf.klaviyo.com |
| Mailchimp | include:servers.mcsv.net |
| HubSpot | include:spf.hubspot.com |
| Postmark | include:spf.mtasv.net |
| AWS SES | include:amazonses.com |
| Zendesk | include:mail.zendesk.com |
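Steps 1 and 2 as an added example (not code from the original article): it reads the SPF verdict and connecting IP from the headers the receiving server stamped on a message, then reports which candidate service's ranges contain that IP. The message, the esp-a.example and esp-b.example services and their ranges are constructed; Received-SPF is the trace header defined in RFC 7208.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message: headers as a receiving MTA might stamp them.
RAW = """\
Received-SPF: softfail (mx.receiver.example: domain of transitioning
\tbilling@yourdomain.com does not designate 203.0.113.25 as permitted sender)
\tclient-ip=203.0.113.25; envelope-from=billing@yourdomain.com;
Received: from out25.esp-b.example (out25.esp-b.example [203.0.113.25])
\tby mx.receiver.example with ESMTPS; Tue, 03 Mar 2026 10:15:00 +0000
From: Billing <billing@yourdomain.com>
Subject: Invoice

body
"""

# Constructed ranges for hypothetical services; in practice these come from
# resolving each service's include: record.
SERVICE_RANGES = {
    "include:esp-a.example": ["198.51.100.0/24"],
    "include:esp-b.example": ["203.0.113.0/24"],
}

def triage(raw, service_ranges):
    """Return the SPF result, the connecting IP and the includes that cover it."""
    msg = message_from_string(raw)
    # Unfold the header and take its first word as the verdict.
    spf = " ".join((msg.get("Received-SPF") or "").split())
    result = spf.split(" ", 1)[0].lower() or "unknown"
    m = re.search(r"client-ip=([0-9a-fA-F.:]+)", spf)
    if not m:
        # Fall back to the bracketed IP in the topmost Received: header,
        # the one added by the receiver's own server.
        m = re.search(r"\[([0-9a-fA-F.:]+)\]", msg.get("Received") or "")
    ip = ipaddress.ip_address(m.group(1)) if m else None
    candidates = [inc for inc, nets in service_ranges.items()
                  if ip and any(ip in ipaddress.ip_network(n) for n in nets)]
    return {"result": result,
            "client_ip": str(ip) if ip else None,
            "candidate_includes": candidates}

if __name__ == "__main__":
    print(triage(RAW, SERVICE_RANGES))
```

An empty candidate list means the IP belongs to none of the services you checked, so confirm who operates it before authorizing anything in your record.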
Fix: SPF Permerror (CRITICAL)
Permerror means your SPF record is fundamentally broken. This affects ALL email from your domain, not just one service.
Cause 1: Exceeded 10 DNS Lookups
Each include:, a, mx, and exists mechanism costs DNS lookups. Maximum: 10.
Diagnose: Use MXToolbox SPF Lookup. It shows total lookup count. Above 10 = permerror.
Fix options:
- Remove includes for services you no longer use
- Use ip4: mechanisms instead of include: (IPs don't count as lookups)
- Delegate to subdomains (each gets its own 10-lookup budget)
- Use SPF flattening tools (AutoSPF, EasyDMARC)
Cause 2: Syntax Error
Common syntax errors:
- Missing v=spf1 at the start
- Multiple SPF records on the same domain (merge into one)
- Typo in mechanism (inclde: instead of include:)
- Invalid IP format
Diagnose: MXToolbox SPF Lookup shows syntax errors.
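An added example, not from the original article or MXToolbox: an offline audit covering both permerror causes above, counting lookups recursively through nested includes and flagging duplicate records, misspelled mechanisms and a doubled all. The zone data and every domain name are constructed; ptr and redirect are counted too, since RFC 7208 charges them against the same limit of 10.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4
MECHANISMS = {"all", "ip4", "ip6", "include", "a", "mx", "ptr", "exists"}

# Constructed TXT data standing in for live DNS; every name is illustrative.
ZONE = {
    "grown.example": ["v=spf1 mx a include:esp-a.example include:esp-b.example include:esp-c.example ~all"],
    "esp-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "esp-b.example": ["v=spf1 include:n1.esp-b.example include:n2.esp-b.example include:n3.esp-b.example ~all"],
    "esp-c.example": ["v=spf1 include:n1.esp-c.example include:n2.esp-c.example a mx ~all"],
    "typo.example": ["v=spf1 inclde:esp-a.example -all"],
    "twice.example": ["v=spf1 include:esp-a.example -all", "v=spf1 mx ~all"],
}
for leaf in ("n1.esp-b", "n2.esp-b", "n3.esp-b", "n1.esp-c", "n2.esp-c"):
    ZONE[f"{leaf}.example"] = ["v=spf1 ip4:203.0.113.0/24 ~all"]

def audit_spf(domain, zone, _path=()):
    """Return (dns_lookups, problems) for the SPF policy published at domain."""
    if domain in _path:
        return 0, [f"{domain}: include loop"]
    records = [t for t in zone.get(domain, []) if re.match(r"v=spf1(\s|$)", t, re.I)]
    if len(records) != 1:
        why = "no TXT record starting with v=spf1" if not records else f"{len(records)} SPF records (merge into one)"
        return 0, [f"{domain}: {why}"]
    lookups, problems, alls = 0, [], 0
    for term in records[0].split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)([:=/]?)(.*)$", term, re.I)
        name, sep, arg = (m.group(1).lower(), m.group(2), m.group(3)) if m else ("", "", "")
        if sep == "=" and name != "redirect":
            continue  # exp= and unknown modifiers cost no lookups
        if sep != "=" and name not in MECHANISMS:
            problems.append(f"{domain}: unknown mechanism '{term}'")
            continue
        alls += name == "all"
        lookups += name in LOOKUP_TERMS
        if name in ("include", "redirect"):  # nested records share the same budget
            sub_lookups, sub_problems = audit_spf(arg, zone, _path + (domain,))
            lookups += sub_lookups
            problems += sub_problems
    if alls > 1:
        problems.append(f"{domain}: more than one 'all' mechanism")
    if not _path and lookups > 10:
        problems.append(f"{domain}: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return lookups, problems

if __name__ == "__main__":
    for name in ("grown.example", "typo.example", "twice.example"):
        print(name, audit_spf(name, ZONE))
```

The grown.example record lists only three includes plus mx and a, yet resolves to 12 lookups once the nested includes are followed, which is why the count has to be taken recursively.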
Fix: SPF Temperror
DNS temporarily can't resolve your SPF record. Usually resolves on its own within hours.
If persistent:
- Check your DNS provider's status page
- Verify the TXT record exists and is correct
- Check DNS TTL — very short TTLs (60s) can cause intermittent failures under load
Practitioner note: Permerror is the SPF failure I fix most often. Companies add services over years without checking their lookup count. By the time they have 4-5 services, they're at 12-15 lookups and SPF silently fails for everything. The first diagnostic I run on any deliverability issue: MXToolbox SPF lookup → check total lookups.
Practitioner note: If your SPF record has both ~all and -all (which shouldn't happen but I've seen it), or has TWO separate SPF TXT records (which invalidates both), that's your problem. One record, one ending mechanism. Always.
Sources
- RFC 7208: Sender Policy Framework (SPF)
- MXToolbox: SPF Lookup
v1.0 · March 2026
Frequently Asked Questions
What does 'SPF softfail' mean?
Softfail (result ~all) means the sending IP is not authorized by your SPF record, but you've indicated a soft policy. The email isn't rejected but may be treated with suspicion. Common when you use ~all instead of -all. Fix: add the sending service to your SPF record.
What does 'SPF none' mean?
SPF none means your domain has no SPF record published. Without SPF, mailbox providers can't verify your sending authorization. Fix: add a TXT record with your SPF policy — at minimum v=spf1 include:[your-esp] -all.
What causes SPF permerror?
Two main causes: 1) SPF record exceeds the 10 DNS lookup limit (too many includes), 2) Syntax error in the SPF record (missing 'v=spf1', double spaces, invalid mechanisms). Permerror is the most dangerous because it silently breaks SPF for ALL email from your domain.
How do I fix SPF when I have too many DNS lookups?
Three options: 1) Remove unnecessary includes (old ESPs you no longer use), 2) Use subdomain delegation (different subdomains with separate SPF records), 3) SPF flattening (replace includes with IP addresses — requires maintenance). Subdomain delegation is the safest long-term solution.
My SPF was working and suddenly failed. What happened?
Common causes: DNS record was accidentally modified or deleted, a new sending service was added without updating SPF, your domain's DNS TTL expired and the record isn't resolving, or your ESP changed their SPF include (rare but happens). Check your current SPF record in MXToolbox.