SPF none means your domain has no SPF record published, so receiving servers can't verify if the sending IP is authorized. This hurts deliverability and makes your domain vulnerable to spoofing. Fix it by adding a TXT record at your domain with v=spf1 followed by your authorized senders and ending with -all or ~all. Every domain that sends email needs an SPF record.
SPF None Result: What to Do When No SPF Record Exists
What SPF None Actually Means
When a receiving server checks your SPF record and gets none, it means:
- It queried DNS for a TXT record at your domain
- No SPF record was found
- The server has no information about whether the sending IP is authorized
This is different from:
- Pass — IP is authorized
- Fail — IP is explicitly not authorized
- Softfail — IP is probably not authorized
- Permerror/Temperror — Couldn't evaluate the record
SPF none is the absence of any SPF policy. You're not saying "allow this sender" or "reject this sender" — you're saying nothing at all.
Why SPF None Hurts Deliverability
No Authentication Signal
Modern email security relies on SPF, DKIM, and DMARC working together. When SPF returns none:
- You lose one of three authentication signals
- Receiving servers have less confidence in your email
- You're more likely to land in spam, especially with new domains or IPs
DMARC Can't Use SPF
If you have a DMARC record but no SPF:
- DMARC alignment can only happen via DKIM
- You lose the SPF alignment path entirely
- If DKIM fails for any reason, DMARC fails
Spoofing Vulnerability
Without an SPF record, anyone can send email pretending to be from your domain. There's no mechanism for receiving servers to reject unauthorized senders.
Practitioner note: I audit domains daily where the owner says "we don't send much email" so they never set up SPF. Then I show them their DMARC reports with thousands of spoofed messages from random IPs in Russia. SPF none is an open invitation.
How to Check for SPF None
Using MXToolbox
- Go to mxtoolbox.com/spf.aspx
- Enter your domain
- If result shows "No SPF record found" — you have SPF none
Using Command Line
dig TXT yourdomain.com
# Look for a record starting with "v=spf1"
# If none exists, SPF returns none
Using Google Admin Toolbox
- Go to toolbox.googleapps.com/apps/dig/
- Enter your domain
- Select TXT record type
- Look for SPF record in results
How to Fix SPF None
Step 1: Identify Your Authorized Senders
Make a list of every service that sends email as your domain:
| Service Type | Examples |
|---|---|
| Primary email | Google Workspace, Microsoft 365 |
| Marketing | Mailchimp, Klaviyo, ActiveCampaign |
| Transactional | SendGrid, Mailgun, Postmark |
| CRM | HubSpot, Salesforce |
| Other | Helpdesk, billing, forms |
Step 2: Build Your SPF Record
Basic structure:
v=spf1 [includes for each sender] [all mechanism]
Example for Google Workspace:
v=spf1 include:_spf.google.com -all
Example for Google Workspace + SendGrid:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Example for Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
Step 3: Add the DNS Record
Add a TXT record:
- Host/Name:
@(or leave blank, depending on registrar) - Type: TXT
- Value: Your SPF record
- TTL: 3600 (1 hour) or default
Step 4: Verify
Wait for DNS propagation (usually minutes, sometimes hours), then check with MXToolbox to confirm the record is live.
Common Scenarios
"We Don't Send Email"
You still need an SPF record. Spammers love domains without SPF because nothing prevents spoofing.
Add:
v=spf1 -all
This says "no IP is authorized to send email as this domain." Receiving servers will reject spoofed messages.
"We Only Use Gmail/Outlook"
Add the appropriate include:
Gmail/Google Workspace:
v=spf1 include:_spf.google.com -all
Outlook/Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
"We Use Multiple Services"
Combine includes in one record:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all
Watch the 10 DNS lookup limit — too many includes cause permerror.
"We Have Multiple Domains"
Each domain needs its own SPF record. The SPF record for company.com doesn't apply to company.co.uk.
Practitioner note: Agencies with multiple client domains often miss this. Every domain that sends email — even if it's just transactional from the website — needs SPF configured separately.
Softfail vs Hardfail
When creating your SPF record, you'll choose between:
-all(hardfail) — Unauthorized IPs should be rejected~all(softfail) — Unauthorized IPs should be marked suspicious but not rejected
Recommendation: Use -all if you're confident you've included all authorized senders. Use ~all temporarily while you audit and verify.
In practice, most major mailbox providers treat both similarly — they use SPF result as one signal among many rather than rejecting outright on hardfail.
SPF None vs Neutral (?all)
Some records end with ?all:
v=spf1 include:_spf.google.com ?all
This explicitly says "I make no assertion about IPs not listed." It's basically the same as none — you're opting out of SPF protection for unlisted senders.
Don't use ?all — it provides no security benefit. Use ~all or -all.
After Adding SPF
Once your SPF record is live:
- Test authentication — Send emails and check headers for
spf=pass - Set up DKIM — SPF alone isn't enough; configure DKIM for full authentication
- Add DMARC — Start monitoring with DMARC at p=none
- Monitor — Watch DMARC reports for SPF failures from legitimate senders you missed
If you're not sure which services send email for your domain or how to structure your SPF record correctly, schedule a consultation — I'll audit your sending and build the right record.
Sources
- RFC 7208: Sender Policy Framework (SPF)
- Google: Set up SPF
- Microsoft: Set up SPF for M365
- MXToolbox SPF Lookup
v1.0 · March 2026
Frequently Asked Questions
What does SPF none mean?
SPF none means the receiving server looked for an SPF record at your domain and found nothing. It can't determine if the sender is authorized, so SPF provides no authentication signal.
Does SPF none cause emails to go to spam?
By itself, SPF none doesn't guarantee spam placement. But it removes a positive authentication signal, making your email more likely to be filtered. Combined with missing DKIM or DMARC, it significantly hurts deliverability.
Is SPF none the same as SPF fail?
No. SPF none means no record exists to evaluate. SPF fail means a record exists and the sender IP is explicitly not authorized. None is absence of information; fail is explicit denial.
How do I add an SPF record?
Add a TXT record at your root domain (@) with value starting with v=spf1, including your authorized senders (like include:_spf.google.com), and ending with -all or ~all.
What if I don't send email from my domain?
You still need an SPF record to prevent spoofing. Use: v=spf1 -all — this tells servers that NO IP is authorized to send as your domain.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.