Email DNS Check

SPF Record Syntax Explained

SPF records follow a strict syntax: a version prefix, a sequence of mechanisms, and a final all qualifier. Each mechanism (include, ip4, ip6, mx, a, redirect) has a specific format and meaning. Understanding the structure helps you read existing records, debug failures, and build correct policies from scratch.

One-Minute Fix

Ensure your SPF record starts with v=spf1, uses mechanisms in the correct format (e.g. include:domain.com with a colon and no extra spaces), and ends with an all qualifier such as ~all or -all.

Syntax breakdown
Plain text
v=spf1          → version (required)
  include:domain  → mechanism:value (colon, no space)
  ip4:192.0.2.0/24 → IP range
  ~all            → qualifier + all (softfail)

Mechanisms are evaluated left to right. The first match determines the result. The all mechanism is always last and defines the default for unmatched IPs.

Re-check

Wrong vs correct setup

Malformed syntax

Malformed syntax
DNS TXT
v=spf1 include _spf.google.com -all

The include mechanism requires a colon before the domain. A space instead of a colon causes a syntax error and makes the record unparseable.

Valid syntax

Valid syntax
DNS TXT
v=spf1 include:_spf.google.com -all

Colon after include, no extra spaces, and -all at the end. Receivers can parse this and evaluate it correctly.

Why syntax matters

SPF parsers are strict. A missing colon, extra space, or typo in a mechanism name invalidates the entire record. Receivers may treat it as a permanent error rather than attempting a fallback.

Why syntax errors are a problem

  • Receivers cannot evaluate the policy and may return permerror.
  • Legitimate mail loses SPF even when the intent was correct.
  • DMARC alignment can fail when SPF cannot produce a result.
  • Debugging becomes harder when the record looks present but is invalid.

How syntax affects deliverability

Invalid syntax prevents SPF from working at all. Mailbox providers see a broken record and may downgrade trust. Fixing syntax restores authentication and supports better deliverability.

Common syntax mistakes

  • Missing colon after include, redirect, or other mechanisms.
  • Extra spaces inside the record where none are allowed.
  • Typo in mechanism names (e.g. inclide instead of include).
  • Malformed qualifier (e.g. - all with a space).

What we checked

We inspect SPF records for valid syntax: correct mechanism format, valid qualifiers, and proper structure. Records that fail parsing are reported as syntax errors.

Live DNS lookup. No login. No saved domains. No tracking.

FAQ

What are SPF qualifiers?

Qualifiers (+pass, -fail, ~softfail, ?neutral) modify the result of a mechanism. The all mechanism typically uses ~ or - to define the default for unmatched IPs.

What is the order of mechanisms?

Mechanisms are evaluated left to right. The first match wins. The all mechanism is always last and applies when no earlier mechanism matches.

Can I use multiple includes?

Yes. List them sequentially: include:_spf.google.com include:sendgrid.net. Each triggers a DNS lookup, so stay under the 10-lookup limit.

Next steps

  • Read your current SPF record character by character.
  • Verify each mechanism has the correct format (mechanism:value).
  • Ensure the record ends with ~all, -all, or ?all.
  • Fix any typos or malformed syntax.
  • Re-run the check to confirm the record parses correctly.
  • Review the full troubleshooting guidance in the SPF Hub.
  • Check signing and selector issues in the DKIM Hub.
  • Review alignment and policy issues in the DMARC Hub.

Related fixes

Explore more issues