
Troubleshoot SPF issues

Protect against spoofing & phishing, and help prevent messages from being marked as spam

Follow the steps in this article if you set up SPF but messages sent from your domains are still:

  • Failing SPF authentication
  • Rejected by receiving servers
  • Sent to recipients’ spam folders

Note: It can take up to 48 hours after adding an SPF record for SPF authentication to start working.

Basic troubleshooting for SPF

Many SPF issues can be identified and resolved by following the steps in this section.

Verify SPF is set up correctly

To verify your SPF record is set up correctly, review these setup steps:

  1. Check if you have an existing SPF record.
  2. Define your SPF record.
  3. Add your SPF record at your domain provider.
  4. Make sure your domain has only one SPF record.

Verify outgoing messages pass SPF authentication

Email message headers include the results of the SPF authentication check. Check that messages sent from your domain pass SPF authentication.

Recommended steps:

  • Check the headers in a message sent from your domain to learn if messages are passing SPF.
  • In Gmail, click Show original for a message, then check the SPF status in the original message. Learn more about checking message headers in Gmail.
  • Enter message headers into Google Admin Toolbox Messageheader tool and check the SPF status.

Make sure your SPF record includes all your email senders

If your SPF record doesn’t reference all services that send mail for your domain, messages from these senders might fail SPF, and be rejected or sent to spam. Examples include:

  • Third-party providers that send email for your organization, for example email marketing providers
  • Website contact forms that automatically send email when someone submits info in the form

Recommended steps:

Check message forwarding

Even if SPF is correctly set up for your domain, forwarded messages can fail SPF. This is usually because of the way the forwarding server forwards messages.

Recommended steps:

  • To verify the message was forwarded and get the original recipient address, get message details with Email Log Search. If the person reporting a message as spam isn’t the original recipient, it’s likely the message was forwarded.
  • Contact the third party that forwarded the message to find out if they can change how they forward messages.
  • Use the tools described in Advanced Troubleshooting to check for suspicious email activity. Sometimes spammers forward messages to impersonate domains or organizations.

Review your email sending practices

If your domain has a valid SPF record and messages are still sent to spam, the cause might be something other than SPF. 

Recommended steps:

Advanced troubleshooting for SPF

If basic troubleshooting steps did not identify the issue, try these advanced troubleshooting steps.

Get SPF authentication results in message headers

The headers of messages sent from your domain have information about SPF authentication. To get the full headers of messages sent from your domain, follow the steps in Trace an email with its full headers.

Find the part of the message header that starts with Authentication-Results, and note the text next to the entry spf. Depending on the information in this part of the header, take the recommended steps below.

Message header content: No spf entry in Authentication-Results

Possible causes: The message did not go through an SPF check. Your SPF record might not be set up correctly.

Recommended steps: Verify SPF is set up correctly.

Message header content: The spf entry includes best guess record

Possible causes include:

  • SPF hasn’t been set up for your domain.
  • SPF isn’t set up correctly for your domain.
  • There’s an issue with the DNS at your domain provider.

Message header content: The SPF result is neutral, softfail, or fail. The SPF result is the text after spf=.

Possible causes include:

  • The message is from a legitimate sender but the IP address of that sender isn’t included in your SPF record.
  • The message was intentionally sent from an unverified IP address.
  • The message is from an unauthorized sender. In this case, the SPF results are correct.

Message header content: The SPF result is temperror or permerror. The SPF result is the text after spf=.

Possible causes include:

  • The message is from a legitimate sender but the IP address of the sender isn’t included in your SPF record.
  • The message was intentionally sent from an unverified IP address.
  • The message is from an unauthorized sender. In this case, the SPF results are accurate.
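
The header check described above can be scripted when many messages need triage. This is an added example, not part of the original article or any Google tool: `spf_triage` and its row labels are names chosen here, and the sample message is constructed with placeholder domains and a documentation IP address.

```python
import re
from email import message_from_string

# Constructed sample (placeholder domains and documentation IP, not a real message).
SAMPLE = """\
Authentication-Results: mx.example.net;
       spf=softfail (example.net: domain of transitioning bounce@example.com
       does not designate 203.0.113.7 as permitted sender)
       smtp.mailfrom=bounce@example.com
From: sender@example.com
Subject: constructed test message

body
"""

def spf_triage(raw_message):
    """Return (spf_result, table_row) for a raw message's Authentication-Results."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results") or []:
        unfolded = " ".join(value.split())        # undo header line folding
        match = re.search(r"\bspf=([a-z]+)", unfolded, re.IGNORECASE)
        if not match:
            continue                               # e.g. a header with only dkim=
        result = match.group(1).lower()
        # "best guess record" is checked first: it can appear alongside any result.
        if "best guess record" in unfolded.lower():
            return result, "best guess record"
        if result in ("neutral", "softfail", "fail"):
            return result, "neutral, softfail, or fail"
        if result in ("temperror", "permerror"):
            return result, "temperror or permerror"
        return result, "no row applies"            # e.g. spf=pass
    return None, "no spf entry"

if __name__ == "__main__":
    print(spf_triage(SAMPLE))
```

The second element of the returned tuple names the matching entry in the list above, so the possible causes can be looked up directly.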

 

Check the DNS lookups in your SPF record

SPF records support up to 10 lookups. So, your SPF TXT record can’t include more than 10 references to other domains. Each of these mechanisms in your SPF record results in a lookup: a, mx, include, ptr.

If your TXT record results in more than 10 lookups, messages from your domain won’t pass SPF and could be sent to spam.

What are DNS lookups? When a mail server checks incoming messages against your SPF record, the server might have to do a lookup. A lookup is the process of finding the IP addresses for a domain. When your SPF record authorizes domains to send mail for you, receiving servers check the IP address for the authorized domain. 

Recommended steps:

  • Check the number of lookups in your SPF record with the Check MX tool in the Google Admin Toolbox. 
  • Remove duplicate mechanisms, and mechanisms that refer to the same domain.
  • Be aware of nested lookups, which count toward the limit of 10. If your SPF record includes a domain, and that domain includes other domains in its SPF record, those other domains are counted toward your SPF record limit.
  • When using the include mechanism, keep in mind nested lookups might cause your SPF record to exceed 10 lookups.
  • When using the ip4 and ip6 mechanisms, keep in mind that SPF records have a 255 character string limit.
  • Only include domains that are actively sending email for you.
  • Remove any include mechanisms for third parties that no longer send mail for your domain.
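
To see how nested includes add up, the following added example (not from the original article and not how the Check MX tool is implemented) counts lookups recursively. The `ZONE` dictionary is a constructed stand-in for DNS TXT answers with placeholder domains; beyond the four mechanisms listed above it also counts `exists` and `redirect`, which RFC 7208 charges against the same limit.

```python
import re

SPF_LOOKUP_LIMIT = 10
# a, mx, include, ptr are the page's list; exists and redirect added per RFC 7208.
LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for DNS answers (placeholder domains).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example "
                   "include:_spf.crm.example ip4:192.0.2.0/24 ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example "
                           "include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.example": "v=spf1 a mx ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example ptr ~all",
}

def count_lookups(domain, zone, path=()):
    """Count lookup-causing terms in a domain's SPF record, following includes."""
    if domain in path:                  # include loop: stop instead of recursing
        return 0
    total = 0
    # A domain missing from the zone yields an empty record and adds nothing.
    for term in zone.get(domain, "").split()[1:]:      # [1:] skips "v=spf1"
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?",
                     term.lstrip("+-~?").lower())     # drop the qualifier
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue                    # ip4, ip6 and all need no lookup
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            # Nested records count toward the parent's limit.
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total

if __name__ == "__main__":
    n = count_lookups("example.com", ZONE)
    print(n, "lookups;", "over limit" if n > SPF_LOOKUP_LIMIT else "within limit")
```

The top-level record names only three lookup mechanisms, yet the nested records bring the total to 9, so one more third-party include would push it past 10.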

Get detailed insights with Google Workspace reporting tools

To get detailed information about email delivery and authentication for your domain, try these Google Workspace reporting tools.

Tool: Email Log Search

Recommended steps: To help you troubleshoot forwarding issues, get the original destination address for inbound and outbound messages with Email Log Search (ELS). ELS includes the source IP address of incoming messages, so you can troubleshoot SPF authentication issues. ELS also shows if messages received by users in your domain are marked as spam.

Tool: Authentication report

Recommended steps: Check which messages from your domain pass SPF, DKIM, and DMARC authentication checks with the Authentication report.

Tool: Postmaster Tools

Recommended steps: If you regularly send large volumes of email, get details about messages sent by your domain with Postmaster Tools. This tool has information about delivery errors, spam reports, and feedback loops.

Tool: Security investigation tool

Recommended steps: Get the authentication status of incoming messages, and identify incoming unauthenticated messages with the security investigation tool.

Tool: BigQuery and Gmail reports

Recommended steps: Get the authentication status of incoming messages, detailed information about individual messages, and delivery statistics over time with BigQuery and Gmail reports.
