Follow the steps in this article if you set up Sender Policy Framework (SPF), but messages sent from your domains are still:
- Failing SPF authentication
- Rejected by receiving servers
- Sent to recipients’ spam folders
Note: It can take up to 48 hours after adding an SPF record for SPF authentication to start working.
Most common solutions
- Make sure you have an SPF record (and only one)
- Verify your SPF syntax
- Add third-party senders to the SPF record
- Understand DNS management
- Fix issues with too many DNS lookups
- Wait 24-48 hours for fixes to take effect
Make sure you have an SPF record (and only one)
You must have an SPF record to send an email. If you don't, emails might be blocked or sent directly to spam.
Note that each domain can have only one SPF record that specifies all hosts or email services. If you have multiple SPF records, your email might end up in a recipient's spam folder. To check if you have an SPF record, use one of many free tools available on the web. If you have more than one SPF record, consolidate all your SPF records into a single record.
Recommended steps
Verify your SPF syntax
If you use only Google Workspace to send email, your SPF syntax should look like this:
v=spf1 include:_spf.google.com ~all
For a list of common SPF syntax, go to Set up SPF.
Recommended steps
- Make sure you use the correct "~all" qualifier. The symbol should be a tilde (~), not a hyphen (-) or a question mark. A hyphen can be overly restrictive and cause delivery issues for legitimate email. A question mark doesn't authenticate outgoing messages.
- Be careful when entering an SPF record. Typos, extra spaces, or the incorrect use of quotation marks can make the SPF record invalid.
- When adding an SPF record at your domain host, enter the @ symbol if the host is the same domain (not subdomain) that you are adding the SPF record to. Otherwise, enter your domain name (for example, yourdomain.com).
Add third-party senders to the SPF record
If you use services other than Google Workspace to send email on your domain's behalf, you must specify these services in one SPF record. For example, if you use Workspace and Salesforce to send emails, your SPF record must authorize both Google Workspace and Salesforce. In this example, the SPF syntax would be:
v=spf1 include:_spf.google.com include:[salesforce_domain] ~all
If your SPF record doesn’t reference all of the services that send mail for your domain, messages from these senders might fail SPF and be rejected or sent to spam.
Recommended steps
- Check the servers and services in your SPF record. Make sure all servers and senders that currently send email for your domain are included in your SPF record.
- Update your SPF record with any new sender information. Then, add the updated SPF record to your domain.
- If messages sent from your website contact form are rejected or sent to spam, go to Troubleshoot Gmail not getting contact form messages.
Understand DNS management
Q: What is a domain host?
A: A domain host is a service that hosts your website's domain names.
Q: What is an SPF record?
A: An SPF record is a line of text listing IP addresses and mail servers that are authorized to send mail on your domain's behalf.
Q: What is a DNS TXT record?
A: A DNS TXT record is a blank record that can hold any type of plain text information about your domain (in this case, you are adding an SPF record). Your DNS TXT record might also contain a domain verification TXT record, which confirms that you own the domain.
Q: How do I access my domain host's DNS settings?
A: Sign in to your domain host, then go to the page where you update your domain's DNS TXT records. To find this page, check your domain's documentation. For details, go to Set up SPF.
Q: What is a DNS lookup?
A: When a mail server checks incoming messages sent from your domain against your SPF record, the server might do a lookup. A lookup is the process of finding a domain's IP addresses. In the following examples, each SPF record results in one lookup:
- SPF mechanisms: a, exists, include, mx, ptr
- SPF modifiers: redirect
Learn more about SPF record mechanisms and SPF record modifiers.
Fix issues with too many DNS lookups
The SPF specification allows for a maximum of 10 DNS lookups (for example, include, a, mx mechanisms). Complex SPF records that include several third-party services can exceed this limit, causing your SPF record validation to fail. Error messages can vary by provider, but they might include warnings that you don't have an SPF record (even if you do have one).
Recommended steps
- Check the number of lookups in your SPF record using the Check MX tool in the Google Admin Toolbox.
- Remove duplicate mechanisms and mechanisms that refer to the same domain.
- Be aware of nested lookups, which count toward the limit of 10 DNS lookups. If your SPF record includes a domain, and that domain includes other domains in its SPF record, the other domains are counted toward your DNS lookup limit.
- When using the include mechanism, keep in mind that nested lookups might cause your SPF record to exceed 10 DNS lookups.
- When using the ip4 and ip6 mechanisms, keep in mind that SPF records have a 255-character-string limit.
- Only include domains that are actively sending email for you.
- Remove any include mechanisms for third parties that no longer send mail for your domain.
Wait 24–48 hours for fixes to take effect
Once you have fixed your SPF record issues, it can take between 24-48 hours for these changes to globally take effect.
Other solutions
If your issue isn't included in the list above, try one or more of these steps:
- Verify outgoing messages pass SPF authentication
- Remove IP ranges from your SPF record
- Check message forwarding
- Review your email sending practices
Verify outgoing messages pass SPF authentication
Email message headers contain the results of SPF authentication checks. For details, go to Check if your Gmail message is authenticated and Trace an email with its full header.
Remove IP ranges from your SPF record
Avoid using broad, shared IP address ranges (often used for cloud hosting/computing) in your SPF record. Update your SPF record to use fixed, assigned IP addresses for your domain's cloud computing instance.
Check message forwarding
Even if SPF is correctly set up for your domain, forwarded messages can still fail SPF. This is usually because of the way the forwarding server forwards messages.
Recommended steps
- Verify that the message was forwarded and get the original recipient address using Email Log Search. If the person reporting a message as spam isn’t the original recipient, it’s likely that the message was forwarded.
- Contact the third party that forwarded the message to find out if they can change how they forward messages.
- Use the tools in Advanced troubleshooting (later on this page) to check for suspicious email activity. Sometimes spammers forward messages to impersonate domains or organizations.
For more details, go to Help forwarded messages pass authentication.
Review your email sending practices
If your domain has a valid SPF record and messages are still sent to spam, the cause might be something other than SPF. Follow the Email sender guidelines for sending email to Gmail users, especially if you send large volumes of mail.
Advanced troubleshooting
If you are still having issues after using the suggested fixes listed above, try these advanced troubleshooting steps:
See authentication results in message headers
The headers of messages sent from your domain have information about SPF authentication. To get the full headers of messages sent from your domain, follow the steps in Trace an email with its full header.
Find the part of the message header that starts with Authentication-Results, and note the text following the entry spf. Use this message header content to locate the applicable row in the following table and complete the recommended steps.
| Message header content | Possible causes | Recommended steps |
|---|---|---|
| No spf entry in Authentication-Results | The message didn't go through an SPF check. Your SPF record might not be set up correctly. | Go to Make sure you have an SPF record (and only one) and Verify your SPF syntax (both earlier on this page). |
| The spf entry includes best guess record |
|
|
| The SPF result (the text after spf=) is neutral, softfail, or fail |
|
|
| The SPF result (the text after spf=) is temperror or permerror |
|
|
Get detailed insights with reporting tools
To get detailed information about email delivery and authentication for your domain, try these Workspace reporting tools.
| Reporting tools | Recommended steps |
|---|---|
|
To help you troubleshoot forwarding issues, get the original destination address for inbound and outbound messages with Email Log Search (ELS). ELS includes the source IP address of incoming messages, so you can troubleshoot SPF authentication issues. ELS also shows if messages received by your domain's users are marked as spam. |
|
|
Authentication report |
Check which messages from your domain pass SPF, DKIM, and DMARC authentication checks with the Authentication report. |
|
Postmaster Tools |
If you regularly send large volumes of email, get details about messages sent by your domain with Postmaster Tools. This feature has information about delivery errors, spam reports, and feedback loops. |
|
Security investigation tool |
Get the authentication status of incoming messages and identify incoming unauthenticated messages with the security investigation tool. |
|
Gmail reports and BigQuery |
Get the authentication status of incoming messages, detailed information about individual messages, and delivery statistics over time with Gmail reports and BigQuery. |
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
