Troubleshoot SPF issues

Follow the steps in this article if you set up SPF but messages sent from your domains are still:

• Failing SPF authentication
• Rejected by receiving servers
• Sent to recipients’ spam folders

Note: It can take up to 48 hours after adding an SPF record for SPF authentication to start working.

Basic troubleshooting for SPF

Many SPF issues can be identified and resolved by following the steps in this section.

Verify SPF is set up correctly

To verify your SPF record is set up correctly, review these setup steps:

1. Check if SPF is already set up.
2. Prepare your SPF record.
3. Add or update your SPF record.

Verify outgoing messages pass SPF authentication

Email message headers contain the results of SPF authentication checks.

Recommended steps: See Check if your Gmail message is authenticated and Trace an email with its full header.

Make your SPF record includes all your email senders

If your SPF record doesn’t reference all services that send mail for your domain, messages from these senders might fail SPF, and be rejected or sent to spam. Examples include:

• Third-party providers that send email for your organization, for example email marketing providers
• Website contact forms that automatically send email when someone submits info in the form

Recommended steps:

• Check the servers and services in your SPF record. Follow the steps in Check if SPF is already set up. Make sure all servers and senders that currently send email for your domain are included in your SPF record.
• Update your SPF record with any new sender information. Follow the steps in Prepare your SPF record. Then, add the updated SPF record to your domain by following the steps in Add or update your SPF record.
• If messages sent from your website contact form are rejected or sent to spam, get steps to fix this issue in Troubleshoot Gmail not getting contact form messages.

Check message forwarding

Even if SPF is correctly set up for your domain, forwarded messages can fail SPF. This is usually because of the way the forwarding server forwards messages.

Recommended steps:

• To verify the message was forwarded and get the original recipient address, get message details with Email Log Search. If the person reporting a message as spam isn’t the original recipient, it’s likely the message was forwarded.
• Contact the third party that forwarded the message to find out if they can change how they forward messages.
• Use the tools in Advanced troubleshooting for SPF (later on this page) to check for suspicious email activity. Sometimes spammers forward messages to impersonate domains or organizations.

Review your email sending practices

If your domain has a valid SPF record and messages are still sent to spam, the cause might be something other than SPF. 

Recommended steps:

• Follow the Email sender guidelines for sending email to Gmail users, especially if you send large volumes of mail.

Advanced troubleshooting for SPF

If basic troubleshooting steps did not identify the issue, try these advanced troubleshooting steps.

Get SPF authentication results in message headers

The headers of messages sent from your domain have information about SPF authentication. To get the full headers of messages sent from your domain, follow the steps in Trace an email with its full header.

Find the part of the message header that starts with Authentication-Results, and note the text next to the entry spf. Depending on the information in this part of the header, take the recommended steps below.

Message header content	Possible causes	Recommended steps
No spf entry in Authentication-Results	The message did not go through an SPF check. Your SPF record might not be set up correctly.	See Verify SPF is set up correctly (earlier on this page).
The spf entry includes best guess record	Possible causes include: SPF hasn’t been set up for your domain. SPF isn’t set up correctly for your domain. There’s an issue with the DNS at your domain provider.	See Verify SPF is set up correctly (earlier on this page). Check with your domain provider to rule out current issues with their DNS.
The SPF result is neutral, softfail, or fail.	The SPF result is the text after spf=. Possible causes include: The message is from a legitimate sender but the IP address of that sender isn’t included in your SPF record. The message was intentionally sent from an unverified IP address. The message is from an unauthorized sender. In this case, the SPF results are correct.	See Verify SPF is set up correctly (earlier on this page). See Make sure your SPF record includes all current email senders (earlier on this page).
The SPF result is temperror or permerror	The SPF result is the text after spf=.  Possible causes include: The message is from a legitimate sender but the IP address of the sender isn’t included in your SPF record. The message was intentionally sent from an unverified IP address. The message is from an unauthorized sender. In this case, the SPF results are accurate.	See Verify SPF is set up correctly (earlier on this page). See Check the DNS lookups in your SPF record (later on this page). Check with your domain provider to rule out current issues with their DNS.

Check the DNS lookups in your SPF record

SPF records support up to 10 lookups. So, your SPF TXT record can’t include more than 10 references to other domains. Each of these mechanisms in your SPF record results in a lookup: a, mx, include, ptr.

If your TXT record results in more than 10 lookups, messages from your domain won’t pass SPF and could be sent to spam.

What are DNS lookups? When a mail server checks incoming messages against your SPF record, the server might have to do a lookup. A lookup is the process of finding the IP addresses for a domain. When your SPF record authorizes domains to send mail for you, receiving servers check the IP address for the authorized domain. 

Recommended steps:

• Check the number of lookups in your SPF record with the Check MX tool in the Google Admin Toolbox. 
• Remove duplicate mechanisms, and mechanisms that refer to the same domain.
• Be aware of nested lookups, which count toward the limit of 10. If your SPF record includes a domain, and that domain includes other domains in its SPF record, those other domains are counted toward your SPF record limit.
• When using the include mechanism, keep in mind nested lookups might cause your SPF record to exceed 10 lookups.
• When using the ip4 and ip6 mechanisms, keep in mind that SPF records have a 255 character string limit.
• Only include domains that are actively sending email for you.
• Remove any include mechanisms for third parties that no longer send mail for your domain.

Get detailed insights with Google Workspace reporting tools

To get detailed information about email delivery and authentication for your domain, try these Google Workspace reporting tools.

Tool	Recommended steps
Email Log Search	To help you troubleshoot forwarding issues, get the original destination address for inbound and outbound messages with Email Log Search (ELS). ELS includes the source IP address of incoming messages, so you can troubleshoot SPF authentication issues. ELS also shows if messages received by users in your domain are marked as spam.
Authentication report	Check which messages from your domain pass SPF, DKIM, and DMARC authentication checks with the Authentication report.
Postmaster Tools	If you regularly send large volumes of email, get details about messages sent by your domain with Postmaster Tools. This tool has information about delivery errors, spam reports, and feedback loops.
Security investigation tool	Get the authentication status of incoming messages, and identify incoming unauthenticated messages with the security investigation tool.
Gmail reports and BigQuery	Get the authentication status of incoming messages, detailed information about individual messages, and delivery statistics over time with Gmail reports and BigQuery.