---
title: "Do’s and don’ts of an SPF record | AutoSPF"
description: "SPF records include syntaxes and many rules and limitations. If you don’t follow them, you will face SPF record failures, false positives, or false negatives."
image: "https://autospf.com/og/blog/dos-and-donts-of-an-spf-record.png"
canonical: "https://autospf.com/blog/dos-and-donts-of-an-spf-record/"
---


![email deliverability](https://media.mailhop.org/autospf/images/2024/09/spf-validator-2101.jpg) 

SPF records have their own syntax and many rules and limitations. _If you don’t follow them, you will face SPF record failures, false positives, or false negatives_. Develop the habit of regularly running your [SPF records](/spf-record-checker/create-spf-record/) through SPF analyzers or lookup tools to see whether they have any issues caused by not following the do’s and don’ts below.

_Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain._

## The do’s of an SPF record

Avoid common SPF pitfalls by adhering to these best practices:

### Do define all valid mail servers

Ensure that every server you use for sending emails is included in your SPF record. List them using mechanisms like ip4, ip6, a, mx, and include. This way, emails from legitimate senders won’t land in recipients’ [spam folders](https://www.courthousenews.com/judge-tosses-rncs-lawsuit-against-google-over-emails-sent-to-spam-folders/), and communication won’t be disrupted.

![ spam folders](https://media.mailhop.org/autospf/images/2024/09/spf-record-syntax-8.jpg) 

### Do include third-party services

If you have outsourced some kind of email work (like [email marketing](https://www.salesforce.com/in/marketing/email/)) to external services (such as [CRMs or marketing platforms](https://crm.io/what-is-a-crm-platform)), then include their sending sources in your SPF record using the ‘include’ mechanism. Skipping this part will lead to false positives.

### Do use the \~all mechanism (SoftFail) when testing

When setting up or testing a new SPF record, use \~all (SoftFail) to minimize email delivery disruptions before switching to -all (HardFail). SoftFail is the more flexible and forgiving of the two: it instructs the receiving mailboxes to store the [suspicious emails](https://news.usps.com/2024/02/06/receive-a-suspicious-email-heres-what-you-should-do-next/) sent from your domain in their spam folders, _whereas the HardFail mechanism instructs the receiving mailboxes to strictly reject such emails_.

### Do enforce SPF with -all after testing

Once everything is tested and verified, consider using -all (HardFail) to ensure that only authorized servers can send emails on your behalf. This is a good practice, as suspicious emails will never make their way into the recipients’ inboxes, leaving no possibility for the targeted recipients to fall into the trap of [malicious actors](https://thehackernews.com/2024/01/threat-actors-increasingly-abusing.html) who could send potentially [fraudulent emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) from your domain.

### Do keep the record concise

Ensure your SPF record remains under 255 characters for each DNS TXT entry, and avoid exceeding the 10 [DNS lookups](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) limit.

### Do update the record when new IPs or services are added

Update your SPF record whenever you add or change email service providers to avoid delivery issues. If not done, emails originating from those services might be flagged as unauthorized, reducing [email deliverability](/blog/how-does-spf-help-marketers-in-improving-email-deliverability/) and negatively impacting your [sender’s reputation](https://www.linkedin.com/pulse/what-sender-reputation-why-important-email-hippo-ltd-c8jlf?trk=organization%5Fguest%5Fmain-feed-card%5Ffeed-article-content).

Common scenarios in which you would have to add or remove sending sources include switching email providers, integrating with new [third-party](https://www.investopedia.com/terms/t/third-party.asp) email-sending services, adding a new [mail server](https://www.activecampaign.com/glossary/mail-server), or changing the [IP addresses](https://www.fortinet.com/resources/cyberglossary/what-is-ip-address) of an existing one. You may also need to make changes when you expand the services that send emails on your behalf, for example, when starting a new social media department.

## The don’ts of an SPF record

Ensure smooth email authentication by following these SPF practices:

### Don’t use multiple SPF records

There should only be one SPF record per domain. Multiple SPF records corresponding to a domain will fail the validation process. If needed, [merge all the existing SPF records](/blog/merge-spf-records-to-fix-multiple-spf-records-error/) into one. 

![email authentication](https://media.mailhop.org/autospf/images/2024/09/spf-flattening-1039.jpg) 

### Don’t forget about IPv6

There are relatively few [IPv6 servers](https://www.techtarget.com/iotagenda/definition/IPv6-address), which is why people often forget to add them to their SPF records. As a result, they remain blocklisted, causing [legitimate emails](https://www.rivialsecurity.com/blog/how-to-tell-fake-email) to get flagged.

### Don’t use wildcard mechanisms carelessly

_Avoid using broad mechanisms like +all or ?all, which would allow any IP to send emails on your behalf_. This defeats the purpose of SPF and exposes you to phishing or spam. Also, your domain will be highly prone to gaining a bad reputation, rupturing trust with recipients, and harming your [brand’s credibility](https://www.forbes.com/councils/forbesbusinesscouncil/2023/08/17/the-importance-of-brand-credibility/). 

### Don’t rely on SPF alone

SPF should be complemented with DKIM and [DMARC](/fraudmarc-alternatives/) for a more comprehensive [email security](/) strategy. DKIM uses cryptography to inform recipients if someone has changed or tampered with the email’s contents in transit. This is done using a pair of [public and private keys](https://www.ssl2buy.com/wiki/what-is-a-public-and-private-key-pair) that are matched at the recipients’ ends.

DMARC works by aligning SPF and [DKIM records](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dmarc-record-check/) with the ‘From’ domain, ensuring that only authorized servers are used for sending emails from your domain. It also has a reporting feature that provides you with a log of [unauthorized email](https://news.trendmicro.com/2023/12/05/unauthorized-log-in-attempt-notification-email/) activity. _By specifying a policy (none, quarantine, or reject), you can instruct receiving servers on how to handle unauthorized messages_.

### Don’t exceed the 10 DNS lookup limit

SPF has a hard limit of 10 DNS lookups per record. Exceeding this can cause the SPF check to fail. Avoid using too many include mechanisms and nested lookups. If your SPF record has already exceeded this limit, use our [automatic SPF flattening tool](/book-a-demo/), which condenses the records, helping them stay within the limit.
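The three don’ts that can be checked mechanically (multiple records, a permissive `all`, and the lookup limit with nested includes) are shown here as a small offline linter. This is an added example, not AutoSPF's code: the `ZONE` map, every domain name in it and the finding labels are constructed placeholders, and a real check would fetch the TXT records over DNS.

```python
import re

# Terms that cost one DNS lookup each during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)([:=/]?)(.*)")

# Constructed sample zone (placeholder names): domain -> TXT strings.
ZONE = {
    "example.com": ["v=spf1 mx a include:_spf.mailer.example include:_spf.crm.example ~all"],
    "_spf.mailer.example": ["v=spf1 include:a.mailer.example include:b.mailer.example "
                            "include:c.mailer.example -all"],
    "a.mailer.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "c.mailer.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "_spf.crm.example": ["v=spf1 a mx include:x.crm.example include:y.crm.example -all"],
    "x.crm.example": ["v=spf1 ip4:203.0.113.0/25 -all"],
    "y.crm.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
    "example.net": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:_spf.mailer.example -all"],
    "example.org": ["v=spf1 mx +all"],
}

def spf_records(domain, zone):
    """Return only the TXT strings whose first token is the SPF version tag."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include/redirect (macros are not expanded)."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:  # include loop, or no single record to follow
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        m = TERM_RE.match(term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(3):
            total += count_lookups(m.group(3).rstrip("."), zone, path + (domain,))
    return total

def lint(domain, zone):
    """Return labels for the don'ts this domain's SPF setup violates."""
    recs, findings = spf_records(domain, zone), []
    if len(recs) > 1:
        findings.append("multiple-spf-records")
    if any({"+all", "all", "?all"} & set(r.lower().split()) for r in recs):
        findings.append("permissive-all")
    if len(recs) == 1 and count_lookups(domain, zone) > 10:
        findings.append("lookup-limit-exceeded")
    return findings
```

The top-level record for `example.com` has only four lookup terms of its own; the other seven come from the nested includes, which is why the count has to be done recursively.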

## Final thoughts

Overlooking email authentication will do you no good, especially now that [phishing and spoofing](https://www.bleepingcomputer.com/news/google/google-now-blocks-spoofed-emails-for-better-phishing-protection/) are on the rise. So, get started with your email security drill today, and [reach out to us](/contact-us/) for anything related to SPF flattening.

![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

