Suped detects the following SPF-related issues on your domains.
Missing SPF record
Issue code: spfMissing
What it means: No SPF record was found for your domain.
Why it matters: Without an SPF record, email receivers can't verify whether a sending server is authorized to send on behalf of your domain. This makes it easy for anyone to spoof your domain.
How to fix it: Create an SPF TXT record on your domain listing your authorized senders. For example: v=spf1 include:_spf.google.com -all. You can also use hosted SPF to manage your authorized senders from the dashboard.
Invalid SPF record
Issue code: spfInvalid
What it means: Your SPF record exists but has syntax errors.
Why it matters: An invalid SPF record causes a permerror result, which means receivers can't evaluate it. Depending on the receiver's policy, this may cause emails to be rejected.
How to fix it: Common causes include a missing v=spf1 prefix, invalid mechanisms, and unclosed modifiers. Use Suped's domain health checker to validate your record and identify the specific syntax error.
Multiple SPF records
Issue code: spfMultiple
What it means: More than one SPF TXT record was found on your domain.
Why it matters: The SPF specification requires exactly one SPF record per domain. When multiple records exist, the result is a permerror and SPF fails for all emails.
How to fix it: Merge all mechanisms from your separate records into a single SPF record. For example, if you have v=spf1 include:_spf.google.com -all and v=spf1 include:servers.mcsv.net -all, combine them into v=spf1 include:_spf.google.com include:servers.mcsv.net -all.
SPF record too long
Issue code: spfTooLong
What it means: Your SPF record exceeds 450 bytes in length.
Why it matters: While the DNS specification allows TXT records up to 255 bytes per string (with multiple strings concatenated), some DNS resolvers truncate long records. Records over 450 bytes are at risk of being silently cut off, which breaks SPF evaluation.
How to fix it: Use SPF flattening to reduce the record size by resolving includes into IP addresses. Alternatively, use hosted SPF to let Suped manage the record for you.
DNS lookup limit exceeded
Issue code: spfLookupLimitExceeded
What it means: Your SPF record requires more than 10 DNS lookups to fully evaluate.
Why it matters: This is a hard limit defined in the SPF RFC. When the 10-lookup limit is exceeded, the result is a permerror and SPF fails for all emails from your domain. Each include, a, mx, and redirect mechanism counts as one lookup.
How to fix it: Use SPF flattening to collapse include mechanisms into literal IP addresses (ip4/ip6), which don't count toward the lookup limit.
Missing required include
Issue code: spfMissingRequiredInclude
What it means: A verified sending source requires a specific include: directive in your SPF record that isn't present. For example, you send email via Google Workspace but your SPF record doesn't contain include:_spf.google.com.
Why it matters: Without the correct include, emails from that source will fail SPF authentication. If DKIM also fails or isn't aligned, DMARC will fail and the email may be rejected or quarantined.
How to fix it: Add the required include: directive for the sending source. The exact value is shown in the issue details on your Suped dashboard.
SPF misaligned
Issue code: spfMisaligned
What it means: The Return-Path domain on emails from this source doesn't match your From domain.
Why it matters: SPF authenticates the Return-Path domain, not the From domain. DMARC requires alignment between the two - if they don't match, SPF passes but DMARC alignment fails. This means SPF alone can't satisfy DMARC for this source.
How to fix it: Configure your sending source to use a Return-Path (also called envelope sender or bounce address) that aligns with your From domain. Many email providers offer a custom Return-Path or custom bounce domain setting for this purpose.
