TrekMail
Webmail
For:
Agency flagship 1,000 client domains, one console. Teams Bulk-onboard mailboxes. Flat pricing. Solo Professional email on your domain. 5-min setup. AI Agents 181 MCP tools. Mailbox for your agent.
Standalone products
Email Verifier 25 checks per address. Pay-as-you-go credits. Cloud Drive 5 GB → 100 TB pooled with mailboxes. Webmail Modern 3-pane client. No ads, no scanning.
Learn
Documentation Setup, API, migration guides. Blog Deliverability deep-dives.
Programs
Referrals Earn credits for every signup. Affiliates Up to 30% recurring commission.
Deliverability & DNS

SPF Fail: Decode the Error and Fix It Fast

By Alexey Bulygin
SPF Fail: Decode the Error and Fix It Fast

Your email bounced. The headers say spf=fail. You've got a 550 5.7.1 or 550 5.7.26 staring back at you, and a client is waiting on a reply that never arrived.

An SPF fail isn't a content problem. It's a DNS authentication failure. The receiving mail server checked your SPF record, found the sending IP wasn't on the authorized list, and rejected the message before it ever reached a spam folder.

Since February 2024, Google and Yahoo reject unauthenticated email at the protocol level — not just flag it as suspicious. This guide decodes the specific error code you're seeing, shows you where to find the failing IP in your headers, and walks through the three DNS fixes that resolve the vast majority of SPF fail cases. No guessing. Get to the right fix first.

If you're setting up email on your domain for the first time, get the baseline DNS config right before you start debugging failures — SPF problems are almost always rooted in an incomplete initial setup.

What Is an SPF Fail?

An SPF fail happens when a receiving mail server evaluates your domain's Sender Policy Framework record and finds the sending IP address isn't listed as authorized. SPF is published as a DNS TXT record on your domain — it lists every IP address and mail service permitted to send email on your behalf. When the check fails, the server either rejects the message outright (hard fail) or accepts it as suspicious (soft fail). Either way, your DMARC policy counts it as a failure.

SPF checks the envelope sender — the MAIL FROM address negotiated during the SMTP handshake, not the friendly "From" header your recipient sees. That distinction matters when you're tracing where the break is.

SPF Result Record Qualifier What Happens to the Email
Hard Fail (fail) -all IP not authorized. Receiving server rejects the message per policy.
Soft Fail (softfail) ~all IP not authorized. Email accepted but flagged. Often routes to spam.
PermError Broken syntax or 10+ lookups Record is invalid. SPF fail for every sender, including legitimate traffic.
Pass -all (IP listed) IP authorized. Delivered normally.

Read the Error Code Before Touching Anything

Different mail servers return different SMTP codes for an SPF fail. The error code tells you exactly what the receiver decided and why — treating a 550 5.7.26 the same as a generic 550 5.7.1 wastes diagnostic time. Match the code to the cause before you touch a single DNS record.

Provider Error Code Meaning
Google / Gmail 550 5.7.26 Unauthenticated email blocked. No passing SPF or DKIM found. Standard rejection under Google's February 2024 bulk sender rules.
Microsoft / Outlook 550 5.7.515 Sender identity not authenticated. SPF or DKIM failure. "Access Denied" triggers before the email content is even scanned.
Generic receiver 550 5.7.1 Relay access denied. Catch-all for policy rejections. The receiver doesn't trust the sending IP.
Soft Fail (accepted) Headers show ~all SPF fail result, but lenient policy. Email lands in spam instead of getting rejected outright.

Step 1: Find the Failing IP in Your Headers

Don't guess which IP caused the SPF fail. Open the raw headers of the bounced message (or the bounce notification itself) and search for Authentication-Results. This header gives you the exact IP the receiver evaluated and the decision it made.

Authentication-Results: mx.google.com;
   spf=fail (google.com: domain of team@example.com does not designate
   192.0.2.55 as permitted sender)

Two pieces of forensic data are right there: the sending IP (192.0.2.55) and the domain being checked (example.com). Now identify who owns that IP:

  • A SaaS tool you recently onboarded? (HubSpot, Zendesk, Shopify)
  • Your web server? (WordPress, cPanel)
  • A mail forwarder? (See the Forwarding Trap section below)

Then confirm your current SPF record with a quick lookup:

dig +short txt yourdomain.com | grep spf

If you see more than one line starting with v=spf1, you've already found one of your problems.

Step 2: The Three Most Common SPF Fail Fixes

Most SPF fail cases come down to one of three root causes: a missing vendor include, a duplicate record, or exceeding the 10 DNS lookup limit. Pick the fix that matches what you found in Step 1.

Fix 1: The Missing Include (Vendor Gap)

You added a new email tool — HelpScout, HubSpot, Zendesk, Shopify transactional email — but didn't update your DNS. The service sends on your behalf using an IP you haven't authorized. This is the single most common cause of an SPF fail after onboarding a new vendor.

Failing record:

v=spf1 include:spf.trekmail.net -all

Passing record (after adding HelpScout):

v=spf1 include:spf.trekmail.net include:helpscoutemail.com -all

Find your vendor's required SPF include string in their documentation. Add it to your existing SPF TXT record — don't create a new record. Every service you send through needs to be listed.

Fix 2: The Double Record (Syntax Fatal)

You can only have one SPF record per domain. If you add a second TXT record for a new tool instead of merging it into the existing one, receivers see two conflicting policies and invalidate both. The result is a PermError — a hard SPF fail for every email from your domain, including mail that was delivering just fine before.

Wrong — two separate records:

v=spf1 include:spf.trekmail.net -all
v=spf1 include:_spf.google.com -all

Right — merged into one:

v=spf1 include:spf.trekmail.net include:_spf.google.com -all

Log into your DNS provider, delete all but one SPF TXT record, and merge everything into a single line. A PermError from a double record causes a silent SPF fail for all senders until you fix it.

Fix 3: The 10-Lookup Limit (Architecture Fail)

RFC 7208 limits SPF evaluation to 10 DNS lookups. This prevents servers from being used as DNS amplification vectors. Mechanisms like include, a, and mx each count against the limit — and nested includes (where your vendor includes their vendor's record) count too.

Exceed 10 lookups and you get PermError. SPF fails for everyone. Check your current lookup count by tracing your record:

dig +short txt yourdomain.com

Manually count each include, a, and mx mechanism, then follow the nested includes for each vendor. Two clean approaches if you're over budget:

  1. Segment senders to subdomains. Move high-volume marketing tools to marketing.yourdomain.com. That subdomain gets its own fresh 10-lookup budget, completely separate from your main domain's record.
  2. Flatten your record. Replace include chains with the actual IPs they resolve to using ip4: or ip6: mechanisms. These don't count as lookups. Tradeoff: you'll need to update your record manually when vendors rotate IPs.

One more trap: the void lookup limit. If more than two lookups in your chain return NXDOMAIN — say, a typo like include:spf.gogle.com — your record is invalidated per RFC 7208 §11.1. A single typo anywhere in your nested vendor includes can blow up the entire SPF evaluation.

The Forwarding Trap: Why SPF Fails on Legitimate Mail

Here's an SPF fail that has nothing to do with your DNS config. You send an email to an alumni address (alice@university.edu), which auto-forwards to Gmail (alice@gmail.com). Gmail sees the email arriving from the university's server IP. Your SPF record doesn't authorize that IP. SPF fail — even though you did everything right.

The path: Your server → University server → Gmail. The check: Gmail evaluates the last hop. You can't fix forwarding failures with SPF because SPF only authorizes the original sending IP. The moment a forwarder steps in, the IP check breaks.

The correct fix is DKIM. DKIM signs the message body and headers cryptographically. The forwarder typically doesn't alter the body, so the DKIM signature survives the relay hop. Even with an SPF fail, a valid DKIM signature keeps your message alive under DMARC.

If you're running infrastructure-level forwarding and want SPF-compatible rewrites, the Sender Rewriting Scheme (SRS) is worth understanding — it's how forwarders can rewrite the envelope sender so SPF passes at the final destination. For broader forwarding delivery failures, the email forwarding setup and fix guide covers the full diagnostic path.

Verify the Fix Before Moving On

After updating your DNS record, wait for propagation — typically 5 to 30 minutes for most providers, up to a few hours in some edge cases. Then verify the fix actually landed before calling it done.

Send a test email to a Gmail address and open the raw headers. Search for Authentication-Results. You want this:

Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of team@example.com designates
   192.0.2.55 as permitted sender)

If you still see spf=fail or spf=softfail, either the fix hasn't propagated or your record still has a problem. Check the IP in the headers against what's in your updated record. They need to match.

You can also verify the record directly:

dig +short txt yourdomain.com

Confirm exactly one record starting with v=spf1, that all your sending services are included, and that the record ends with -all (hard fail) or ~all (soft fail).

Managing SPF Across Multiple Domains

For one domain, SPF management is a one-time task. Add your includes, merge any duplicates, fix the lookup count — done. But if you're managing email for 10, 50, or 500 domains, each with its own SPF record and its own set of SaaS vendors, manually debugging each SPF fail becomes real operational overhead.

Approach SPF Record Required Who Manages IP Reputation
DIY / BYO SMTP Full record with every vendor listed You — manually
TrekMail Managed SMTP v=spf1 include:spf.trekmail.net -all TrekMail — IP rotation, reputation, DKIM alignment

TrekMail's managed SMTP — available on Starter at $3.50/mo and up — reduces this to a single include per domain. TrekMail handles IP rotation, bounce monitoring, DKIM alignment, and the underlying delivery infrastructure. For agencies on the Agency plan ($23.25/mo), you apply one standardized DNS template across all client domains instead of chasing SPF fail errors through hundreds of individual records.

Start a 14-day free trial if you want to see what managed delivery looks like in practice.

SPF Fail: The Short Version

An SPF fail means the receiving server checked your DNS, found the sending IP wasn't listed, and enforced your policy. Hard fail (-all) means rejection. Soft fail (~all) means spam folder. PermError means your record is broken and SPF fails for every sender until you fix the record itself.

Work through the fixes in order:

  1. Find the failing IP in the Authentication-Results header
  2. Add the missing vendor include if a new service caused the SPF fail
  3. Merge duplicate SPF records into one
  4. Reduce DNS lookups below 10, or segment high-volume senders to subdomains
  5. If the SPF fail is on forwarded mail, implement DKIM — SPF can't survive a relay hop

Get the right fix first, verify with headers, and you're done.

Share this article

Post Share Share

Related Articles

We use cookies for essential functionality. No ads, no ad tracking.

Sign in to TrekMail

Access your dashboard, mailboxes and DNS.

or
Continue with Google Continue with Facebook Continue with X Continue with Microsoft
or
Continue with Google Continue with Facebook Continue with X Continue with Microsoft

Reset email sent

If an account exists for this email, we've sent password reset instructions.

By continuing, you agree to TrekMail's Terms and Privacy Policy.