All guides

SPF Record Too Long? Fix It Without Breaking Mail

InboxRadar grades your email deliverability free and emails you when it changes. Check your domain.

Why a long SPF record breaks mail

One extra email tool can push a working domain into a silent failure. The record still looks normal in your DNS panel, but receivers may see a record they cannot parse, a response that is too large, or an SPF check that spends all 10 allowed DNS lookups before it reaches the real sender.

SPF is the TXT record that lists who may send mail for your domain. A typical record starts with v=spf1, uses mechanisms such as include:, ip4:, ip6:, a, or mx, and ends with a qualifier such as ~all or -all. Receivers use it during delivery. If SPF returns permerror, Gmail, Outlook, and other mailbox providers may treat the message as less trustworthy. That can hurt inbox placement, even when the message is real.

Long can mean three different things. First, a DNS host may reject a TXT value because one quoted string is over 255 characters. Many DNS providers handle this by splitting the TXT value into quoted chunks, but some admin panels make that hard. Second, the total SPF answer can become bulky enough to cause DNS trouble. RFC 7208 says SPF records should stay small enough for the DNS answer to fit within 512 octets, with 450 octets as a practical guideline for the DNS name plus TXT data. Third, and most common, the SPF record can exceed the SPF limit of 10 DNS lookups. RFC 7208 sets that limit for mechanisms and modifiers that need DNS, including include, a, mx, ptr, exists, and redirect.

If you want a quick outside read, run the domain through the free InboxRadar domain scorecard. It checks live SPF, DKIM, DMARC, and MX records and points at the record most likely to hurt delivery.

Fix the record in the right order

Do the boring cleanup before you flatten anything. Most bloated SPF records are old vendors, duplicate includes, or services that should send from their own domain instead of yours.

  • Keep exactly one SPF TXT record at the sending domain. Two records cause SPF permerror.
  • List every service that sends mail using your domain. Remove tools you no longer use.
  • Remove duplicate includes. They can still cost lookups when receivers evaluate SPF.
  • Prefer one include from each active provider. Do not paste provider internals unless their docs tell you to.
  • Replace stable, known senders with ip4: or ip6: only when the vendor gives fixed ranges and agrees they are stable.
  • Avoid ptr. It is slow, fragile, and discouraged by RFC 7208.
  • Be careful with a and mx. Each can add lookups, and mx can expand into more DNS work.
  • Use ~all while you are testing. Move to -all only after every SPF-approved source is listed, every other real source signs with aligned DKIM, and DMARC reports look clean.

Flattening means replacing includes with the IP ranges they currently resolve to. It can cut lookups, but it creates a maintenance job. If Google, Microsoft, Mailchimp, or another provider changes its sending IPs, your flattened record can become wrong. If you flatten, monitor it and refresh it on a schedule.

Do not try to solve a long SPF record by publishing SPF in several TXT records at the same name. Receivers must see one SPF policy. If you split one logical TXT value into quoted DNS chunks, that is different. DNS joins those chunks into one TXT answer. Your DNS provider may show this as one field or several quoted strings.

Check DKIM, DMARC, MX, and reputation too

SPF alone does not prove a message should reach the inbox. Modern filters look for a domain that is authenticated, aligned, and sending mail people want.

Turn on DKIM for each sending service. DKIM uses a selector, such as google._domainkey, and signs the message with a key tied to your domain. If one service signs with its own domain instead of yours, DMARC alignment may fail even when SPF passes.

Publish DMARC at _dmarc.yourdomain. Start with p=none and a rua=mailto: address so you can see who is sending as you. Then move toward p=quarantine or p=reject after the real sources pass SPF or DKIM in alignment. Use the free DMARC report reader when an aggregate RUA file is too hard to read by hand.

MX records do not make SPF, DKIM, or DMARC pass. They still matter because a real mail domain should handle replies and bounces. Broken receiving DNS can look sloppy to people and automated checks. Blocklists can also hurt, but they are usually a symptom. Fix authentication first, then check whether your domain or sending IP has been listed because of abuse, old compromised mail, or a bad list.

Google's sender guidelines expect SPF or DKIM authentication, DMARC, alignment, low spam rates, and easy unsubscribe for marketing mail. Microsoft also points senders toward valid SPF, DKIM, DMARC, DNS, and good complaint behavior. The exact weight is private, but the pattern is clear: broken authentication makes every other signal worse.

Do not let DNS fixes hide your site from AI search

If you also publish help docs or support pages, make sure the same cleanup pass does not block the crawlers that read your site for AI answers.

The crawlers that decide whether you appear in AI answers are OAI-SearchBot for ChatGPT search, Claude-SearchBot for Claude, PerplexityBot for Perplexity, Googlebot for Google AI Overviews through the normal Search index, and Applebot for Apple Intelligence. Disallowing these in robots.txt removes you from that engine.

GPTBot, ClaudeBot, CCBot, Google-Extended, and Applebot-Extended are training or opt-out controls. Blocking them does not affect live AI-search visibility. Google-Extended and Applebot-Extended are robots-only control tokens with no separate crawl user-agent.

robots.txt is a stated site policy, not proof of what any crawler did. Perplexity-User and Bytespider have been reported to ignore it, so treat logs as evidence and robots.txt as policy. Googlebot documents JavaScript rendering. For the other AI search crawlers, client-side-only content is an undocumented risk. Server-render the facts you need crawlers to read, and check visibility with the free AI visibility checker.

Common questions

How long is too long for an SPF record?

The most important limit is 10 DNS lookups during SPF evaluation. One TXT character-string also cannot exceed 255 octets, though DNS can store one TXT answer as several quoted chunks. SPF records should also stay small enough for reliable DNS answers. If your DNS host rejects the value, split the quoted TXT chunks or shorten the policy.

Can I have two SPF records?

No. Publish one SPF TXT record for a host name. Two records that both start with v=spf1 cause permerror, and receivers may fail SPF even if both records look reasonable.

Should I end with ~all or -all?

Use ~all while you are still finding real senders. Use -all after SPF lists the sources that need SPF, DKIM aligns for the others, and DMARC reports show no important source is failing.

Does DKIM fix a broken SPF record?

DKIM can still let DMARC pass if the DKIM signature is valid and aligned with the visible From domain. You should still fix SPF because some receivers and forwarding paths use it as another trust signal.

Where should I check the official rules?

Use RFC 7208 for SPF, RFC 6376 for DKIM, and RFC 7489 for DMARC. For delivery rules, read the current Google and Microsoft sender guidelines. For AI crawler access, use the vendor docs from OpenAI, Anthropic, Perplexity, Google, Apple, and Common Crawl.

Related guides

Check your domain free

InboxRadar grades your email setup A to F in about three seconds, then watches it and emails you the moment something breaks. Free, no login.

Check your domain