High Severity | SPF

Fix: SPF Include Domain Not Resolving

One or more "include" mechanisms in your SPF record point to a domain that does not have a valid SPF record or does not resolve in DNS.

Quick Fix

Verify the include domain exists and has a valid SPF record, or remove it if the service is no longer used.

What This Error Means

When an SPF evaluator encounters an include mechanism, it looks up the SPF record of the included domain. If that domain does not exist, has no SPF record, or returns an error, the include fails. If too many void lookups occur (RFC 7208 recommends a limit of 2), the entire SPF check returns PermError.

Why It Matters

A failing include can cause your SPF record to return errors, which means emails from legitimate senders covered by other working includes may also fail authentication. It also wastes one of your 10 DNS lookups on a dead reference.

Step-by-Step Fix

1. Identify which include is failing

Check each included domain individually to find the one that does not resolve.

Example
# Check each include domain:
dig +short TXT _spf.google.com
dig +short TXT sendgrid.net
dig +short TXT spf.oldemailservice.com  # This one might fail

2. Verify whether the service is still in use

Determine if you still send email through the service associated with the failing include.

3. Update or remove the include

If the service is no longer used, remove the include. If it is still used, check with the provider for the correct include domain.

Before
v=spf1 include:_spf.google.com include:spf.oldemailservice.com include:sendgrid.net -all
After
v=spf1 include:_spf.google.com include:sendgrid.net -all

4. Test the updated record

Verify the updated SPF record resolves cleanly and all remaining includes are valid.

Example
dig +short TXT yourdomain.com | grep "v=spf1"
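
The checks from steps 1 and 4 combined into one script (an added example, not part of the original page or of any provider's tooling): it classifies every include in a record as ok, no-spf or void and counts the void lookups. The `.test` names and `SAMPLE_ZONE` data are constructed, and the function names and the `SPF_LIVE` variable are assumptions of this example.

```shell
# Constructed sample data ("name|TXT answer" per line); the .test names are not real.
SAMPLE_ZONE='example.test|"v=spf1 include:_spf.mail.test include:spf.gone.test include:other.test -all"
_spf.mail.test|"v=spf1 ip4:192.0.2.0/24 -all"
other.test|"site-verification=abc123"'

# TXT answers for a name. SPF_LIVE=1 queries real DNS with dig; otherwise the
# constructed zone above is used so the script runs offline.
lookup_txt() {
  if [ "${SPF_LIVE:-0}" = 1 ]; then
    dig +short TXT "$1" </dev/null
  else
    printf '%s\n' "$SAMPLE_ZONE" | awk -F'|' -v d="$1" '$1 == d { print $2 }'
  fi
}

# First SPF record of a name, lower-cased, with dig's quoting removed.
spf_record() {
  lookup_txt "$1" | sed 's/" "//g; s/"//g' |
    awk 'tolower($0) ~ /^v=spf1( |$)/ { print tolower($0); exit }'
}

# One line per include: ok (target publishes SPF), no-spf (TXT data but no
# v=spf1 record) or void (no TXT answer at all). Macros are not expanded.
check_includes() {
  rec=$(spf_record "$1")
  [ -n "$rec" ] || { echo "no SPF record for $1"; return 0; }
  printf '%s\n' "$rec" | tr ' ' '\n' | while read -r term; do
    case "$term" in
      include:*|[+?~-]include:*) target=${term#*include:} ;;
      *) continue ;;
    esac
    if [ -z "$(lookup_txt "$target")" ]; then echo "void $target"
    elif [ -z "$(spf_record "$target")" ]; then echo "no-spf $target"
    else echo "ok $target"
    fi
  done
}

# Void lookups among the includes (the page cites a recommended limit of 2).
void_count() { check_includes "$1" | grep -c '^void ' || true; }

domain=${1:-example.test}
check_includes "$domain"
echo "void lookups: $(void_count "$domain")"
```

Set `SPF_LIVE=1` and pass your domain as the first argument to query live DNS with dig instead of the sample data.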

Common Gotchas

  • Email service providers occasionally change their SPF include domains. If you set up SPF years ago, the provider may have migrated to a new domain.
  • Removing an include for a service you still use will cause emails from that service to fail SPF. Always verify the service is no longer in use before removing.
  • The void lookup limit (2 by RFC 7208 recommendation) means even two non-resolving includes can trigger a PermError.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

Why would an SPF include stop resolving?

The most common reasons are: the email service provider changed their SPF include domain, the provider shut down, or there was a typo in the include domain from the start.

What happens if an include domain has no SPF record?

The include mechanism returns a "none" result, which is treated as a failed match. If this triggers the void lookup limit, the entire SPF check may return PermError.

How many void lookups are allowed?

RFC 7208 recommends a limit of 2 void lookups (lookups that return no records). Exceeding this limit should result in a PermError, though enforcement varies by receiver.
