SPF and DKIM warning from Google, but I already have the DNS record that's supposed to solve it

I just had an email bounce back with the following message…

550 5.7.26 This message does not pass authentication checks (SPF and DKIM both do not pass). SPF check for [yourdomain.com] does not pass with ip: [209.85.220.69].To best protect our users from spam, the message has been blocked. Please visit Prevent mail to Gmail users from being blocked or sent to spam - Gmail Help for more information. kz19-20020a17090777d300b008cd6575e7c5sor5263164ejc.29 - gsmtp

I contacted my domain registrar, and they told me to add an SPF record as follows…

v=spf1 a ip4:213.171.216.0/24 ip4:77.68.64.0/27 mx -all

Cloudflare wouldn’t let me add this, as it said the content must start with “v=spf” (which it does!).

After a bit of searching around this forum, I discovered a post that said SPF has been deprecated, and that the content should be added as a TXT record instead.

However, I already have a TXT record with that content.

Anyone able to advise how I avoid emails being bounced again? Thanks

That record doesn’t look at all like what Google tells you to configure… going from memory here, but pretty sure they wouldn’t hardcode IPs there.

1 Like

The IP in the error message indicates you are a Google Workspace user. Is that the case?

If it is, you need to add include:_spf.google.com before -all.

SPF used to have its own DNS record type, but used TXT as a temporary solution while waiting for DNS implementations to support the dedicated SPF type. Nobody ever built the support for the SPF type, so it was deprecated because everybody just used TXT to store their SPF policy anyway.

3 Likes

In case this helps anyone else, there was a typo in the content for the record. It should end in ~all, not -all as I had it.

I would not describe that as a typo. It’s a policy decision you have to make.

There are four qualifiers that can be used in an SPF policy. PASS (+), NEUTRAL (?), SOFTFAIL (~) and FAIL (-).

-all means “if nothing else matches reject the email”, while ~all means something like “if nothing else matches accept the email, but it might be suspect”.

It might be a journey, but -all is the point most email admins should be aiming for.

2 Likes
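
An added example (not written by any poster in this thread): a minimal offline SPF evaluator showing why the IP from the bounce fails the original record, and how `include:` and the `-all` / `~all` choice change the result. The `INCLUDES` map and its `_spf.google.com` contents are constructed stand-ins for DNS lookups, and `a` / `mx` are treated as non-matching because they need live DNS.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

def evaluate_spf(record, sender_ip, includes=None):
    """Evaluate SPF terms left to right; the first matching term decides.

    includes: hypothetical map of domain -> SPF record, standing in for DNS.
    """
    includes = includes or {}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is PASS
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the nested record yields "pass";
            # a nested ~all or -all never leaks into the outer result.
            nested = includes.get(arg, "")
            matched = evaluate_spf(nested, sender_ip, includes) == "pass"
        else:
            matched = False                  # a, mx, ...: need DNS, skipped here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term

# Record quoted in the thread, and the IP from the 550 bounce.
ORIGINAL = "v=spf1 a ip4:213.171.216.0/24 ip4:77.68.64.0/27 mx -all"
SOFTFAIL = ORIGINAL.replace("-all", "~all")
WITH_INCLUDE = ORIGINAL.replace("-all", "include:_spf.google.com -all")
BOUNCE_IP = "209.85.220.69"
# Constructed stand-in, NOT the real published _spf.google.com record.
INCLUDES = {"_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ~all"}

if __name__ == "__main__":
    for label, rec in [("original", ORIGINAL), ("~all", SOFTFAIL),
                       ("with include", WITH_INCLUDE)]:
        print(label, "->", evaluate_spf(rec, BOUNCE_IP, INCLUDES))
```

Switching to `~all` only downgrades the verdict for the unlisted sender to softfail; adding the `include:` is what makes the sending IP an authorized source while keeping `-all` for everything else.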
