How to fix a missing SPF record on your domain
Your domain has no SPF record. SPF (Sender Policy Framework) tells mail servers which IP addresses are allowed to send email from your domain. Without it, an attacker can send phishing email that appears to come from `support@your-domain.com`, and receiving servers have no way to know it is fake. Fix it by adding one TXT record to your DNS. If you use a transactional email service like Resend or Postmark, they will tell you the exact value.
Why it matters
Email spoofing is how most phishing works. For a new domain, adversaries will try your name immediately — especially if your brand is well-known. SPF is one of three records (SPF, DKIM, DMARC) that make spoofing detectable.
How to check
- 01 Run `dig TXT your-domain.com +short` in a terminal.
- 02 Look for a line starting with `v=spf1`.
- 03 If missing, your domain is unprotected.
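The check above can be scripted. This is an added example, not code from this guide or from SafeToShip. It goes beyond the three steps: besides a missing record, it flags two conditions that RFC 7208 treats as errors (more than one `v=spf1` record, more than 10 DNS-lookup terms) and reports which `all` qualifier is in effect. The function names and the sample `dig` output are constructed for illustration.

```python
import re

# Terms that each trigger a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}

def parse_dig_txt(output):
    """Turn `dig TXT <domain> +short` output into one string per TXT record."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))  # a long record arrives as several quoted strings
    return records

def term_name(term):
    """Strip the qualifier and any argument: '~all' -> 'all', 'include:x' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower())[0]

def audit_spf(records):
    """Classify a domain's SPF posture from its TXT records; returns (status, detail)."""
    spf = [r for r in records if re.match(r"v=spf1( |$)", r, re.IGNORECASE)]
    if not spf:
        return "missing", "no TXT record starts with v=spf1"
    if len(spf) > 1:
        return "invalid", "multiple v=spf1 records; merge them into one"
    terms = spf[0].split()[1:]
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        return "invalid", f"{lookups} DNS-lookup terms, limit is 10"
    for t in terms:
        if term_name(t) == "all":
            qualifier = t[0] if t[0] in ALL_QUALIFIERS else "+"
            return ALL_QUALIFIERS[qualifier], f"{t} with {lookups} DNS-lookup terms"
    if any(term_name(t) == "redirect" for t in terms):
        return "redirect", "policy is delegated to another domain"
    return "neutral", "record has no all term, so unlisted senders are not failed"

# Constructed sample of `dig TXT your-domain.com +short` output (not real DNS data).
SAMPLE = '''"site-verification=constructed-example"
"v=spf1 include:_spf.google.com include:amazonses.com ~all"'''

if __name__ == "__main__":
    print(audit_spf(parse_dig_txt(SAMPLE)))
```

To audit a live domain, pass the text printed by `dig TXT your-domain.com +short` to `parse_dig_txt` instead of `SAMPLE`.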
How to fix it
DNS (any provider)
Add a TXT record at the root (@) of your domain. The value depends on which services send email for you.
Type: TXT
Host: @ (or your domain)
Value: v=spf1 include:_spf.google.com include:amazonses.com ~all
Using Resend
Resend dashboard → Domains → Add your domain → copy the TXT value they give you. Usually includes `include:_spf.resend.com`.
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
My domain has no SPF record. Tell me which email services I send from (check my code for email-sending libraries like resend, postmark, sendgrid, mailgun, nodemailer). For each, look up the correct SPF include value and assemble a single v=spf1 record that covers all of them. End with `~all` (soft fail). Give me the exact DNS entry to add.
FAQ
Frequently asked questions
- What's the difference between ~all and -all?
- `~all` = soft fail (message accepted, marked suspicious). `-all` = hard fail (message rejected). Start with `~all` until you are sure every sending service is included; then switch to `-all` for stronger protection.
- I don't send email from my domain at all. Do I still need SPF?
- Yes. Add `v=spf1 -all` to explicitly say no one is authorized to send from your domain. This blocks spoofing.