Security
SecurityMedium

SPF Record

Checks DNS for an SPF record — prevents others from sending email as your domain.

What this check measures

We query DNS TXT records on your domain for an SPF (`v=spf1`) record. It should list your authorized mail senders (e.g., Google Workspace, SendGrid) and end with `-all` (hard fail) or `~all` (soft fail).

Why it matters

Without SPF, spammers can send email "From: you@yourdomain.com" and it may reach inboxes. This destroys sender reputation and can get your legitimate mail marked as spam. Essential for any domain that sends email.

search

How our audit detects it

DNS TXT lookup on domain apex. Parse for `v=spf1` records. Validate syntax and ensure a final mechanism (-all, ~all, +all).

Typical findings

  • error_outlineNo SPF record at all — anyone can spoof.
  • error_outlineSPF ends with `+all` — allows everyone to send (defeats purpose).
  • error_outlineMultiple SPF records — invalid per RFC, all ignored.

How to fix

Add one TXT record: `v=spf1 include:_spf.google.com include:sendgrid.net -all` (adjust includes to your actual senders). End with -all for hard fail.

Frequently asked questions

Do I need SPF if I do not send email?expand_more
Yes — add `v=spf1 -all` to block all spoofing. Without SPF, spammers can still claim to be you.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

Scan my site

Related checks

Security

HTTPS Enabled

Checks that the site serves over HTTPS and redirects HTTP to HTTPS.

Security

TLS Version

Checks that the server uses TLS 1.2 or higher — older versions are broken.

Security

Mixed Content

Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.

Security

SSL Certificate

Checks that the SSL certificate is valid, not expired, and not expiring soon.

Learn more in the Glossaryarrow_forward