SPF Is Not Optional in 2026. Here Is What It Actually Does.

Every day, emails are rejected by Gmail and Yahoo because the sending domain has no SPF record, or has one that does not include the ESP they are actually sending through. This is not a technical edge case. It is one of the most common, most fixable deliverability problems I encounter in audits, and it is entirely preventable once you understand what SPF actually does.

What Is Actually Happening

SPF stands for Sender Policy Framework. It is a DNS record that tells receiving mail servers which IP addresses are authorised to send email on behalf of your domain.

When your ESP, Klaviyo, Mailchimp, or any other platform sends an email with your domain in the From address, the receiving server looks up your domain's DNS records and checks whether the IP address that just sent the email is on your authorised list. If the IP is there, SPF passes. If it is not, SPF fails.

Without an SPF record, there is no authorised list at all. The receiving server has no way to verify that the email claiming to be from your domain was actually sent by you or anyone you authorised. That is not a minor gap. It is a verification failure at the most fundamental level of email authentication.

SPF was designed to address a specific problem: anyone can send an email claiming to be from any domain. Nothing in the basic email protocol prevents that. SPF exists so receiving servers can check whether the server that delivered the message was actually authorised to claim that domain.

Google and Yahoo's 2025 bulk sender requirements made SPF mandatory for high-volume senders. Missing it is a non-compliance issue that can result in email being rejected outright, not just filtered to spam.

The most common SPF failure I see in audits is not a missing record entirely. It is a record that exists but does not include the ESP being used. A brand set up SPF three years ago when they were sending through one platform, then migrated to a different platform, and never updated the DNS record. The new ESP's IP addresses are not in the authorised list. SPF fails. Email lands in spam, or gets blocked, and no one understands why because the record technically exists.

SPF has one technical limitation worth knowing. It verifies the sending server's IP address, not the message itself. When a subscriber forwards your email, the forwarder's server re-sends from a different IP, which is not in your SPF record. The forwarded message fails SPF.

DKIM exists alongside SPF precisely because of this: DKIM signs the message and survives forwarding. Both are required for DMARC alignment. SPF is the foundation, and without it, the rest of the authentication stack is weaker.

The One Fix

Verify your SPF record and confirm it includes every sending source you are currently using.

Open your DNS management tool, find the TXT record for your domain that starts with v=spf1, and read through the authorised includes. Cross-reference that list against every platform that sends email on your behalf: your primary ESP, any transactional email service you use for order confirmations, any third-party tools that send notifications or automated emails from your domain.

If any sending source is missing from the SPF record, add its include. Every major ESP publishes its authentication setup instructions in its documentation. For Klaviyo, SPF is handled through the branded sending domain CNAME configuration; check your Klaviyo account's domain authentication settings for the exact DNS records required. For Mailchimp, the include is include:servers.mcsv.net. Add the appropriate include, save the record, and allow up to 48 hours for DNS propagation.

If you do not have an SPF record at all, create one. The format is a DNS TXT record at your root domain. A basic SPF record for a single ESP looks like v=spf1 include:klaviyo.com ~all. The ~all at the end is a soft fail for IPs not in your list. The direction in current email security practice is toward -all (hard fail) once you are confident the record is complete and you have moved your DMARC policy off p=none.

Use an SPF validation tool — MXToolbox is the most common option — to confirm the record syntax is correct after making changes. Invalid SPF syntax does not fail gracefully. A malformed record can break SPF entirely, which is worse than having no record at all. Get this right before moving on.

When SPF Is Configured Correctly

When SPF is correctly configured, receiving servers can verify that your emails are coming from authorised sources before they decide where to deliver them. You have one component of the authentication foundation in place. Combined with DKIM and a DMARC policy, SPF forms the technical proof that an email claiming to come from your domain was actually sent by you or a service you authorised.

The practical outcome is that your emails are not rejected at the server level for a fixable authentication failure. That baseline matters more than any subject line test.

You cannot A/B test subject lines to fix a problem that exists before the email is delivered. Authentication issues surface upstream of everything else. In my audits, SPF is the most common gap, and it is usually the right first place to start.