---
title: "How to fix SPF records by analyzing DMARC reports | DuoCircle"
description: "How to fix SPF records by analyzing DMARC reports."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/how-to-fix-spf-records-by-analyzing-dmarc-reports/"
---

Quick Answer

DMARC aggregate reports show every IP and service that sent mail claiming to be from your domain, whether each message passed or failed SPF, and whether the result aligned with the From header. Use this data to fix your SPF record by: (1) identifying legitimate senders missing from the record and adding the right include or ip4 mechanism, (2) removing services that no longer send for you to stay under the 10-DNS-lookup limit, (3) spotting alignment failures where SPF passes on the Return-Path domain but not the From domain, and (4) flagging unauthorized IPs that are spoofing your domain. SPF alone is fragile, it breaks on forwarding and offers no visibility, so DMARC reports are the feedback loop that makes ongoing SPF maintenance possible.

How to fix SPF records by analyzing DMARC reports

Your browser does not support the audio element.

[ Download episode](https://media.mailhop.org/duocircle/images/2025/06/How-to-fix-SPF-records-by-analyzing-DMARC-reports.mp3) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdmarc%2Fhow-to-fix-spf-records-by-analyzing-dmarc-reports%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=How%20to%20fix%20SPF%20records%20by%20analyzing%20DMARC%20reports&url=undefined%2Fblog%2Fdmarc%2Fhow-to-fix-spf-records-by-analyzing-dmarc-reports%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdmarc%2Fhow-to-fix-spf-records-by-analyzing-dmarc-reports%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdmarc%2Fhow-to-fix-spf-records-by-analyzing-dmarc-reports%2F&title=How%20to%20fix%20SPF%20records%20by%20analyzing%20DMARC%20reports "Share on Reddit") [ ](mailto:?subject=How%20to%20fix%20SPF%20records%20by%20analyzing%20DMARC%20reports&body=Check out this article: undefined%2Fblog%2Fdmarc%2Fhow-to-fix-spf-records-by-analyzing-dmarc-reports%2F "Share via Email") 

![DMARC report](https://media.mailhop.org/duocircle/images/2025/06/spf-record-generator-5566.jpg) 

You might be under the impression that the three major [email authentication](/resources/email-authentication) protocols are mutually exclusive. Well, this might be the most common misunderstanding and is **particularly true** for [SPF](/resources/what-is-spf) (Sender Policy Framework). 

Unlike DMARC, which builds upon the foundation laid by SPF and [DKIM](/resources/what-is-dkim), SPF essentially operates independently, but if you really want to **optimize your configuration** and tighten your security, this approach might not be very helpful. 

Yes, SPF is the first step in the authentication journey as it requires you to explicitly list all the authorized [mail servers](https://www.techtarget.com/whatis/definition/mail-server-mail-transfer-transport-agent-MTA-mail-router-Internet-mailer) or services allowed to send on behalf of your domain. This means everything from your primary **domain to your marketing services** and [CRM](https://www.investopedia.com/terms/c/customer%5Frelation%5Fmanagement.asp) must be included in your SPF record. 

Here’s the thing: configuring the SPF record isn’t just about listing all your sending services and getting done with it. It requires ongoing management and strategic planning, for which you can rely on DMARC reports. This is why we said that SPF doesn’t work best in isolation.

Now that we know SPF works best when complemented by **real-time visibility** of DMARC reports, let us understand how these reports bridge the gap between your intended email infrastructure and what’s actually happening in the wild.

[![ email infrastructure](https://media.mailhop.org/duocircle/images/2025/06/dkim-selector-8905.jpg)](https://media.mailhop.org/duocircle/images/2025/06/dkim-selector-8905.jpg)

## What do DMARC reports say about SPF?

DMARC reports give you a clear picture of how your domain is being used, what servers are sending emails on your behalf, and whether they are even **passing SPF checks**. You need to know all this to be able to spot gaps in your SPF record, catch unauthorized senders, and fix alignment issues that could otherwise lead to legitimate emails being rejected or [marked as spam](https://pressgazette.co.uk/publishers/digital-journalism/facebook-spam-posts-independent-small-news-publishers/).

Here’s how DMARC reports identify these gaps and help you fine-tune your SPF record:

### They list all sending sources

The report shows every server or service that’s **sending mail on your behalf**. This could be your own mail server, or tools like Mailchimp, [Google Workspace](https://workspace.google.com/intl/en%5Fin/), Salesforce, etc. If any of these aren’t listed in your SPF record, their emails can fail SPF, even if they’re legitimate.

### They tell you if the SPF passed or failed

_DMARC reports also give you an insight into whether each email passed SPF checks_. This helps you quickly spot if a legitimate sender has been left out of your SPF record or if there’s a misconfiguration causing failures. This information is important to help you **update your SPF record** so that all legitimate senders are properly included. And if there are any unnecessary inclusions, it also helps you clean up your SPF record by removing services that are no longer in use.

[![email passed SPF checks ](https://media.mailhop.org/duocircle/images/2025/06/spf-record-5521.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-5521.jpg)

## How can you fix your SPF record with the DMARC insights?

Once you’ve reviewed your DMARC reports and identified the gaps, here’s how you can use those insights to **fix and strengthen** your SPF record:

### Identify missing senders and add them

If you spot any service or address that you know is legitimate but is still failing SPF, check whether its **sending domain or IP address** is included in your current SPF record. If it’s not, be sure to include it in the record. And while you are at it, ensure that you use the correct “include:” mechanism, as recommended by the service provider. When you follow these steps, most of your SPF failures related to [legitimate senders](https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html) can be resolved quickly.

### Fix domain alignment issues

Even though your email passes the SPF check, there is a chance it might fail the DMARC check. This happens because DMARC doesn’t just look at whether SPF passed, it also checks if the domain used in the SPF check matches the domain shown in the “From” address of the email. If these two domains don’t align, [DMARC](https://dmarcreport.com/what-is-dmarc/) treats it as a fail. It often happens when third-party services send emails using their own domain in the Return-Path. To fix this, check if the service **allows you to configure** a [custom Return-Path](https://help.zoho.com/portal/en/kb/campaigns/deliverability-guide/best-practices/articles/what-is-a-custom-return-path-and-why-is-it-important) that uses your domain.

[![Custom Return-Path](https://media.mailhop.org/duocircle/images/2025/06/spf-validator-9032.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-validator-9032.jpg)

### Remove outdated entries

Over time, your SPF record can get cluttered with services you no longer use. _DMARC reports help you see which senders are actually active. If you notice ‘includes’ for services that haven’t sent emails in weeks or months, it may be best to remove them_. Cleaning up unused entries not only simplifies your SPF record but also helps you avoid hitting the 10 [DNS lookup](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) limit, which can cause SPF to break even when the **setup looks correct**.

### Watch out for the SPF lookup limit

SPF allows a maximum of 10 DNS lookups. If you’re including many **third-party services**, it’s easy to exceed this limit, which causes SPF to break silently. [DMARC reports](/content/dmarc-report) can show if SPF checks are failing due to too many lookups. If this happens, you can either consider removing unused includes or using SPF flattening tools. 

## Maintaining a healthy SPF configuration

Like any other security setting, SPF is also not a one-time setup protocol. It should evolve with your [email infrastructure](https://www.voilanorbert.com/blog/email-infrastructure/). Whether you start using a new tool or unsubscribe from an existing one, you must update it all in your SPF record. If a legitimate service isn’t added, its emails might fail authentication. And if an outdated service stays in the record, it adds unnecessary bulk and brings you closer to the **SPF limit of 10 DNS lookups**, which can cause the entire check to fail silently. Either way, if your SPF record isn’t up to date, your emails won’t reach their destination, or worse, they might get flagged as suspicious or rejected outright.

[![ security setting ](https://media.mailhop.org/duocircle/images/2025/06/dmarc-office-365-5566.jpg)](https://media.mailhop.org/duocircle/images/2025/06/dmarc-office-365-5566.jpg)

Keeping your [SPF record](/content/spf-records) clean and updated doesn’t take much time, but it goes a long way in making sure your emails are trusted, delivered, and protected.

The **process might sound daunting**, but you’re in the right place.

If you help fix or maintain your SPF record, our team at [DuoCircle](/) is here to help you with it all and more! From analyzing your DMARC reports to optimizing your SPF configuration and maintaining the SPF lookup limit, we make the process simple and accurate. [Book a demo](/demo-request) with us to see how we can **secure your email setup**.

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

## Secure your email infrastructure

Protect, authenticate, and deliver. Contact our team to find the right solution.

[Contact Sales](/contact/) [Explore Products](/products/) 

## Related Articles

[  DMARC 7m  DMARC at p=none Is a Setup State, Not a Deployment  May 5, 2026 ](/blog/dmarc-p-none-is-a-setup-not-a-deployment/)[  DMARC 15m  10 Ways To Master DMARC Failure Troubleshooting And Fix Email Authentication Fast  Feb 26, 2026 ](/blog/dmarc/10-ways-master-dmarc-failure-troubleshooting-fix-email-fast/)[  DMARC 13m  7 Easy Steps to Set Up DMARC and Secure Your Email Domain  Dec 19, 2025 ](/blog/dmarc/7-easy-steps-to-set-up-dmarc-and-secure-your-email-domain/)[  DMARC 16m  8 Reasons To Choose A DMARC Report Analyzer Tool With Real-Time Dashboards And Alerts  Jan 27, 2026 ](/blog/dmarc/8-reasons-choose-dmarc-report-analyzer-real-time-dashboards-alerts/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"How to fix SPF records by analyzing DMARC reports","description":"How to fix SPF records by analyzing DMARC reports.","url":"https://www.duocircle.com/blog/dmarc/how-to-fix-spf-records-by-analyzing-dmarc-reports/","datePublished":"2025-06-12T13:34:47.000Z","dateModified":"2025-06-12T13:37:35.000Z","dateCreated":"2025-06-12T13:34:47.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/dmarc/how-to-fix-spf-records-by-analyzing-dmarc-reports/"},"articleSection":"dmarc","keywords":"","wordCount":1028,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2025/06/spf-record-generator-5566.jpg","caption":"DMARC report","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"DMARC"},{"@type":"ListItem","position":3,"name":"How to fix SPF records by analyzing DMARC reports","item":"https://www.duocircle.com/blog/dmarc/how-to-fix-spf-records-by-analyzing-dmarc-reports/"}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"DMARC","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"How to fix SPF records by analyzing DMARC reports","item":"https://www.duocircle.com/blog/dmarc/how-to-fix-spf-records-by-analyzing-dmarc-reports/"}]}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"How to fix SPF records by analyzing DMARC reports","description":"How to fix SPF records by analyzing DMARC reports.","url":"https://www.duocircle.com/blog/dmarc/how-to-fix-spf-records-by-analyzing-dmarc-reports/","datePublished":"2025-06-12T13:34:47.000Z","dateModified":"2025-06-12T13:37:35.000Z","dateCreated":"2025-06-12T13:34:47.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/dmarc/how-to-fix-spf-records-by-analyzing-dmarc-reports/"},"articleSection":"dmarc","keywords":"","wordCount":1028,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2025/06/spf-record-generator-5566.jpg","caption":"DMARC report","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```