RedScore.ai

Fixes

DNS & Domain Security · Updated 2026-05-02

SPF Record Check

Informational SPF presence check (weight 0 in DNS). For the scored SPF check, see SPF Policy Strength in Email Security.

This is the DNS-category SPF check and it is informational only: it surfaces whether a v=spf1 TXT record exists on your apex but does not affect your score (weight 0 in DNS, despite the methodology table listing 15). The scored version of SPF lives in Email Security as SPF Policy Strength, which evaluates the qualifier (-all, ~all, ?all, +all) and gates on whether your domain receives mail. Treat this DNS row as an audit signal; for remediation, follow SPF Policy Strength.

How the check works

Queries TXT records at yourdomain.tld and looks for any record starting with v=spf1. The verdict reflects what was found:

  • Pass (low): v=spf1 record found with -all (hard fail) or ~all (soft fail).
  • Warn (medium): v=spf1 record found but no -all or ~all qualifier.
  • Fail (high): no v=spf1 record at the apex.

All three verdicts are informational. The DNS category does not deduct points based on this row; the same finding is scored under SPF Policy Strength in Email Security where the policy qualifier matters and the check is gated on having a non-null MX.

What to do

Use this row to audit, not to score. Two cases:

  • If your domain sends mail and you see Fail or Warn here: jump to the SPF Policy Strength fix in Email Security for the actual scored remediation. This DNS row will pass naturally once the Email Security check passes.
  • If your domain does not send mail and you see Fail here: the DNS row will keep showing Fail, but it does not affect score. Email Security marks SPF as not-applicable when there is no non-null MX. You can publish a hard-fail SPF anyway (v=spf1 -all) to explicitly declare "no one is authorized to send mail from this domain"; some receivers reject spoofed mail more aggressively when they see this.

Optional: hard-fail SPF for non-mail domains

If your domain genuinely does not send mail, publish a deny-all SPF alongside your null MX (see MX Presence & Hygiene). The two together explicitly declare the domain neither receives nor sends mail:

Deny-all SPF for a non-mail domain

yourdomain.tld.   IN  TXT  "v=spf1 -all"

Verify

  • dig +short TXT yourdomain @1.1.1.1 should show the record (or no SPF answer if you do not publish one).
  • Re-run the RedScore lookup. The DNS row reflects the latest record; remember it does not affect score either way.

For the actionable scored SPF check (qualifier strength, lookup count, multi-sender setup, audit playbook), see the SPF Policy Strength guide in Email Security.

What to do next

See how these recommendations apply to your site's current scan results.

Scan domain