DNS / email · Check
SPF record missing — how to publish and harden it
SPF lists the IPs and hosts authorized to send mail for your domain. Without one, receiving servers cannot verify your `MAIL FROM`, and spoofed phishing using your brand has fewer obstacles.
Real-world risk
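Receivers cannot use SPF to verify your domain’s authorized senders, so spoofed From: addresses are easier to abuse. SPF itself evaluates the envelope sender (`MAIL FROM`); tying that result to the visible From: header is the job of DMARC alignment.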
Fix steps (in order)
- Publish a TXT record at your domain (or use your DNS provider’s SPF wizard): `v=spf1 include:_spf.google.com -all` (adjust the includes to your real mail sources).
- Use `-all` (fail) or `~all` (softfail) intentionally; start with `?all` (neutral) only during testing.
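A local pre-check for the two steps above, as an added example (not Scorifya's code and not part of the original page): it takes the TXT strings published at the domain and flags a missing record, duplicate records, and a weak `all` qualifier. The function name `audit_spf` and the sample records are constructed for illustration; the lookup count covers top-level terms only, so nested includes can push the real total higher.

```python
# Added example. TXT strings are passed in so this runs offline;
# fetch real ones with: dig +short TXT example.com
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each trigger a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(txt_records):
    """Return (status, notes) for the TXT strings published at a domain."""
    cleaned = [r.strip().strip('"') for r in txt_records]  # dig quotes TXT data
    spf = [r for r in cleaned if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return "missing", ["no v=spf1 TXT record published"]
    if len(spf) > 1:
        return "permerror", ["more than one v=spf1 record; SPF evaluation fails"]

    notes, lookups, all_result, has_redirect = [], 0, None, False
    for term in spf[0].split()[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        # "include:x", "redirect=x" and "a/24" reduce to include, redirect, a.
        name = body.lower().replace("=", ":").split(":")[0].split("/")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all" and all_result is None:
            all_result = QUALIFIERS[qualifier]

    if all_result is None and not has_redirect:
        notes.append("no 'all' term: unlisted senders evaluate as neutral")
    elif all_result == "pass":
        notes.append("+all authorizes every sender")
    elif all_result == "neutral":
        notes.append("?all is a testing setting; move to ~all or -all")
    if lookups > 10:
        notes.append(f"{lookups} top-level lookup terms; the limit is 10")
    return ("weak" if notes else "ok"), notes


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = {
        "no SPF": ["google-site-verification=constructed-token"],
        "testing": ['"v=spf1 include:_spf.google.com ?all"'],
        "hardened": ["v=spf1 include:_spf.google.com -all"],
    }
    for label, records in samples.items():
        print(label, audit_spf(records))
```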
Topic explainer
DMARC, SPF, and DKIM explained: the email authentication trio →
A practical guide to email authentication: what SPF, DKIM, and DMARC each do, why all three are needed, and how to roll out a DMARC policy that actually blocks spoofed mail.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (`dns_spf_missing`) clears once the externally-observable signal is in place.