Missing spf

Quick win

Add a DNS TXT record containing a valid SPF policy to your domain so email servers can verify that messages sent from your domain are legitimate.

What it is

SPF (Sender Policy Framework) is a DNS record — a single line of text published at your domain's root — that tells the world's email servers which mail-sending services are officially allowed to send email on behalf of your domain. Without it, there is no published list of authorized senders, so receiving mail servers have no way to confirm whether an email claiming to be "from yourstore.com" actually came from you or from an attacker. It is one of the three foundational email-authentication standards (SPF, DKIM, and DMARC) that major inbox providers now require.

Why it matters

Without an SPF record, cybercriminals can send convincing phishing and spoofing emails that appear to come from your store's domain — targeting your customers, suppliers, and staff. Beyond fraud risk, inbox providers like Google and Microsoft use SPF as a key trust signal: missing or broken SPF causes your legitimate order confirmations, shipping updates, and marketing emails to land in spam or be rejected outright, directly harming customer experience and revenue. Google and Yahoo's 2024 bulk-sender requirements made SPF mandatory for deliverability. Failing to publish one is classified as a Security Misconfiguration (OWASP A05:2021) because it leaves your domain's identity unprotected and exploitable.

How to fix it

Identify every service that sends email from your domain — your ecommerce platform's transactional mail, your ESP (e.g. Klaviyo, Mailchimp), Google Workspace or Microsoft 365, and any helpdesk or CRM tools.
Log in to your DNS provider (the registrar or nameserver host where your domain's DNS zone is managed — e.g. GoDaddy, Namecheap, Cloudflare, Route 53).
Create a new DNS TXT record at the domain apex (the bare domain, e.g. yourstore.com — often represented as '@' in DNS UIs) with a TTL of 3600 (1 hour) or your provider's default.
Set the record value to an SPF policy that includes all your authorized senders, for example: v=spf1 include:_spf.google.com include:servers.mcsv.net ~all — replace the include: directives with the exact ones published by each of your sending services, and end with -all (hard fail) for maximum security or ~all (soft fail) while testing.
Verify the record has propagated using a free SPF lookup tool (search 'SPF record checker') and confirm it returns your new policy without errors such as 'too many DNS lookups' (the limit is 10).
Once confirmed working, consider upgrading ~all to -all and then add DKIM and a DMARC policy to complete your email-authentication setup.

; DNS TXT record to add at your domain apex (e.g. yourstore.com)
; Replace the include: values with the ones published by YOUR sending services.

@ 3600 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net include:shops.shopify.com ~all"

; Key parts:
;   v=spf1               → SPF version (required, always this value)
;   include:…            → Delegate to another provider's SPF list (add one per sending service)
;   ip4:203.0.113.5      → Authorize a specific server IP directly (use only if needed)
;   -all                 → Hard fail: reject mail from any unlisted sender (most secure)
;   ~all                 → Soft fail: accept but mark unlisted senders (use during rollout)

Fix it on your platform

Pick your platform for the exact steps.

How to fix missing spf on Shopify

Shopify does not manage your domain's DNS records directly — you must edit DNS at wherever your domain is registered or hosted (e.g. GoDaddy, Namecheap, Cloudflare).
In your Shopify admin, go to Settings → Domains and note your custom domain and which nameservers it uses (Shopify-managed or external).
If your domain uses Shopify-managed DNS: go to Settings → Domains → click your domain → 'DNS Settings' → click 'Add custom record' → choose TXT → Host: @ → Value: your SPF string (e.g. v=spf1 include:_spf.google.com include:shops.shopify.com ~all) → Save.
If using external DNS (Cloudflare, GoDaddy, etc.), log in to that provider's DNS dashboard and add the TXT record at '@' with your SPF value there.
Shopify's own transactional mail is sent through their infrastructure; if you use Shopify Email or rely on Shopify's default sending, add 'include:shops.shopify.com' to your SPF record.
Verify propagation with an SPF checker tool.

Full Shopify guide →Official Shopify docs ↗

How to fix missing spf on Shopify Plus

Follow the same steps as Shopify above — DNS management location and Shopify-managed vs. external DNS apply identically to Plus merchants.
Shopify Plus merchants using custom transactional email routing (e.g. via SendGrid or Postmark configured in the Plus admin) must also add the include: directive for that provider.
For enterprise setups with a dedicated IP, confirm the exact SPF include string with your email delivery provider and add it to the record.

Full Shopify Plus guide →Official Shopify Plus docs ↗

How to fix missing spf on WooCommerce

WooCommerce runs on WordPress hosted at a provider of your choice; DNS is managed at your domain registrar or hosting control panel (cPanel, Cloudflare, etc.) — not inside WordPress itself.
Log in to your hosting control panel (e.g. cPanel → Zone Editor, or your registrar's DNS manager).
Add a TXT record: Name/Host = @ (or your bare domain), TTL = 3600, Value = your SPF string including your web host's mail server and any ESPs you use (e.g. v=spf1 include:_spf.google.com include:sendgrid.net ~all).
WooCommerce transactional emails are sent by your web host's PHP mail or by a plugin like WP Mail SMTP / FluentSMTP — check which SMTP service that plugin is connected to and include that provider's SPF include: directive.
In WordPress admin, go to the plugin settings (e.g. WP Mail SMTP → Settings → Email tab) to confirm which sending service is in use.
Verify with an SPF checker after a few minutes.

Full WooCommerce guide →Official WooCommerce docs ↗

How to fix missing spf on BigCommerce

BigCommerce does not manage your domain's DNS — you manage it at your registrar or DNS host.
Log in to your DNS provider and add a TXT record at '@' with your SPF value.
BigCommerce sends transactional email through its own infrastructure; add 'include:_spf.bigcommerce.com' to your SPF record (verify the current include tag in BigCommerce's official documentation, as it may update).
If you have connected an external ESP (e.g. Klaviyo, Mailchimp) via BigCommerce's marketing integrations, add that provider's include: directive as well.
In BigCommerce admin, go to Settings → Email Templates to review which addresses send mail, then cross-reference with your sending services.
Verify propagation with a free SPF lookup tool.

Full BigCommerce guide →Official BigCommerce docs ↗

How to fix missing spf on Wix

If your domain is registered through Wix: log in to your Wix account → go to Domains (in the left sidebar of your Wix dashboard) → click 'Manage DNS' next to your domain.
In the DNS manager, scroll to the TXT Records section → click '+ Add Record'.
Host/Name: @ | TTL: 3600 | Value: your full SPF string (e.g. v=spf1 include:_spf.google.com ~all).
Click Save. Note: Wix's own transactional/marketing emails (Wix Ascend, Wix Stores order emails) are sent from Wix infrastructure — Wix automatically publishes SPF for mail sent through their servers, but you still need a record covering any external ESPs you use.
If your domain is registered externally (pointed to Wix via nameservers), add the TXT record at your external DNS provider instead.
Verify with an SPF checker after propagation.

Full Wix guide →Official Wix docs ↗

How to fix missing spf on Squarespace

If your domain is registered through Squarespace: go to your Squarespace account Home → Domains → click your domain → click 'DNS Settings'.
Scroll to 'Custom Records' → click 'Add Record' → Type: TXT → Host: @ → Data: your SPF string → Save.
If your domain is registered externally (you only pointed it to Squarespace), log in to your external registrar's DNS dashboard and add the TXT record there.
Squarespace sends transactional store emails (order confirmations, etc.) via its own mail infrastructure; check Squarespace's current documentation for the correct SPF include tag to add for Squarespace-originated mail.
If you use Google Workspace for your @yourdomain.com business email, add 'include:_spf.google.com' as well.
Verify propagation with a free SPF lookup tool.

Full Squarespace guide →Official Squarespace docs ↗

How to fix missing spf on Webflow

Webflow hosts your site but does not send transactional ecommerce email directly — outbound order emails typically go through a connected ESP or Webflow's built-in system.
DNS for your Webflow site is managed wherever your domain is registered (e.g. Namecheap, GoDaddy, Cloudflare) or via Webflow's Domain settings if you purchased the domain there.
In Webflow Designer/Dashboard: go to Project Settings → Publishing → Custom Domain → 'Edit DNS settings' (if Webflow-registered domain) OR log in to your external DNS provider.
Add a TXT record: Host = @, TTL = 3600, Value = your SPF string covering your email-sending services.
For Webflow Ecommerce transactional emails, check your Webflow project's Ecommerce → Settings → Emails section to see the sending address and which service delivers it, then include that provider's SPF tag.
Verify propagation using an SPF checker.

Full Webflow guide →Official Webflow docs ↗

How to fix missing spf on Adobe Commerce (Magento)

Adobe Commerce (cloud or on-premises) does not manage your DNS — edit records at your registrar or DNS provider (Cloudflare, Route 53, etc.).
Log in to your DNS provider and add a TXT record: Name = @, TTL = 3600, Value = your SPF string.
Adobe Commerce Cloud uses SendGrid for transactional email by default; add 'include:sendgrid.net' to your SPF record. Confirm the current include tag in Adobe Commerce Cloud's official documentation.
For on-premises installations using a custom SMTP relay (configured in Admin → Stores → Configuration → Advanced → System → Mail Sending Settings), add the SPF include for whichever SMTP service you are using.
If you use a third-party email extension (e.g. from Adobe Commerce Marketplace), check that extension's documentation for the correct SPF include directive.
Verify propagation and record correctness with a free SPF lookup tool.

Full Adobe Commerce (Magento) guide →Official Adobe Commerce (Magento) docs ↗

How to fix missing spf on Magento Open Source

DNS is managed at your registrar or hosting provider — not inside Magento.
Log in to your DNS provider and add a TXT record at '@' with your full SPF value.
In Magento admin, go to Stores → Configuration → Advanced → System → Mail Sending Settings to confirm the SMTP host in use, then add that provider's SPF include: directive to your record.
Common setups include a server-local sendmail (add your server's IP as 'ip4:x.x.x.x') or a third-party SMTP relay like SendGrid or Mailgun (use their published include: tag).
Verify propagation with a free SPF lookup tool.

Full Magento Open Source guide →Official Magento Open Source docs ↗

How to fix missing spf on PrestaShop

DNS is managed at your registrar or hosting control panel, not inside PrestaShop.
Add a TXT record at '@' with your SPF value at your DNS provider.
In PrestaShop back office, go to Advanced Parameters → Email to see the outbound mail method (PHP mail vs. SMTP) and the SMTP server configured. Add that provider's SPF include: directive.
Verify propagation with a free SPF lookup tool.

Full PrestaShop guide →Official PrestaShop docs ↗

How to fix missing spf on BigCommerce for WP

BigCommerce for WP is a headless/channel setup; email sending follows BigCommerce's infrastructure. Add 'include:_spf.bigcommerce.com' (verify current tag in BigCommerce docs) to your domain's TXT record at your DNS provider.
WordPress-side emails (admin notifications, password resets) are sent via your host's PHP mail or an SMTP plugin — add that provider's include: tag as well.
Add the TXT record at '@' in your registrar or DNS host dashboard and verify propagation.

Full BigCommerce for WP guide →Official BigCommerce for WP docs ↗

How to fix missing spf on WooCommerce REST API

This is a headless WooCommerce setup; email is still sent by the WordPress/WooCommerce backend via your SMTP configuration.
Identify your SMTP provider in your SMTP plugin settings (e.g. WP Mail SMTP → Settings) and add its SPF include: tag to a TXT record at '@' in your DNS provider.
Verify propagation.

Full WooCommerce REST API guide →Official WooCommerce REST API docs ↗

Does your site have this issue?

Run a free SEOLZ audit to find missing spf — and every other issue — across your whole site in minutes.

Scan my site free

Frequently asked questions

What is Missing spf?

Why does missing spf matter?

How do I fix missing spf?