Weak SPF
Quick win
Add a hard-fail (-all) or soft-fail (~all) mechanism to your SPF DNS record so that mail servers are explicitly told to reject or flag email from senders not listed in your record.
What it is
SPF (Sender Policy Framework) is a DNS record on your domain that tells the world's email servers which computers are allowed to send email on your behalf. It works like a guest list at the door — but right now your record has no "turn away everyone not on the list" instruction at the end. That final instruction is called an "all mechanism" and it must end with either `-all` (hardfail: reject unlisted senders outright) or `~all` (softfail: accept but mark as suspicious). Without it, the record is incomplete and receiving mail servers may treat any server in the world as a valid sender for your domain.
Why it matters
An SPF record without a closing `-all` or `~all` gives spammers and phishers a green light to send email that appears to come from your store's domain. Customers receiving fake order confirmations, password resets, or "shipping delay" scams from your domain name will lose trust in your brand — and there is nothing more damaging to an ecommerce business than customers believing your email is fraudulent. Many large email providers (Gmail, Microsoft 365, Yahoo) use SPF alignment as a key spam-filtering signal, meaning your own legitimate marketing and transactional emails are more likely to land in spam if your SPF record is weak or incomplete. Under regulations like GDPR and CAN-SPAM, allowing domain spoofing can also create indirect legal exposure. Fixing this is one of the fastest, highest-impact security improvements you can make.
How to fix it
- Log in to your DNS provider (the registrar or DNS host where your domain's DNS records are managed — e.g. GoDaddy, Cloudflare, Namecheap, Route 53).
- Find the TXT record for your root domain (@) that starts with v=spf1. There should be exactly one SPF record per domain.
- Read the existing record carefully. If it uses a redirect= modifier (e.g. v=spf1 redirect=something._spf.example.com), check whether the target record itself ends in -all or ~all — if it does, your record inherits that policy and may already be covered; if not, you need to add the all mechanism.
- If the record does NOT use redirect=, append -all (recommended for strictest protection) or ~all (softer option, better for domains in transition) to the very end of the record value, separated by a space. Example: v=spf1 include:_spf.google.com include:sendgrid.net -all
- Save the record and allow up to 48 hours for DNS propagation (usually much faster).
- Verify the fix using a free SPF-checking tool (search 'SPF record checker') by entering your domain and confirming the record ends with -all or ~all and returns a valid result.
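One way to script the check from the last step, including the redirect= case described above (an added example, not code from this page or from any particular SPF checker). The `.example` names, the `SAMPLE_TXT` data and the `sample_lookup` resolver are constructed stand-ins for real DNS lookups.

```python
# Constructed TXT data standing in for DNS answers (reserved .example names).
SAMPLE_TXT = {
    "strict.example": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "soft.example": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"],
    "open.example": ["google-site-verification=abc", "v=spf1 include:_spf.google.com"],
    "redir.example": ["v=spf1 redirect=_spf.redir.example"],
    "_spf.redir.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "dup.example": ["v=spf1 include:sendgrid.net -all", "v=spf1 ~all"],
    "plus.example": ["v=spf1 +all"],
    "loop.example": ["v=spf1 redirect=loop.example"],
}

def sample_lookup(domain):
    """Hypothetical resolver: return the TXT strings published at `domain`."""
    return SAMPLE_TXT.get(domain.lower().rstrip("."), [])

def spf_policy(domain, lookup=sample_lookup, depth=0):
    """Return 'hardfail', 'softfail', or 'weak: <reason>' for a domain's SPF record."""
    # Only TXT strings whose first token is v=spf1 are SPF records.
    records = [r for r in lookup(domain) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "weak: no SPF record"
    if len(records) > 1:
        return "weak: multiple SPF records"  # receivers treat this as an error
    redirect = None
    for term in records[0].split()[1:]:
        # A mechanism without a qualifier defaults to "+" (pass).
        qualifier, name = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if name.lower() == "all":
            # The first all mechanism decides what happens to unlisted senders;
            # a redirect= in the same record is ignored.
            return {"-": "hardfail", "~": "softfail"}.get(qualifier, f"weak: {qualifier}all")
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
    if redirect is None:
        return "weak: no all mechanism"
    if depth >= 10:
        return "weak: redirect chain too long"
    return spf_policy(redirect, lookup, depth + 1)  # inherit the target's policy

if __name__ == "__main__":
    for name in sorted(SAMPLE_TXT):
        print(f"{name:20} {spf_policy(name)}")
```

To run it against a live domain, replace `sample_lookup` with a function that returns the domain's TXT strings from your resolver of choice.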
```
; Correct SPF TXT record examples:
; Strict (recommended) — unlisted senders are rejected:
v=spf1 include:_spf.google.com include:sendgrid.net -all
; Soft-fail — unlisted senders are flagged but not hard-rejected:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
; If your record uses redirect=, verify the TARGET record also ends in -all:
; v=spf1 redirect=cf3962es._spf._d.mim.ec
; → look up cf3962es._spf._d.mim.ec and confirm it ends in -all or ~all
```
Fix it on your platform
Pick your platform for the exact steps.
How to fix weak SPF on Shopify
- SPF is a DNS record — it is NOT set inside Shopify's admin. You must edit it at the DNS provider where your domain's nameservers are hosted.
- If you bought your domain through Shopify: go to Shopify Admin → Settings → Domains → click your domain → click 'Manage' → 'DNS Settings'. Find the TXT record starting with v=spf1 and edit it to end with -all or ~all.
- If your domain is hosted elsewhere (GoDaddy, Namecheap, Cloudflare, etc.): log in to that provider's DNS management panel, find the TXT record for @ (root domain) starting with v=spf1, and add -all or ~all at the end.
- Shopify's email sending (order confirmations, etc.) uses its own SPF infrastructure — confirm you have 'include:shops.shopify.com' or 'include:myshopify.com' in your record before closing with -all.
How to fix weak SPF on WooCommerce
- SPF is a DNS record controlled at your domain registrar or DNS host, not inside WordPress or WooCommerce.
- Log in to your hosting control panel (cPanel, Plesk) or DNS provider. Look for a 'DNS Zone Editor' or 'DNS Management' section.
- Find the TXT record for your root domain (@) starting with v=spf1.
- If you send transactional email via an SMTP plugin (e.g. WP Mail SMTP with SendGrid, Mailgun, Brevo), ensure that provider's include: statement is present, then add -all at the end.
- Example final record: v=spf1 include:sendgrid.net include:_spf.google.com -all
How to fix weak SPF on BigCommerce
- SPF is managed at your DNS provider, not inside BigCommerce's control panel.
- Log in to your domain registrar or DNS host (e.g. Cloudflare, GoDaddy).
- Locate the TXT record for @ starting with v=spf1.
- BigCommerce sends transactional email through its own infrastructure — check BigCommerce's official documentation for the current SPF include value to add, then close the record with -all.
- Save and verify propagation with an SPF checker tool.
How to fix weak SPF on Wix
- If your domain is connected through Wix: go to Wix Dashboard → Domains → click your domain → 'Advanced' → 'Manage DNS Records'.
- Find the TXT record with v=spf1 (Wix may have auto-generated one for Wix Email/Google Workspace).
- Edit the record to add -all or ~all at the end of the value. If Wix created a redirect= record, check whether the target record ends in -all; if not, you may need to replace it with a full inline record.
- If your domain is pointed to Wix but DNS is managed externally (e.g. Cloudflare), log in there instead and edit the TXT record.
- Save and allow up to 48 hours for propagation.
How to fix weak SPF on Squarespace
- Go to Squarespace Dashboard → Settings (or Domains panel) → Domains → click your domain → 'DNS Settings'.
- Scroll to the TXT records section. Find the record starting with v=spf1.
- Click the edit (pencil) icon and append -all or ~all to the end of the record value.
- If you use Google Workspace through Squarespace, ensure 'include:_spf.google.com' is present before the closing -all.
- Click Save. Verify with an external SPF checker.
How to fix weak SPF on Webflow
- Webflow hosts sites but does not manage email sending infrastructure, so SPF must be set at your DNS provider.
- If your DNS is managed inside Webflow: go to Webflow Dashboard → your project → Publishing → Custom Domain → DNS Settings. Add or edit the TXT record for @ with v=spf1 ... -all.
- If you use an external DNS provider (Cloudflare, Route 53, GoDaddy), log in there and edit the TXT record for your root domain.
- Include any transactional email services you use (e.g. Postmark, SendGrid) before closing with -all.
How to fix weak SPF on Adobe Commerce (Magento)
- SPF is a DNS record — it is managed at your DNS/registrar provider, not inside Adobe Commerce's admin panel.
- Log in to your DNS provider or hosting control panel (cPanel/Plesk DNS Zone Editor).
- Find the TXT record for @ (root domain) starting with v=spf1.
- Adobe Commerce typically sends email via your server's mail agent (Sendmail/Postfix) or a third-party SMTP service configured under Stores → Configuration → Advanced → System → Mail Sending Settings. Ensure the sending IP/service is included in the SPF record before appending -all.
- Example: v=spf1 ip4:YOUR.SERVER.IP include:sendgrid.net -all
- Save the record and confirm with an SPF lookup tool.
How to fix weak SPF on WordPress.org
- SPF is set at your DNS/registrar, not in WordPress itself.
- Log in to your hosting control panel (cPanel → 'Zone Editor' or 'Email Deliverability') or your external DNS provider.
- Find the TXT record for @ starting with v=spf1.
- If you use an SMTP plugin (WP Mail SMTP, Fluent SMTP, Easy WP SMTP) connected to SendGrid, Mailgun, Brevo, etc., include that provider's SPF include value before adding -all.
- Save and test with an SPF checker.
How to fix weak SPF on PrestaShop
- PrestaShop does not manage DNS. Log in to your domain registrar or hosting DNS panel.
- Find the TXT record for your root domain (@) starting with v=spf1.
- If you send email via your server's native PHP mail or a configured SMTP (set in PrestaShop Back Office → Advanced Parameters → Email), ensure the sending server IP or SMTP relay's include: entry is present.
- Append -all to the end of the record and save.
How to fix weak SPF on OpenCart
- OpenCart does not manage DNS. Edit SPF at your registrar or hosting DNS panel (e.g. cPanel Zone Editor).
- Identify what mail service OpenCart is configured to use: Admin → System → Settings → Mail tab. Include that service's SPF include value in your record.
- Append -all at the end and save.