How to fix weak spf on Adobe Commerce (Magento)

Steps for Adobe Commerce (Magento)

1. SPF is a DNS record — it is managed at your DNS/registrar provider, not inside Adobe Commerce's admin panel.
2. Log in to your DNS provider or hosting control panel (cPanel/Plesk DNS Zone Editor).
3. Find the TXT record for @ (root domain) starting with v=spf1.
4. Adobe Commerce typically sends email via your server's mail agent (Sendmail/Postfix) or a third-party SMTP service configured under Stores → Configuration → Advanced → System → Mail Sending Settings. Ensure the sending IP/service is included in the SPF record before appending -all.
5. Example: v=spf1 ip4:YOUR.SERVER.IP include:sendgrid.net -all
6. Save the record and confirm with an SPF lookup tool.

; Correct SPF TXT record examples:

; Strict (recommended) — unlisted senders are rejected:
v=spf1 include:_spf.google.com include:sendgrid.net -all

; Soft-fail — unlisted senders are flagged but not hard-rejected:
v=spf1 include:_spf.google.com include:sendgrid.net ~all

; If your record uses redirect=, verify the TARGET record also ends in -all:
; v=spf1 redirect=cf3962es._spf._d.mim.ec
; → look up cf3962es._spf._d.mim.ec and confirm it ends in -all or ~all

What is weak spf?

SPF (Sender Policy Framework) is a DNS record on your domain that tells the world's email servers which computers are allowed to send email on your behalf. It works like a guest list at the door — but right now your record has no "turn away everyone not on the list" instruction at the end. That final instruction is called an "all mechanism" and it must end with either `-all` (hardfail: reject unlisted senders outright) or `~all` (softfail: accept but mark as suspicious). Without it, the record is incomplete and receiving mail servers may treat any server in the world as a valid sender for your domain.

An SPF record without a closing `-all` or `~all` gives spammers and phishers a green light to send email that appears to come from your store's domain. Customers receiving fake order confirmations, password resets, or "shipping delay" scams from your domain name will lose trust in your brand — and there is nothing more damaging to an ecommerce business than customers believing your email is fraudulent. Many large email providers (Gmail, Microsoft 365, Yahoo) use SPF alignment as a key spam-filtering signal, meaning your own legitimate marketing and transactional emails are more likely to land in spam if your SPF record is weak or incomplete. Under regulations like GDPR and CAN-SPAM, allowing domain spoofing can also create indirect legal exposure. Fixing this is one of the fastest, highest-impact security improvements you can make.

See the complete Weak spf guide for every platform and the full background.