How do I fix weak spf on Webflow?

Webflow hosts sites but does not manage email sending infrastructure, so SPF must be set at your DNS provider. If your DNS is managed inside Webflow: go to Webflow Dashboard → your project → Publishing → Custom Domain → DNS Settings. Add or edit the TXT record for @ with v=spf1 ... -all. If you use an external DNS provider (Cloudflare, Route 53, GoDaddy), log in there and edit the TXT record for your root domain. Include any transactional email services you use (e.g. Postmark, SendGrid) before closing with -all.

How to fix weak spf on Webflow

Add a hard-fail (-all) or soft-fail (~all) mechanism to your SPF DNS record so that mail servers are explicitly told to reject or flag email from senders not listed in your record.

Steps for Webflow

Webflow hosts sites but does not manage email sending infrastructure, so SPF must be set at your DNS provider.
If your DNS is managed inside Webflow: go to Webflow Dashboard → your project → Publishing → Custom Domain → DNS Settings. Add or edit the TXT record for @ with v=spf1 ... -all.
If you use an external DNS provider (Cloudflare, Route 53, GoDaddy), log in there and edit the TXT record for your root domain.
Include any transactional email services you use (e.g. Postmark, SendGrid) before closing with -all.

Official Webflow documentation ↗

; Correct SPF TXT record examples:

; Strict (recommended) — unlisted senders are rejected:
v=spf1 include:_spf.google.com include:sendgrid.net -all

; Soft-fail — unlisted senders are flagged but not hard-rejected:
v=spf1 include:_spf.google.com include:sendgrid.net ~all

; If your record uses redirect=, verify the TARGET record also ends in -all:
; v=spf1 redirect=cf3962es._spf._d.mim.ec
; → look up cf3962es._spf._d.mim.ec and confirm it ends in -all or ~all

What is weak spf?

SPF (Sender Policy Framework) is a DNS record on your domain that tells the world's email servers which computers are allowed to send email on your behalf. It works like a guest list at the door — but right now your record has no "turn away everyone not on the list" instruction at the end. That final instruction is called an "all mechanism" and it must end with either `-all` (hardfail: reject unlisted senders outright) or `~all` (softfail: accept but mark as suspicious). Without it, the record is incomplete and receiving mail servers may treat any server in the world as a valid sender for your domain.

An SPF record without a closing `-all` or `~all` gives spammers and phishers a green light to send email that appears to come from your store's domain. Customers receiving fake order confirmations, password resets, or "shipping delay" scams from your domain name will lose trust in your brand — and there is nothing more damaging to an ecommerce business than customers believing your email is fraudulent. Many large email providers (Gmail, Microsoft 365, Yahoo) use SPF alignment as a key spam-filtering signal, meaning your own legitimate marketing and transactional emails are more likely to land in spam if your SPF record is weak or incomplete. Under regulations like GDPR and CAN-SPAM, allowing domain spoofing can also create indirect legal exposure. Fixing this is one of the fastest, highest-impact security improvements you can make.

See the complete Weak spf guide for every platform and the full background.

Not sure if your Webflow store has this?

Run a free SEOLZ audit — we’ll find weak spf and every other issue across your whole site.

Scan my site free

How to fix weak spf on Webflow

Steps for Webflow

What is weak spf?

Not sure if your Webflow store has this?

Fix weak spf on another platform