How to fix weak spf on WordPress.org

Steps for WordPress.org

1. SPF is set at your DNS/registrar, not in WordPress itself.
2. Log in to your hosting control panel (cPanel → 'Zone Editor' or 'Email Deliverability') or your external DNS provider.
3. Find the TXT record for @ starting with v=spf1.
4. If you use an SMTP plugin (WP Mail SMTP, Fluent SMTP, Easy WP SMTP) connected to SendGrid, Mailgun, Brevo, etc., include that provider's SPF include value before adding -all.
5. Save and test with an SPF checker.

; Correct SPF TXT record examples:

; Strict (recommended) — unlisted senders are rejected:
v=spf1 include:_spf.google.com include:sendgrid.net -all

; Soft-fail — unlisted senders are flagged but not hard-rejected:
v=spf1 include:_spf.google.com include:sendgrid.net ~all

; If your record uses redirect=, verify the TARGET record also ends in -all:
; v=spf1 redirect=cf3962es._spf._d.mim.ec
; → look up cf3962es._spf._d.mim.ec and confirm it ends in -all or ~all

What is weak spf?

SPF (Sender Policy Framework) is a DNS record on your domain that tells the world's email servers which computers are allowed to send email on your behalf. It works like a guest list at the door — but right now your record has no "turn away everyone not on the list" instruction at the end. That final instruction is called an "all mechanism" and it must end with either `-all` (hardfail: reject unlisted senders outright) or `~all` (softfail: accept but mark as suspicious). Without it, the record is incomplete and receiving mail servers may treat any server in the world as a valid sender for your domain.

An SPF record without a closing `-all` or `~all` gives spammers and phishers a green light to send email that appears to come from your store's domain. Customers receiving fake order confirmations, password resets, or "shipping delay" scams from your domain name will lose trust in your brand — and there is nothing more damaging to an ecommerce business than customers believing your email is fraudulent. Many large email providers (Gmail, Microsoft 365, Yahoo) use SPF alignment as a key spam-filtering signal, meaning your own legitimate marketing and transactional emails are more likely to land in spam if your SPF record is weak or incomplete. Under regulations like GDPR and CAN-SPAM, allowing domain spoofing can also create indirect legal exposure. Fixing this is one of the fastest, highest-impact security improvements you can make.

See the complete Weak spf guide for every platform and the full background.