Your domain is failing SPF authentication, appearing as spf=none in DMARC reports. This means no SPF record was found, causing DMARC to fail and emails to be quarantined or rejected.

The Fix

Follow these steps in order. Start with the first method and proceed to the next if the error persists.

Method 1: Create a Basic SPF Record

This resolves most spf=none errors. Log into your domain's DNS hosting provider (e.g., Cloudflare, GoDaddy, AWS Route 53) and create a new TXT record.

  • Host/Name: @ (or leave blank for the root domain)
  • TTL: 3600
  • Value/Content: Use the appropriate record for your email service:
  • Microsoft 365: v=spf1 include:spf.protection.outlook.com -all
  • Google Workspace: v=spf1 include:_spf.google.com -all
  • General (with your mail server IP): v=spf1 ip4:YOUR.MAIL.SERVER.IP -all

Save the record. DNS changes can take from 5 minutes to 48 hours to propagate, though 15-60 minutes is typical.

If That Doesn't Work: Check for Multiple SPF Records

Only one SPF TXT record is allowed per domain. Multiple records cause a permerror that often appears as none. Use this command to list all TXT records and delete any duplicate v=spf1 entries:

Resolve-DnsName -Name yourdomain.com -Type TXT

If That Doesn't Work: Validate SPF Syntax and Lookups

A record with syntax errors or too many DNS lookups (over 10) can fail. Use an online SPF validator tool. If you exceed the lookup limit, use an SPF flattening service to consolidate the record.

If That Doesn't Work: Investigate DNS Resolution Issues

A temporary DNS failure (temperror) can appear as none. Ensure your domain's DNS is correctly configured and responding. Check for recent changes at your DNS host.

Verify

After applying the fix and waiting for propagation, confirm the spf=none error is resolved.

  1. Query DNS directly:
Resolve-DnsName -Name yourdomain.com -Type TXT | Where-Object {$_.Strings -like "v=spf1*"}

You should see your single, correct SPF record.

  1. Send a test email to a verification service or a colleague at a different organization and request the authentication headers. The Received-SPF result should now show pass or neutral, not none.
  2. Monitor your DMARC aggregate reports (RUA) over the next 24-48 hours. The spf=none results for your domain should disappear.