What is SPF?
SPF stands for Sender Policy Framework. It is an email authentication protocol (RFC 7208) that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. The policy is published as a DNS TXT record on the domain.
When a receiving mail server gets a message, it looks up the SPF record for the domain in the MAIL FROM (also called the envelope sender or Return-Path) and checks the connecting server's IP address against the mechanisms in that record. If MAIL FROM is empty, as it is for bounce messages, the HELO/EHLO hostname is used as the identity instead. If no mechanism authorizes the IP, the record's trailing all term decides the result, which is normally fail or softfail.
How Does SPF Work?
The SPF check happens during the SMTP transaction, before the email body is delivered:
- The sending server connects and announces a MAIL FROM address (e.g., bounce@yourdomain.com).
- The receiving server extracts the domain (yourdomain.com) and performs a DNS TXT lookup for that domain's SPF record.
- It evaluates the sending server's IP against the mechanisms in the SPF record from left to right and stops at the first one that matches; that mechanism's qualifier decides the result.
- The result (pass, fail, softfail, neutral, none, or temperror/permerror when the record could not be evaluated) is typically recorded in a Received-SPF or Authentication-Results header and used by spam filters and DMARC evaluation.
Why is SPF Important?
SPF is one of the foundational email authentication protocols. It directly limits which servers can legitimately claim to send email from your domain, reducing the effectiveness of spam and spoofing campaigns that forge your envelope sender address.
SPF alone is not sufficient — it only authenticates the envelope sender, not the visible From: header. This is why SPF works in conjunction with DKIM and DMARC to provide full protection.
SPF Record Syntax
An SPF record is a DNS TXT record on your domain. A typical record looks like:
  v=spf1 include:_spf.google.com include:mxpaw.com ip4:203.0.113.10 -all
Breaking this down:
- v=spf1 — Required. Identifies this as an SPF record; it must be the first token.
- include:_spf.google.com — Authorizes all IPs in Google's published SPF record (used for Google Workspace).
- include:mxpaw.com — Authorizes MXPaw's mail servers.
- ip4:203.0.113.10 — Directly authorizes a specific IPv4 address.
- -all — Hard fail: the domain asserts that any IP not listed above is not authorized, and receivers may reject or quarantine on that basis.
SPF Mechanisms
SPF supports several mechanisms for matching sending IPs, evaluated left to right until one matches:
- ip4: / ip6: — Match a specific IP address or CIDR range (e.g., ip4:192.168.1.0/24). No DNS lookup is needed.
- include: — Evaluate another domain's SPF record and match only if that record returns pass for the sender. A fail, softfail or neutral from the included record does not match, and evaluation continues with the next mechanism. Counts as one DNS lookup, plus whatever lookups the included record itself performs.
- a — Match the A (and AAAA) record(s) of the current domain, or of the domain given as an argument.
- mx — Match the hosts named in the domain's MX record(s). Authorizes your inbound mail servers to also send outbound.
- exists: and ptr — Less common mechanisms; both count as DNS lookups, and RFC 7208 says ptr should not be published.
- all — Matches everything. Placed at the end to define the default result.
- redirect= — A modifier rather than a mechanism: if nothing in this record matched, evaluate the named domain's record in its place and use that result. Counts as one lookup.
Qualifiers: ~all vs -all
Any mechanism can carry a qualifier prefix (+ is assumed when none is written), but the one that matters most is the qualifier on the trailing all, because it defines the result for every sender that nothing earlier matched:
- +all — Pass. Authorizes any IP. Never use this; it defeats the purpose of SPF.
- ~all — Softfail. IPs not listed are marked as suspicious but not outright rejected. Used during testing or when you're not sure of all senders.
- -all — Hard fail. IPs not listed are declared unauthorized; receivers may reject or quarantine, and DMARC treats the result as an SPF failure. Use this in production once your record is complete.
- ?all — Neutral. No assertion made. Receivers treat it the same as having no SPF record at all.
For production use, -all is the recommended qualifier once you have confirmed all sending sources are listed.
The 10 DNS Lookup Limit
SPF has a hard limit of 10 DNS-querying terms during evaluation. Each include:, a, mx, ptr, exists, and redirect= counts as one, whether or not it matches, and the lookups performed inside an included record are charged against the same budget. ip4: and ip6: do not count. RFC 7208 section 4.6.4 adds two related limits: an mx or ptr term may resolve at most 10 names, and more than two lookups that return no answer (void lookups) also yield permerror.
Exceeding the limit causes a permerror result. A permerror is not a pass, so DMARC cannot use SPF to authenticate the message, and some receivers treat it as a failure. Because the count is taken as evaluation proceeds, a record can stay under the limit for senders matched by an early mechanism and exceed it for senders that fall through to later ones, so audit the worst case. This is a common problem for organizations that use many third-party email services (CRM, support, transactional email, marketing, etc.).
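The evaluation procedure, the mechanisms and qualifiers, and the lookup limit described in the sections above can be seen working together in the following minimal SPF evaluator. This is an added example written for this page, not code from the page's author or from any SPF library; it runs against a constructed in-memory DNS zone (the domains, records and addresses in FAKE_DNS are illustrative and are assumptions, not the real records of any domain), and it does not model ptr, exists, macros or the dual-CIDR suffix on a and mx.

```python
import ipaddress

# Constructed fake DNS zone for the demo (assumption: these names, records and
# addresses are illustrative; they are not the real records of any domain).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.mailer.example ip4:203.0.113.10 mx -all"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 ~all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["203.0.113.25"],
    ("twice.example", "TXT"): ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 mx -all"],  # two records
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],                 # include loop
}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised for the conditions RFC 7208 maps to the permerror result."""


def dns(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's single SPF record; None if absent, PermError if there are several."""
    records = [r for r in dns(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise PermError(f"{domain}: {len(records)} SPF records")
    return records[0] if records else None


def host_addrs(name):
    return [ipaddress.ip_address(a) for a in dns(name, "A") + dns(name, "AAAA")]


def check_host(ip, domain, state):
    """Evaluate <domain>'s record for sender <ip>; state['lookups'] is shared across include/redirect."""
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:            # a modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                             # '+' is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("include", "a", "mx", "ptr", "exists"):
            state["lookups"] += 1                   # counted whether or not the term matches
            if state["lookups"] > MAX_LOOKUPS:
                raise PermError(f"more than {MAX_LOOKUPS} DNS-querying terms")
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)  # False across IP versions
        elif name == "a":
            matched = addr in host_addrs(arg or domain)
        elif name == "mx":
            matched = any(addr in host_addrs(mx) for mx in dns(arg or domain, "MX"))
        elif name == "include":
            inner = check_host(ip, arg, state)
            if inner == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = inner == "pass"               # only 'pass' from the included record matches
        elif name == "all":
            matched = True
        else:
            matched = False                         # ptr/exists are not modelled in this zone
        if matched:
            return QUALIFIERS[qualifier]            # first match wins
    if redirect:                                    # consulted only when nothing matched
        state["lookups"] += 1
        if state["lookups"] > MAX_LOOKUPS:
            raise PermError(f"more than {MAX_LOOKUPS} DNS-querying terms")
        return check_host(ip, redirect, state)
    return "neutral"                                # no all term: RFC 7208 default


def evaluate(ip, mail_from_domain):
    """Top-level SPF check: returns pass/fail/softfail/neutral/none/permerror."""
    try:
        return check_host(ip, mail_from_domain, {"lookups": 0})
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "example.com"), ("203.0.113.25", "example.com"),
                    ("192.0.2.5", "example.com"), ("192.0.2.5", "twice.example"),
                    ("192.0.2.5", "loop.example"), ("192.0.2.5", "nothere.example")]:
        print(f"{dom:20} {ip:15} -> {evaluate(ip, dom)}")
```

Two details worth noticing: the softfail produced by the included _spf.mailer.example record does not propagate to example.com (an include only matches on pass, so evaluation moves on to ip4 and mx), and the self-including loop.example record never loops forever because the shared lookup counter turns it into permerror after the tenth lookup.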
Common Issues
- Too many DNS lookups — Each include: statement resolves the referenced domain's SPF record, which may itself include other records. Audit your record with SPF validation tools regularly, counting the worst case in which no mechanism matches before the end of the record.
- SPF flattening — One solution to the lookup limit is to replace include: entries with the resolved IP ranges directly. This requires ongoing maintenance as providers change their IP ranges, and a provider's bare a or mx term must be rewritten as a:provider-domain or mx:provider-domain, because once it is copied into your record it would otherwise refer to your domain instead.
- Multiple SPF records — A domain can only have one SPF TXT record. If you have two, the SPF check fails with a permerror. Merge them into a single record.
- Forgetting subdomains — SPF records apply only to the exact domain queried; nothing is inherited from the parent domain. If you send with a MAIL FROM of mail.yourdomain.com, that subdomain needs its own SPF record, and a subdomain that never sends mail should publish v=spf1 -all so that it cannot be spoofed.
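The audit and flattening steps in the list above, and the lookup counting discussed in the FAQ below, can be carried out with the following small tool. It is an added example written for this page, not code from the page's author or from any SPF product; it works on a constructed in-memory set of TXT records (the domains and prefixes in FAKE_TXT are assumptions, not real vendor records), counts the worst-case lookup total across the whole include tree, flags multiple records and +all, and rewrites the top-level record with its includes flattened to the terms that could actually produce a pass.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed fake zone (assumption: illustrative domains and prefixes, not real vendor records).
FAKE_TXT = {
    "yourdomain.com": ["v=spf1 include:_spf.crm.example include:_spf.helpdesk.example "
                       "include:_spf.news.example mx -all"],
    "_spf.crm.example": ["v=spf1 include:a.crm.example include:b.crm.example ~all"],
    "a.crm.example": ["v=spf1 ip4:198.51.100.0/26 -all"],
    "b.crm.example": ["v=spf1 ip4:198.51.100.64/26 ip6:2001:db8:1::/48 -all"],
    "_spf.helpdesk.example": ["v=spf1 include:eu.helpdesk.example include:us.helpdesk.example "
                              "include:ap.helpdesk.example ~all"],
    "eu.helpdesk.example": ["v=spf1 ip4:203.0.113.0/28 -all"],
    "us.helpdesk.example": ["v=spf1 ip4:203.0.113.16/28 -all"],
    "ap.helpdesk.example": ["v=spf1 ip4:203.0.113.32/28 -all"],
    "_spf.news.example": ["v=spf1 include:x.news.example a ~all"],  # bare 'a' = this vendor's A record
    "x.news.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "twice.example": ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 mx -all"],
    "sloppy.example": ["v=spf1 mx +all"],
}


def spf_records(domain):
    return [r for r in FAKE_TXT.get(domain.lower(), []) if r.lower().split(" ", 1)[0] == "v=spf1"]


def parse(record):
    """Yield (qualifier, name, argument) per term; modifiers (redirect=, exp=) get qualifier None."""
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            key, _, value = term.partition("=")
            yield None, key.lower(), value
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        yield qualifier, name.lower(), arg


def lookups_in(record):
    """DNS-querying terms in one record, without following includes."""
    return sum(1 for _, name, _ in parse(record) if name in LOOKUP_TERMS)


def audit(domain, findings=None, depth=0):
    """Worst-case lookup total across the include tree, plus a list of problems found."""
    findings = [] if findings is None else findings
    records = spf_records(domain)
    if len(records) != 1:
        findings.append(f"{domain}: {len(records)} SPF records (must be exactly one)")
        return 0, findings
    if depth > MAX_LOOKUPS:
        findings.append(f"{domain}: include/redirect chain too deep (loop?)")
        return 0, findings
    total = lookups_in(records[0])
    for qualifier, name, arg in parse(records[0]):
        if name in ("include", "redirect"):
            total += audit(arg, findings, depth + 1)[0]
        elif name == "all" and qualifier == "+":
            findings.append(f"{domain}: +all authorizes every sender")
    if depth == 0 and total > MAX_LOOKUPS:
        findings.append(f"{domain}: {total} lookups exceeds the limit of {MAX_LOOKUPS}")
    return total, findings


def pass_terms(domain):
    """Terms of an included record that can make it return 'pass': '+' mechanisms only, never 'all'."""
    terms = []
    for qualifier, name, arg in parse(spf_records(domain)[0]):
        if name in ("include", "redirect"):
            terms += pass_terms(arg)
        elif name == "all":
            if qualifier == "+":
                raise ValueError(f"{domain}: +all inside an include cannot be flattened safely")
        elif qualifier == "+" and name in ("a", "mx", "ptr"):
            terms.append(f"{name}:{arg or domain}")   # bare a/mx/ptr refer to the included domain
        elif qualifier == "+":
            terms.append(f"{name}:{arg}")
        # '-', '~' and '?' terms never make an include match, so they are dropped
    return terms


def flatten(domain):
    """Rewrite the top-level record with every include: replaced by the terms it resolves to."""
    out = ["v=spf1"]
    for qualifier, name, arg in parse(spf_records(domain)[0]):
        if name == "include":
            out += pass_terms(arg)
        elif qualifier is None:
            out.append(f"{name}={arg}")
        else:
            out.append(("" if qualifier == "+" else qualifier) + name + (f":{arg}" if arg else ""))
    return " ".join(out)


if __name__ == "__main__":
    for dom in ("yourdomain.com", "twice.example", "sloppy.example"):
        total, findings = audit(dom)
        print(f"{dom}: {total} lookups; findings: {findings or 'none'}")
    flat = flatten("yourdomain.com")
    print(f"flattened ({lookups_in(flat)} lookups): {flat}")
```

The flattened record keeps the top-level mx and -all exactly as written, turns the vendor's bare a into a:_spf.news.example so it still points at the vendor's host, and drops the vendors' own ~all and -all terms, which could never have produced a pass through an include. The price is the one the text warns about: every ip4/ip6 prefix copied in this way has to be re-resolved whenever a provider changes its ranges.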
Frequently Asked Questions
Does SPF protect the visible From: address?
No. SPF only authenticates the envelope sender (the MAIL FROM / Return-Path address used during SMTP). The visible From: header that recipients see is not checked by SPF. This is why DMARC's alignment requirement is critical — it ties SPF authentication back to the From: domain.
Can I have multiple include: entries in one SPF record?
Yes, but each include: counts toward the 10-lookup limit, and each referenced record may itself use more lookups. Keep track of your total lookup count. Use ip4: / ip6: where possible since they don't use lookups.
What happens if I have no SPF record?
Receiving servers will return a none result for SPF, meaning no assertion can be made. This won't immediately cause your email to be blocked, but it weakens your authentication posture, hurts DMARC enforcement, and may impact deliverability with spam filters.