What is SPF?
SPF (Sender Policy Framework) is an email authentication method that lets a domain owner publish, in DNS, which mail servers are authorized to send email using that domain. A receiving mail server looks up the SPF record for the domain in the envelope sender (the SMTP MAIL FROM, visible to recipients as Return-Path), or the HELO/EHLO hostname when MAIL FROM is empty, and checks whether the connecting IP address is on that list. SPF does not examine the From: header the recipient sees; closing that gap is the job of DMARC alignment.
Why SPF Matters
Without SPF, anyone can send email whose envelope sender carries your domain (spoofing). SPF helps:
- Limit spoofing: Attackers can't easily use your domain as the envelope sender; combined with DMARC, that protection extends to the From: header the recipient sees
- Improve deliverability: Email providers trust authenticated messages
- Protect reputation: Spoofed spam is less able to damage your domain's sending reputation
- Enable DMARC: SPF is a building block for DMARC policies
How SPF Works
1. The domain owner publishes an SPF record as a TXT record at the domain name used as the envelope sender
2. A mail server connects to the receiver and issues MAIL FROM:<user@example.com>
3. The receiver's mail server queries the TXT records for example.com and selects the one beginning with v=spf1
4. It walks the record's mechanisms left to right, testing the connecting IP against each; the first match decides
5. The result is applied: pass, fail, softfail or neutral, plus none (no record), permerror (invalid record, more than one record, or too many DNS lookups) and temperror (DNS failure). What to do with the result is the receiver's local policy; a DMARC policy on the domain is what makes fail actionable
SPF Record Syntax
An SPF record is a TXT record at the domain's own name (the apex, or the subdomain used as the envelope sender) with this format:
v=spf1 [mechanisms] [qualifier]all
Mechanisms are evaluated left to right and the first match decides, so the all term goes last. A single TXT string is limited to 255 characters; longer records must be split into several quoted strings, which the receiver concatenates.
Example SPF Records
Basic (single mail server):
v=spf1 ip4:203.0.113.50 -all
Google Workspace:
v=spf1 include:_spf.google.com ~all
Multiple services:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 -all
SPF Mechanisms
| Mechanism | Description | Example |
|---|---|---|
| ip4 | IPv4 address or range | ip4:203.0.113.0/24 |
| ip6 | IPv6 address or range | ip6:2001:db8::/32 |
| include | Include another domain's SPF | include:_spf.google.com |
| a | A/AAAA record IPs of the named host, or of the current domain when no argument is given | a:mail.example.com |
| mx | IPs of the domain's MX hosts | mx |
| all | Matches every sender; goes last because the first match wins | -all, ~all, ?all |
Qualifiers
| Qualifier | Result | Meaning |
|---|---|---|
| + (default) | Pass | Authorized sender |
| - | Fail | Unauthorized; receivers may reject, though many only mark the message and let DMARC decide |
| ~ | SoftFail | Probably unauthorized, accept but flag |
| ? | Neutral | No policy assertion |
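The evaluation flow in "How SPF Works" and the mechanism and qualifier tables above, as a runnable check_host() evaluator. This is an added example, not code from the page; it resolves names from a constructed in-memory DNS table (example.com, _spf.mailer.example and the other names, and the documentation IP ranges, are made up) and covers ip4, ip6, a, mx, include and all. It does not implement ptr, exists, redirect=, macros or the 10-lookup limit.

```python
"""SPF check_host() evaluator run against a constructed, in-memory DNS table.

Added example, not the page's own code. Every name and record below is
constructed; the IP ranges are documentation ranges (RFC 5737 / RFC 3849).
Not handled: ptr, exists, redirect=, macros, the 10-lookup limit.
"""
import ipaddress

# Constructed DNS fixture: name -> record type -> values.
# Swap in real lookups (e.g. dnspython) to evaluate live domains.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.50 mx include:_spf.mailer.example -all"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["203.0.113.10"]},
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    },
    "twospf.example": {"TXT": ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 mx -all"]},
    "badinclude.example": {"TXT": ["v=spf1 include:nospf.example -all"]},
    "nospf.example": {"TXT": ["site-verification=abc123"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def get_spf_record(domain):
    """Return (record, error). Exactly one v=spf1 TXT record may exist."""
    spf = [t for t in lookup(domain, "TXT")
           if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not spf:
        return None, "none"
    if len(spf) > 1:
        return None, "permerror"  # RFC 7208 s4.5: more than one record
    return spf[0], None


def ip_in(ip, arg, default_prefix):
    """Match ip against an ip4:/ip6: argument; no '/' means a single host."""
    net = arg if "/" in arg else f"{arg}/{default_prefix}"
    try:
        return ip in ipaddress.ip_network(net, strict=False)
    except ValueError:
        return False


def host_ips(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def check_host(ip_text, domain):
    """Evaluate domain's SPF record for the connecting IP; returns the result string."""
    ip = ipaddress.ip_address(ip_text)
    record, err = get_spf_record(domain)
    if err:
        return err
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        qualifier = "+"                         # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip.version == 4 and ip_in(ip, arg, 32)
        elif name == "ip6":
            matched = ip.version == 6 and ip_in(ip, arg, 128)
        elif name == "a":
            matched = ip in host_ips(arg or domain)
        elif name == "mx":
            matched = any(ip in host_ips(mx) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # include matches only when the included record returns pass;
            # fail/softfail/neutral there just means "keep evaluating here"
            sub = check_host(ip_text, arg)
            if sub in ("none", "permerror", "temperror"):
                return "permerror"              # missing/broken include is fatal
            matched = sub == "pass"
        else:
            return "permerror"                  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]        # first match decides
    return "neutral"                            # nothing matched and no all term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.50", "example.com"), ("198.51.100.7", "example.com"),
                    ("192.0.2.1", "example.com"), ("192.0.2.1", "twospf.example")]:
        print(f"{ip} for {dom}: {check_host(ip, dom)}")
```

Note how 192.0.2.1 evaluates for example.com: the included record ends in ~all, which yields softfail inside the include, but an include only matches on pass, so evaluation continues and the outer -all produces fail. An include that points at a name with no SPF record turns the whole evaluation into permerror.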
SPF Implementation Best Practices
Start with SoftFail
When first implementing SPF, use ~all to avoid rejecting legitimate email:
v=spf1 include:_spf.google.com ~all
Transition to Fail
Once confirmed working, switch to -all for strict enforcement:
v=spf1 include:_spf.google.com -all
Keep DNS Lookups Under 10
SPF allows a maximum of 10 DNS-querying terms per evaluation (include, a, mx, ptr, exists and the redirect modifier), counted across every nested include. Exceeding the limit yields permerror: the receiver gets no usable SPF result, and DMARC counts that as a non-pass.
# Counts as DNS lookups:
include:_spf.google.com # 1 (plus nested includes)
a:mail.example.com # 1
mx # 1
# Does NOT count:
ip4:203.0.113.50 # 0
ip6:2001:db8::1 # 0
Only One SPF Record
More than one v=spf1 TXT record at the same name is invalid and evaluates to permerror, so the domain is treated as if it had no usable policy. Combine all mechanisms in one record:
# Wrong - two SPF records
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all
# Correct - combined
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Checking SPF Records
Using dig:
dig +short example.com TXT | grep -i 'v=spf1'
Using DomScan:
curl "https://domscan.net/v1/health?domain=example.com"
# Returns hasSPF status
Online validators: MXToolbox, mail-tester.com
Common SPF Issues
Too Many DNS Lookups
Symptom: SPF permerror
Solution: Drop senders no longer in use, replace include with ip4/ip6 ranges (flattening) for providers whose ranges are stable, or move bulk senders to a dedicated subdomain with its own record. Flattened records go stale when a provider changes its IPs, so re-check them on a schedule
Missing Third-Party Services
Symptom: Legitimate email fails SPF
Solution: Add include/ip4 for all sending services (marketing tools, CRM, etc.)
Overly Permissive SPF
Symptom: Spoofed email passes SPF
Problem: Using +all (every sender passes), ?all, or includes for services that in turn authorize large shared IP pools, so any other customer of that service can pass SPF for your domain
Solution: Audit and restrict authorized senders
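A linter for the issues covered above: the 10-lookup limit (Keep DNS Lookups Under 10), duplicate records (Only One SPF Record) and permissive terminal mechanisms (Overly Permissive SPF). This is an added example, not the page's or any vendor's tool; it runs against a constructed in-memory table of TXT records (good.example, bulk.example, saas1.example and the other names are made up), and spf_records() is the one function to replace with a real TXT lookup to audit live zones.

```python
"""SPF record linter for lookup count, duplicate records and permissive all terms.

Added example, not the page's code. All names and records are constructed;
replace spf_records() with a real TXT lookup to audit live domains.
"""

# Constructed fixture: name -> list of TXT strings.
DNS = {
    "good.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # Fans out through nested includes: 4 own terms + 2 + 3 + 3 = 12 lookups
    "bulk.example": ["v=spf1 a mx include:_spf.mailer.example include:saas1.example -all"],
    "saas1.example": ["v=spf1 include:saas2.example include:saas3.example ~all"],
    "saas2.example": ["v=spf1 include:leaf1.example include:leaf2.example include:leaf3.example ~all"],
    "saas3.example": ["v=spf1 include:leaf4.example include:leaf5.example include:leaf6.example ~all"],
    "twospf.example": ["v=spf1 include:_spf.mailer.example ~all", "v=spf1 ip4:203.0.113.9 ~all"],
    "open.example": ["v=spf1 ip4:203.0.113.0/24 +all"],
}
for i in range(1, 7):                         # leaf records with no further lookups
    DNS[f"leaf{i}.example"] = [f"v=spf1 ip4:192.0.2.{i} -all"]

LIMIT = 10
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


def spf_records(domain):
    """All v=spf1 TXT strings at the name; a correct zone returns exactly one."""
    return [r for r in DNS.get(domain.lower(), [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def terms_of(record):
    """Split a record into (qualifier, name, argument) triples, skipping the version tag."""
    out = []
    for raw in record.split()[1:]:
        qualifier = raw[0] if raw[0] in "+-~?" else "+"
        body = raw.lstrip("+-~?").lower()
        if "=" in body:                        # modifier: redirect=, exp=
            name, _, arg = body.partition("=")
        else:
            name, _, arg = body.partition(":")
        out.append((qualifier, name.split("/")[0], arg))   # drop a/24-style CIDR
    return out


def count_lookups(domain, path=()):
    """Count DNS-querying terms (RFC 7208 s4.6.4) across nested include/redirect."""
    if domain in path:
        return 0                               # include loop; a real evaluator permerrors
    records = spf_records(domain)
    if len(records) != 1:
        return 0
    total = 0
    for _, name, arg in terms_of(records[0]):
        if name in LOOKUP_MECHS or name == "redirect":
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, path + (domain,))
    return total


def audit(domain):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    records = spf_records(domain)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:
        return [f"{len(records)} SPF records published (permerror): merge into one"]
    n = count_lookups(domain)
    if n > LIMIT:
        findings.append(f"{n} DNS lookups, over the limit of {LIMIT} (permerror)")
    terms = terms_of(records[0])
    last = terms[-1] if terms else None
    if last is None or last[1] != "all":
        findings.append("no terminating all mechanism: unmatched senders get neutral")
    elif last[0] == "+":
        findings.append("+all: every sender on the internet passes SPF")
    elif last[0] == "?":
        findings.append("?all: no assertion is made about unlisted senders")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("ptr mechanism is deprecated and slow; replace with ip4/ip6")
    return findings


if __name__ == "__main__":
    for dom in ["good.example", "bulk.example", "twospf.example", "open.example"]:
        print(dom, count_lookups(dom), audit(dom))
```

The lookup counter follows the same path a receiver does: each include costs one lookup itself plus everything inside the record it pulls in, which is why bulk.example reaches 12 even though its own record lists only four querying terms.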
SPF is essential for email authentication but works best combined with DKIM and DMARC for comprehensive protection.