What is an SPF Record?
An SPF record (Sender Policy Framework) is a DNS TXT record that specifies which mail servers and IP addresses are authorized to send email on behalf of a domain. SPF is a critical email authentication mechanism that helps receiving mail servers verify that incoming messages come from legitimate sources, reducing spam and preventing email spoofing attacks.
SPF Record Syntax
Basic Structure
v=spf1 [mechanisms] [qualifier]all
Common Mechanisms
| Mechanism | Purpose | Example |
|---|---|---|
| ip4 | Authorize IPv4 | ip4:192.0.2.0/24 |
| ip6 | Authorize IPv6 | ip6:2001:db8::/32 |
| a | Domain's A record IPs | a:example.com |
| mx | Domain's MX servers | mx |
| include | Include another SPF | include:_spf.google.com |
Qualifiers
- `+` Pass (default, authorized)
- `-` Fail (unauthorized, reject)
- `~` SoftFail (mark suspicious)
- `?` Neutral (no assertion)
SPF Record Examples
Google Workspace
v=spf1 include:_spf.google.com ~all
Multiple Providers
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 -all
SPF Lookup Limits
SPF allows at most 10 DNS lookups per evaluation:
- Each include, a, and mx counts as 1 lookup
- ip4 and ip6 do NOT count
- Exceeding the limit causes a permanent error (PermError)
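The following added example (not part of the original page) statically counts the lookup-costing terms in a record, following nested include targets, to show how a short-looking record can exceed the limit. It goes beyond the list above by also counting exists, ptr, and redirect, which RFC 7208 includes in the same limit. The `ZONE` dictionary and every domain in it are constructed sample data standing in for DNS TXT queries.

```python
# Added example: count SPF DNS-lookup terms against the 10-lookup limit.
# ZONE is a constructed, in-memory stand-in for DNS TXT lookups.
LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}

ZONE = {  # constructed sample records, not real provider data
    "example.com": "v=spf1 mx include:_spf.mailhost.example include:bulk.example ip4:192.0.2.1 -all",
    "_spf.mailhost.example": "v=spf1 include:_netblocks.mailhost.example include:_netblocks2.mailhost.example ~all",
    "_netblocks.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "bulk.example": "v=spf1 a mx include:a.bulk.example include:b.bulk.example include:c.bulk.example -all",
    "a.bulk.example": "v=spf1 a:out1.bulk.example a:out2.bulk.example -all",
    "b.bulk.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "c.bulk.example": "v=spf1 exists:%{i}.allow.bulk.example -all",
}

def parse_term(term):
    """Split one SPF term into (name, target); the qualifier is dropped."""
    term = term.lstrip("+-~?")
    if term.lower().startswith("redirect="):
        return "redirect", term.split("=", 1)[1]
    name, _, rest = term.partition(":")
    name = name.split("/", 1)[0]  # "a/24" or "mx/24" -> "a", "mx"
    return name.lower(), rest.split("/", 1)[0]

def count_lookups(domain, zone, stack=()):
    """Count lookup-costing terms, following include and redirect targets."""
    if domain in stack:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        name, target = parse_term(term)
        if name in LOOKUP_MECHANISMS or name == "redirect":
            total += 1  # the term itself costs one DNS query
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, stack + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (lookup_count, 'ok' or 'permerror') for a domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")
```

This is a worst-case static count: a receiver stops evaluating at the first matching mechanism, so a given message may trigger fewer queries than the total reported here.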
Best Practices
1. Start with ~all, tighten to -all later
2. Stay under 10 DNS lookups
3. Combine with DKIM and DMARC
4. Test before deploying
SPF is essential for email authentication, protecting your domain from being used in spam and phishing attacks.