What is SPF?
SPF (Sender Policy Framework) is an email authentication protocol defined in RFC 7208. It works by publishing a DNS TXT record under your domain listing every IP address or hostname allowed to send mail "from" that domain. When a receiving mail server gets a message claiming to be from you, it queries your DNS to verify whether the sending server's IP is on your approved list.
Without SPF, anyone can forge the return-path (envelope From) of an email and make it appear to come from your domain — a technique commonly used in phishing and spam campaigns.
Why do you need SPF?
1Prevents spoofing
Stops bad actors forging your domain as the sending address
2Improves deliverability
Receiving servers trust authorized senders and reduce spam scores
3Required for DMARC
SPF is one of two mechanisms DMARC relies on for alignment
4Reputation protection
Unauthorized senders can't damage your domain's sending reputation
How SPF works — step by step
You publish a TXT record at `_your-domain.com` listing authorized IPs and includes.
Your mail server sends an email; the envelope "From" address carries your domain.
The receiving server extracts the sending IP and the envelope From domain.
It queries your DNS for the SPF record and checks if the sending IP is listed.
Result is `pass`, `fail`, `softfail`, `neutral`, or `permerror` — used in spam filtering decisions.
SPF record syntax
v=spf1 ip4:203.0.113.10 include:_spf.google.com include:sendgrid.net -allMechanism breakdown
v=spf1— version, always firstip4:— authorize an IPv4 address/rangeip6:— authorize an IPv6 address/rangeinclude:— inherit another domain's SPFa— authorize the domain's A record IPmx— authorize the domain's MX serversredirect=— delegate to another domain's full SPFQualifiers (prefix each mechanism)
+ (default)Pass — authorized-Fail — reject unauthorized senders~SoftFail — mark as suspicious, don't reject?Neutral — no assertionCommon SPF failures and fixes
Too many DNS lookups
Flatten your SPF record by replacing includes with raw IPs, or use an SPF flattening service
Missing a sending service
Add the service's include: tag (e.g. Mailchimp, Zendesk) to your SPF record
Multiple SPF records
Only ONE TXT record with v=spf1 is allowed — merge them into a single record
Forwarded emails
SPF breaks on forwarding because the forwarding server's IP isn't in your list — DKIM solves this
Frequently Asked Questions
An SPF (Sender Policy Framework) record is a TXT entry in your DNS that lists all IP addresses and domains authorized to send email on your behalf. By defining your authorized senders, you prevent spammers from using your domain for phishing, which protects your domain's reputation and ensures your legitimate emails reach the inbox.
SPF records have a strict limit of 10 DNS lookups to prevent 'denial of service' attacks on DNS servers. Every 'include', 'a', 'mx', 'ptr', and 'exists' mechanism counts toward this limit. If you exceed 10, your SPF record will fail (PermError). You can avoid this by 'flattening' your record, using IP addresses instead of hostnames, or removing outdated services.
The '~all' mechanism (SoftFail) suggests that if an email fails SPF, it should be accepted but marked as suspicious or moved to spam. The '-all' mechanism (Fail) is a stricter instruction telling servers to reject the email entirely if it doesn't originate from an authorized source. Most experts recommend starting with '~all' and moving to '-all' once your setup is verified.
A 'PermError' (Permanent Error) usually occurs when your SPF record is syntactically incorrect or exceeds the 10-lookup limit. Common syntax errors include having multiple SPF records, using invalid mechanisms, or having typos in IP ranges. Our SPF checker identifies these specific errors so you can fix them immediately.
No, a domain must have exactly one SPF record starting with 'v=spf1'. Having multiple SPF records will cause an automatic failure (PermError) at most receiving servers. If you need to authorize multiple services, you must merge them into a single string of mechanisms within one record.
SPF allows a maximum of 10 DNS lookups, and include mechanisms for providers like Google or SendGrid each add to that count. Reduce them by replacing some includes with direct ip4 or ip6 entries, removing unused senders, or using SPF flattening to consolidate lookups into fewer entries.