What is SPF?
SPF (Sender Policy Framework) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. It works by publishing a DNS TXT record that lists approved sending IP addresses and services, allowing receiving mail servers to verify whether incoming email is from a legitimate source.
How SPF Works
When an email is sent, the receiving server:
- Looks up your domain's SPF record in DNS
- Checks if the sending server's IP address is listed
- Returns a pass or fail result based on the match
SPF is one of the two authentication mechanisms that DMARC relies on (the other being DKIM).
SPF Record Format
An SPF record is a DNS TXT record that looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 -all
Breaking Down the Components
| Component | Meaning |
|---|---|
| v=spf1 | SPF version (always spf1) |
| include: | Authorize another domain's SPF record |
| ip4: | Authorize a specific IPv4 address |
| ip6: | Authorize a specific IPv6 address |
| a | Authorize the domain's A record IP |
| mx | Authorize the domain's mail server IPs |
| -all | Fail all other senders (strict) |
| ~all | Soft fail other senders (lenient) |
| ?all | Neutral on other senders |
SPF Authentication Results
SPF checks can return several results:
- Pass — The sender is authorized
- Fail — The sender is not authorized (with -all)
- SoftFail — The sender is not authorized but shouldn't be rejected (with ~all)
- Neutral — No assertion about the sender (with ?all)
- None — No SPF record exists
- TempError — Temporary failure (DNS timeout, etc.)
- PermError — Permanent error (invalid SPF record)
SPF Alignment with DMARC
For DMARC purposes, SPF must also be "aligned" — meaning the domain in the SPF check (the Return-Path domain) must match the domain in the "From" header. Alignment can be:
- Strict — Exact domain match required
- Relaxed — Subdomain matches are allowed (default)
Common SPF Mistakes
Too Many DNS Lookups
SPF has a limit of 10 DNS lookups. Each include:, a, mx, and redirect counts as one lookup. Exceeding this limit causes SPF to return a permanent error.
Solution: Use IP addresses directly, flatten includes, or move some senders to subdomains.
Missing Sending Services
Forgetting to include a legitimate sending service causes those emails to fail SPF authentication.
Solution: Audit all services that send email for your domain and include them in your SPF record.
Using +all
The +all mechanism passes all senders, defeating the purpose of SPF entirely.
Solution: Use -all (hard fail) or ~all (soft fail) instead.
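As an added example (not code from the original article), a small Python checker that parses a record into its terms, counts the lookup-consuming mechanisms against the limit of 10, flags +all and a missing terminal all, and evaluates a sender IP against the literal ip4/ip6 terms. It assumes no DNS access, so include, a, mx and the other lookup mechanisms are skipped and reported as "unknown" rather than resolved.

```python
import ipaddress
# Terms costing a DNS lookup (RFC 7208 s.4.6.4): include, a, mx, redirect, plus exists and ptr.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a TXT record into (qualifier, name, value) terms; '+' is implied."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:           # modifier, e.g. redirect=example.net
            name, value = term.split("=", 1)
        elif ":" in term:         # mechanism with argument, e.g. ip4:192.0.2.1
            name, value = term.split(":", 1)
        else:                     # bare mechanism: a, mx, all
            name, value = term, ""
        terms.append((qualifier, name.lower(), value))
    return terms

def lint_spf(record):
    """Flag the mistakes described above: >10 lookups, +all, no terminal 'all'."""
    terms = parse_spf(record)
    findings = []
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"permerror: {lookups} DNS lookups (limit is 10)")
    if any(q == "+" and name == "all" for q, name, _ in terms):
        findings.append("+all authorizes every sender")
    if not any(name in ("all", "redirect") for _, name, _ in terms):
        findings.append("no 'all' term: unlisted senders get neutral")
    return findings

def check_ip(record, sender_ip):
    """First matching ip4/ip6 term wins (RFC 7208 s.4.6.2). Terms that need DNS are
    skipped, so the result is 'unknown' if one appears and no literal IP matched."""
    ip = ipaddress.ip_address(sender_ip)
    needs_dns = False
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if name in LOOKUP_TERMS:
            needs_dns = True
        elif name == "all":
            return "unknown" if needs_dns else QUALIFIER_RESULT[qualifier]
    return "unknown" if needs_dns else "neutral"
```

Running lint_spf over the example record from the "SPF Record Format" section returns no findings, while a record with eleven include terms reports the permanent error described above.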
SPF Best Practices
- Start with ~all — Use soft fail while testing your configuration
- Include all senders — Document every service that sends email for your domain
- Monitor results — Use DMARC reports to identify missing sources
- Stay under 10 lookups — Optimize your record to avoid the DNS lookup limit
- Move to -all — Once confident, switch to hard fail for maximum protection
Common Service SPF Includes
| Service | Include Statement |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| Amazon SES | include:amazonses.com |
| Salesforce | include:_spf.salesforce.com |
Next Steps
- Learn about DKIM, the other authentication mechanism DMARC uses
- Understand how alignment modes affect SPF and DMARC
- Troubleshoot problems with our Common SPF Issues guide
- Check your SPF record with our free SPF Checker