SPF: Sender Policy Framework
SPF lists which servers are authorised to send email on behalf of your domain. Receivers check the inbound IP against your SPF record and accept or flag the message accordingly.
TL;DR
1. Publishes a DNS TXT record on your domain listing authorised sending IPs.
2. Has a hard limit of 10 DNS lookups per record evaluation.
3. Doesn't survive forwarding. DKIM is the partner protocol that does.
Watch
What an SPF record is, how receivers check it, and why the ~all rule matters.
Every include: resolves at receive time. ESPs that nest includes can blow past 10 fast. Flatten with SPF Flattener if you hit the cap.
What it does
SPF answers the question 'is this server allowed to send mail as your domain?' by listing your authorised senders in DNS. Each receiving server resolves your SPF record at receive time and compares the sending IP to the list.
The result is a verdict: pass (IP is in the list), fail (explicitly excluded by -all), softfail (warned but accepted by ~all), or none (no SPF record).
Receivers feed the SPF result into their spam scoring and into DMARC alignment. SPF is the oldest of the three email-auth protocols (introduced 2003) and the easiest to set up.
How it works
1. Publish a single TXT record on your domain starting with v=spf1.
2. List authorised sources via mechanisms: ip4: for raw IPs, include: for outsourced senders (e.g. include:_spf.google.com for Google Workspace), a/mx for hosts in your A/MX records.
3. End with a qualifier on the all mechanism: -all (hard fail), ~all (soft fail), ?all (neutral). Use ~all while you are still discovering senders, then tighten to -all once every legitimate source is listed. -all is the recommended enforcement end state; ~all leaves SPF effectively unenforced because receivers still accept unlisted senders.
4. Receivers resolve the record at every inbound message; the result feeds both spam scoring and DMARC alignment.
Example record
Common pitfalls
- Hitting the 10-DNS-lookup limit (RFC 7208). Every include: counts, including those nested inside another include:. Use SPF flattening to inline the IPs and stay under.
- Publishing more than one SPF record per domain. RFC says only the first is honoured; the rest are ignored.
- Using +all (a permissive qualifier that says 'anyone can send as me'). Equivalent to no SPF at all.
- Forgetting that SPF breaks on forwarding. When a user forwards your mail to gmail, gmail's SPF check runs against the forwarding server's IP, not yours, so it fails. DKIM survives forwarding; SPF doesn't. DMARC handles this with alignment via DKIM.