SPF: Sender Policy Framework
SPF lists which servers are authorised to send email on behalf of your domain. Receivers check the inbound IP against your SPF record and accept or flag the message accordingly.
TL;DR
- Publishes a DNS TXT record on your domain listing authorised sending IPs.
- Has a hard limit of 10 DNS lookups per record evaluation.
- Doesn't survive forwarding — DKIM is the partner protocol that does.
What it does
SPF answers the question 'is this server allowed to send mail as your domain?' by listing your authorised senders in DNS. Each receiving server resolves your SPF record at receive time and compares the sending IP to the list.
The result is a verdict: pass (IP is in the list), fail (explicitly excluded by -all), softfail (warned but accepted by ~all), or none (no SPF record).
Receivers feed the SPF result into their spam scoring and into DMARC alignment. SPF is the oldest of the three email-auth protocols (introduced 2003) and the easiest to set up.
How it works
- Publish a single TXT record on your domain starting with v=spf1.
- List authorised sources via mechanisms: ip4: for raw IPs, include: for outsourced senders (e.g. include:_spf.google.com for Google Workspace), a/mx for hosts in your A/MX records.
- End with a qualifier on the all mechanism: -all (hard fail), ~all (soft fail), ?all (neutral). Most domains use ~all.
- Receivers resolve the record at every inbound message; the result feeds both spam scoring and DMARC alignment.
Example record
yourdomain.com TXT
Common pitfalls
- Hitting the 10-DNS-lookup limit (RFC 7208). Each include: that itself contains include: counts. Use SPF flattening to inline the IPs and stay under.
- Publishing more than one SPF record per domain. RFC says only the first is honoured; the rest are ignored.
- Using +all (a permissive qualifier that says 'anyone can send as me'). Equivalent to no SPF at all.
- Forgetting that SPF breaks on forwarding. A user forwards your mail to Gmail; the SPF check is now against Gmail's server, not yours, and fails. DKIM survives forwarding; SPF doesn't. DMARC handles this with alignment via DKIM.
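The lookup-limit and +all pitfalls above can be checked offline before a record is published. This is an added example, not PhishFence's code: it walks include: and redirect= chains and counts the terms RFC 7208 charges against the 10-lookup limit. The audit function and the ZONE table of hypothetical example.test names are assumptions made for the illustration.

```python
import re

# Constructed zone data: hypothetical names under example.test, not real records.
ZONE = {
    "example.test": "v=spf1 ip4:192.0.2.10 include:_spf.mail.example.test "
                    "include:_spf.crm.example.test mx ~all",
    "_spf.mail.example.test": "v=spf1 include:_a.mail.example.test "
                              "include:_b.mail.example.test ~all",
    "_a.mail.example.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.example.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example.test": "v=spf1 a:out.crm.example.test "
                             "exists:%{i}.rbl.example.test ~all",
    "sprawl.example.test": "v=spf1 include:example.test "
                           "include:_spf.mail.example.test a mx -all",
    "open.example.test": "v=spf1 ip4:192.0.2.10 +all",
}

# Terms that cost a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10


def audit(domain, zone=ZONE, path=()):
    """Return (lookup_count, warnings) for the SPF record published at domain."""
    if domain in path:
        return 0, [f"include loop via {domain}"]
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"no SPF record at {domain}"]
    count, warnings = 0, []
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?").lower()
        if bare == "all":
            if term[0] not in "-~?":  # "+all" and unqualified "all" both pass
                warnings.append(f"{domain}: all mechanism passes every sender")
            continue
        name, target = re.match(r"([a-z0-9_.-]*)[:=]?([^/]*)", bare).groups()
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, exp and unknown modifiers cost nothing
        count += 1
        if name in ("include", "redirect"):  # nested records add their own cost
            sub, sub_warn = audit(target, zone, path + (domain,))
            count += sub
            warnings += sub_warn
    if not path and count > LIMIT:
        warnings.append(f"{domain}: {count} lookups exceeds limit of {LIMIT}")
    return count, warnings
```

In the sample data, example.test costs 7 lookups although its record shows only three lookup terms, because each nested include: adds its own.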