SPF stands for Sender Policy Framework. It is an email authentication method that helps prevent unauthorized servers from sending email on behalf of your domain.
For example, without SPF, someone could send an email pretending to be an address at your domain even though the message came from a completely unrelated server. SPF helps receiving mail servers detect when that happens.
SPF works through DNS records. A domain owner publishes a list of approved mail servers, and receiving mail providers check whether incoming messages came from one of those approved systems.
SPF is commonly used alongside DKIM and DMARC as part of modern email security.
How SPF Works
SPF uses a DNS TXT record published on your domain.
When a mail server receives an email, it:
- Looks at the envelope sender address (also called MAIL FROM or the return-path)
- Extracts the sending domain from that address
- Retrieves the SPF TXT record for the domain
- Checks whether the sending server's IP address is authorized
If the sending server is listed in the SPF record, the SPF check passes. If not, the check fails.
This process happens automatically in the background whenever an email is received. Most users never see it directly, but mail providers use the result to help decide whether a message is legitimate, suspicious, or spam.
Anatomy of an SPF Record
A typical SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 ~all
Here is what each part means:
| Part | Meaning |
|---|---|
| v=spf1 | Identifies the record as SPF (required) |
| include:_spf.google.com | Authorizes Google's mail servers |
| include:sendgrid.net | Authorizes SendGrid's mail servers |
| ip4:203.0.113.50 | Authorizes a specific IPv4 address |
| ~all | Soft fail for any server not listed above |
SPF Qualifiers
SPF qualifiers control how receiving servers should treat matching results.
| Qualifier | Symbol | Meaning |
|---|---|---|
| Pass | + (default) | Authorized to send email |
| Soft Fail | ~ | Probably not authorized, but still accept |
| Fail | - | Not authorized and should be rejected |
| Neutral | ? | No specific policy |
Most domains start with ~all while testing their configuration. After confirming all legitimate mail systems are included, many administrators switch to -all for stricter enforcement.
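The check described under "How SPF Works", combined with the qualifiers above, can be sketched as follows. This is an added example, not code from the original page: the zone data, domain names and function names are constructed, and only the ip4, ip6, include and all mechanisms are handled (no a, mx, redirect=, macros or lookup limits).

```python
import ipaddress

# Constructed TXT data standing in for DNS (documentation names and addresses).
ZONE = {
    "example.com": "v=spf1 include:_spf.mailhost.example ip4:203.0.113.50 ~all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE):
    """Evaluate the SPF record of `domain` against `ip`; returns a result string."""
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                        # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # mechanisms are tested left to right
        qualifier = "+"                      # "+" is the default qualifier
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            inner = check_host(ip, value, zone)
            if inner in ("none", "permerror"):
                return "permerror"           # broken include target
            matched = inner == "pass"        # only a pass inside the include matches
        else:
            return "permerror"               # mechanism outside this sketch
        if matched:
            return RESULTS[qualifier]        # first matching mechanism decides
    return "neutral"                         # nothing matched and no "all" term


def spf_result(mail_from, client_ip, zone=ZONE):
    """Take the domain of the envelope sender, then check the connecting IP."""
    domain = mail_from.rpartition("@")[2].lower()
    return check_host(client_ip, domain, zone)
```

Note that the `-all` inside the included record does not reject the message on its own: a non-pass result from an include only means that mechanism did not match, and evaluation continues with the next term of the outer record.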
Why SPF Matters for Deliverability
Email providers such as Gmail, Outlook, and Yahoo use SPF as one signal when evaluating incoming mail.
A missing or broken SPF record can increase the chances of messages being flagged as spam or rejected entirely. This becomes especially important for:
- Business email
- Newsletters
- Marketing platforms
- Contact forms
- Transactional email
SPF does not guarantee inbox placement by itself, but it plays an important role in overall email reputation and deliverability.
SPF Limitations
SPF is useful, but it has a few important limitations.
SPF Does Not Protect the Visible From: Address
SPF checks the hidden return-path address used during mail delivery. It does not directly verify the visible From: address users see in their inbox.
Because of this, attackers can sometimes spoof the visible sender while still passing SPF under certain conditions.
This limitation is one of the main reasons DMARC was introduced. DMARC helps ensure the visible sender aligns with authenticated domains.
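A receiver-side check for this gap, as an added example that is not part of the original page: it compares the domain SPF authenticated with the domain shown in From:. The message is constructed, the function names are hypothetical, and the relaxed comparison uses a last-two-labels shortcut where a real DMARC implementation consults the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: SPF passed for the return-path domain, From: shows another.
RAW = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Authentication-Results: mx.receiver.example; spf=pass "
    "smtp.mailfrom=bounce@mailer.example.net\n"
    'From: "Accounts" <billing@example.com>\n'
    "Subject: Invoice\n\nbody\n"
)


def domain_of(header_value):
    """Domain part of the address in a header value, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def org_domain(domain):
    # Simplification (assumption): last two labels; wrong for suffixes like co.uk.
    return ".".join(domain.split(".")[-2:])


def spf_alignment(raw, relaxed=True):
    """Report the SPF result and whether its domain aligns with the From: domain."""
    msg = message_from_string(raw)
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    mail_from = domain_of(msg["Return-Path"])
    visible = domain_of(msg["From"])
    if relaxed:
        aligned = org_domain(mail_from) == org_domain(visible)
    else:
        aligned = mail_from == visible       # strict mode: exact domain match
    return {
        "spf": spf.group(1) if spf else "none",
        "mail_from": mail_from,
        "from": visible,
        "aligned": bool(visible) and aligned,
    }
```

For the constructed message the SPF result is `pass` while `aligned` is false, which is the case SPF alone cannot flag.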
SPF Has a 10 DNS Lookup Limit
SPF evaluation allows a maximum of 10 DNS lookups.
Terms such as the include: mechanism and the redirect= modifier consume DNS lookups. If a record exceeds the limit, SPF evaluation can fail with a permerror.
Large organizations that use many third-party email services often need to simplify or optimize their SPF records to stay within this limit.
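How nested includes add up against the limit, as an added example that is not from the original page: the vendor names and zone contents are constructed, and the counter reports the worst case in which every term is evaluated.

```python
LOOKUP_LIMIT = 10
# Terms that cost a DNS lookup during evaluation; all, ip4 and ip6 cost none.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def build_zone(providers):
    """Constructed zone: example.com includes `providers` vendors, each of which
    nests one further include, and also uses an mx mechanism."""
    includes = " ".join(f"include:spf.vendor{i}.example" for i in range(providers))
    zone = {"example.com": f"v=spf1 {includes} mx ~all"}
    for i in range(providers):
        zone[f"spf.vendor{i}.example"] = f"v=spf1 include:pool.vendor{i}.example -all"
        zone[f"pool.vendor{i}.example"] = f"v=spf1 ip4:198.51.100.{i} -all"
    return zone


def count_lookups(domain, zone, path=()):
    """Count every lookup-consuming term reachable from the record of `domain`."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for term in zone.get(domain, "v=spf1").split()[1:]:
        term = term.lstrip("+-~?").lower()   # the qualifier does not affect cost
        if term.startswith("redirect="):
            target = term[len("redirect="):]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.partition("/")[0]        # "mx/24" carries a CIDR suffix
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":            # nested records count as well
                total += count_lookups(target, zone, path + (domain,))
    return total


def audit(domain, zone):
    """Return (lookup count, 'ok' or 'permerror') for the record of `domain`."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")
```

The top-level record here lists only five includes and one mx, yet the nested includes bring the total to 11, which is why the count has to follow the whole include chain.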
Common SPF Mistakes
Here are some of the most common SPF configuration problems:
- Publishing multiple SPF records instead of one combined record
- Forgetting to include third-party email providers
- Exceeding the 10 DNS lookup limit
- Using -all too early and blocking legitimate mail
- Leaving unused providers in the SPF record permanently
- Typographical errors in include: statements or IP addresses
Even small SPF mistakes can affect deliverability or cause legitimate email to fail authentication checks.
Checking Your SPF Record
You can inspect and validate your SPF record using the SPF & DMARC Checker tool.
A good SPF checker should help you:
- View the raw SPF record
- Resolve nested include: chains
- Count DNS lookups
- Detect syntax problems
- Identify missing or invalid entries
Regularly reviewing your SPF configuration can help prevent deliverability issues and reduce the risk of email spoofing.
Conclusion
SPF is one of the foundational pieces of modern email security. It helps receiving mail providers identify which servers are authorized to send email for your domain.
While SPF alone does not stop every type of phishing or spoofing attack, it significantly improves email authentication and deliverability when configured correctly.
Most domains today use SPF together with DKIM and DMARC to build a stronger email security posture and improve trust with receiving mail providers.