SPF (Sender Policy Framework) is an email authentication method that helps prevent spammers from sending emails on behalf of your domain. It works by publishing a DNS record that specifies which mail servers are authorized to send email for your domain.
Why SPF Matters
Without SPF, anyone can send an email claiming to be from your domain. This is called email spoofing, and it's used in phishing attacks and spam. SPF helps:
- Prevent spoofing: Recipients can verify if an email really came from an authorized server
- Improve deliverability: Emails from domains with SPF are more likely to reach the inbox
- Protect reputation: Makes it much harder for spoofed spam to get your domain blocklisted
- Support DMARC: DMARC passes when either SPF or DKIM passes and aligns with the visible From domain, so a correct SPF record is one of the two ways to satisfy it
How SPF Works
When a mail server receives a message, it looks up the SPF record of the envelope sender's domain (the SMTP MAIL FROM address, not the From header) and evaluates it against the IP address of the connecting server. Here's the process:
- A message arrives with envelope sender user@yourdomain.com
- The receiving server queries the TXT records for yourdomain.com and picks out the one starting with v=spf1
- The server evaluates the record's mechanisms in order, comparing the sending IP against each one
- If a mechanism matches, its qualifier decides the result; an authorized IP gives Pass ✓
- If nothing matches except the final `-all` or `~all`, the result is Fail ✗ or SoftFail (what the receiver then does with the message depends on its own filtering policy and on your DMARC policy)
SPF Record Syntax
An SPF record is a TXT record published at the domain name used in the envelope sender address (for user@yourdomain.com, that is yourdomain.com itself). A domain must have exactly one record starting with v=spf1; two or more is a permanent error. Here's the basic structure:

```
v=spf1 [mechanisms...] [qualifier]all
```
Let's break down a real example:
```
v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all
```
| Part | Meaning |
|---|---|
| `v=spf1` | SPF version (always `v=spf1`) |
| `ip4:192.0.2.0/24` | Allow every IP in this range to send email |
| `include:_spf.google.com` | Evaluate Google's SPF record too; the sender is authorized if it passes there |
| `-all` | Hard fail for every sender not matched above |
SPF Mechanisms
| Mechanism | Description | Example |
|---|---|---|
| `ip4:` | IPv4 address or CIDR range (public addresses only; private ranges like 192.168.0.0/16 are meaningless to a recipient) | `ip4:192.0.2.1` |
| `ip6:` | IPv6 address or CIDR range | `ip6:2001:db8::/32` |
| `a` | A/AAAA records of the current domain, or of the named domain | `a:mail.example.com` |
| `mx` | Addresses of the domain's MX hosts | `mx` |
| `include:` | Evaluate another domain's SPF record; matches only if that record passes | `include:_spf.google.com` |
| `all` | Matches everything; always placed last | `-all` or `~all` |
SPF Qualifiers
| Qualifier | Result | Meaning |
|---|---|---|
| `+` (default) | Pass | Sender is authorized |
| `-` | Hard Fail | Sender is NOT authorized (reject) |
| `~` | Soft Fail | Probably not authorized (accept but mark) |
| `?` | Neutral | No assertion made |
Start with ~all (soft fail) while testing, then switch to -all (hard fail) once you've confirmed all legitimate sources are included.
Common SPF Examples
Google Workspace (Gmail)
```
v=spf1 include:_spf.google.com ~all
```
Microsoft 365
```
v=spf1 include:spf.protection.outlook.com -all
```
Multiple Services
```
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 -all
```
SPF Limitations
SPF evaluation is limited to 10 DNS-querying terms per check. Each `include:`, `a`, `mx`, `ptr`, `exists:` and `redirect=` counts toward the limit, and the terms inside every included record count too, so a chain of includes adds up quickly; `ip4:` and `ip6:` are free. Exceeding the limit is a permanent error (permerror): receivers treat the record as broken, so it no longer protects you even though it looks valid. Use `ip4:`/`ip6:` directly when possible, remove includes for services you no longer use, and recount after every change.
Other limitations:
- SPF checks the envelope sender (MAIL FROM) and the HELO/EHLO hostname, not the visible "From" header that the recipient sees; only DMARC ties the two together
- SPF breaks when email is forwarded or passes through a mailing list, because the forwarding server's IP is not in your record (DKIM survives forwarding, which is one reason to deploy both)
- SPF alone doesn't prevent all spoofing — use it with DKIM and DMARC
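To make the evaluation flow from "How SPF Works" and the lookup limit above concrete, here is a small SPF evaluator written for this page (it is an added example, not code from the original article or from any SPF library). It parses a `v=spf1` record into mechanisms and qualifiers, follows `include:` and `redirect=` through a constructed, offline stand-in for DNS (the domains `example.com`, `_spf.mailer.example` and `loop.example` and their records are invented for the example), returns the RFC 7208 result for a given sending IP, and enforces the 10-lookup limit. Only `ip4:`, `ip6:`, `include:`, `all` and `redirect=` are matched; `a`, `mx`, `ptr` and `exists:` are counted against the limit but never match, since the example does not model A/MX/PTR data.

```python
"""Minimal SPF (RFC 7208) evaluator for illustration; not a full implementation.
Parses v=spf1, follows include:/redirect= via a constructed DNS table, checks an IP."""
import ipaddress

# Constructed stand-in for DNS TXT lookups. These records are invented for the
# example; they are not the real records of any domain.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8::/32 ip4:198.51.100.7 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referential, never resolves
}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup


def parse_record(record):
    """Return ([(qualifier, mechanism, argument), ...], {modifier: value})."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=other.example
            name, _, value = term.partition("=")
            modifiers[name.lower()] = value
            continue
        qualifier = "+"  # no explicit qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms, modifiers


def check_host(ip, domain, dns=DNS_TXT, lookups=None):
    """Evaluate ip against domain's SPF record; return the RFC 7208 result string."""
    lookups = lookups if lookups is not None else [0]  # counter shared across includes
    addr = ipaddress.ip_address(ip)
    record = dns.get(domain)
    if record is None:
        return "none"
    mechanisms, modifiers = parse_record(record)

    def spend_lookup():
        lookups[0] += 1
        return lookups[0] <= MAX_LOOKUPS

    for qualifier, name, arg in mechanisms:
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name in LOOKUP_MECHANISMS:
            if not spend_lookup():
                return "permerror"  # 11th lookup: the whole record is unusable
            if name == "include":
                sub = check_host(ip, arg, dns, lookups)
                if sub in ("permerror", "none"):  # broken or missing included record
                    return "permerror"
                if sub == "pass":  # include matches only when the included record passes
                    return QUALIFIERS[qualifier]
            # a, mx, ptr, exists need A/MX/PTR data this offline example does not model;
            # they are counted against the limit but never match here.
    if "redirect" in modifiers:  # only consulted when no mechanism matched
        if not spend_lookup():
            return "permerror"
        return check_host(ip, modifiers["redirect"], dns, lookups)
    return "neutral"


def count_lookups(domain, dns=DNS_TXT, seen=None):
    """Statically count DNS-querying terms across include:/redirect= chains."""
    seen = seen if seen is not None else set()
    if domain in seen:  # a cycle can never stay under the limit
        return MAX_LOOKUPS + 1
    seen.add(domain)
    record = dns.get(domain)
    if record is None:
        return 0
    mechanisms, modifiers = parse_record(record)
    total = 0
    for _, name, arg in mechanisms:
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, dns, seen)
    if "redirect" in modifiers:
        total += 1 + count_lookups(modifiers["redirect"], dns, seen)
    return total


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "->", check_host(ip, "example.com"))
    print("lookups used by example.com:", count_lookups("example.com"))
```

Two details worth noticing: an `include:` whose record ends in `~all` or `-all` never produces a fail in the parent, it simply does not match and evaluation moves on to the next mechanism, so the parent's own `all` decides the outcome; and `count_lookups` lets you check a candidate record against the 10-lookup limit before publishing it rather than discovering the permerror in recipients' headers.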
Testing Your SPF Record
After setting up SPF, verify that the record is published, that there is exactly one `v=spf1` record, and that it contains every mechanism you intended (DNS changes can take a while to propagate, so query again after your TTL has elapsed):

```bash
# Using dig: +short prints only the TXT data, grep keeps the SPF record
dig +short TXT yourdomain.com | grep -i 'v=spf1'

# Using nslookup
nslookup -type=txt yourdomain.com
```

If the grep prints two lines, you have two SPF records and receivers will return permerror; merge them into one.
Or use our SPF checker tool for a visual analysis with recommendations.