SPF Records Explained: Authorize Your Email Senders
Master SPF (Sender Policy Framework) records to prevent email spoofing. Learn the syntax, common mistakes, and how to configure SPF for multiple sending services.
Author: MailSentinel Team
SPF (Sender Policy Framework) is one of the foundational pillars of email authentication. It tells receiving mail servers which IP addresses and servers are authorized to send email on behalf of your domain.
How SPF Works
When you send an email, the receiving server:
- Looks up your domain's SPF record in DNS
- Checks if the sending server's IP is listed as authorized
- Returns a pass, fail, or neutral result
- Uses this result (along with DKIM and DMARC) to decide what to do with the email
SPF Record Syntax
An SPF record is a TXT record published in your DNS. Here's the anatomy of a typical SPF record:
v=spf1 ip4:192.168.1.1 include:_spf.google.com include:sendgrid.net ~all
Key Components
| Mechanism | Description | Example |
|---|---|---|
| v=spf1 | Version identifier (required) | v=spf1 |
| ip4: | Authorize a specific IPv4 address | ip4:192.168.1.1 |
| ip6: | Authorize a specific IPv6 address | ip6:2001:db8::1 |
| include: | Include another domain's SPF record | include:_spf.google.com |
| a | Authorize the IPs from an A record | a:mail.example.com |
| mx | Authorize the mail exchanger IPs | mx |
| all | Match all (used at the end) | -all or ~all |
Qualifiers
The qualifier prefix determines what happens when a mechanism matches:
| Qualifier | Meaning | Result |
|---|---|---|
| + (default) | Pass | Authorized |
| - | Hard fail | Not authorized |
| ~ | Soft fail | Suspicious, accept but mark |
| ? | Neutral | No opinion |
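As an added example (not code from the original article), here is a small offline SPF evaluator in Python that applies the mechanisms and qualifiers described above the way a receiving server does. It resolves include: against a constructed in-memory table that stands in for DNS; the domains and addresses in that table are invented for illustration. Only ip4, ip6, include and all are modelled, since a, mx and the remaining mechanisms need live DNS.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these records are invented for the example.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip6:2001:db8::1 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_terms(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples, skipping v=spf1."""
    terms = []
    for token in record.split()[1:]:
        qualifier = "+"                      # no prefix means +
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        mechanism, _, value = token.partition(":")
        terms.append((qualifier, mechanism.lower(), value))
    return terms


def check_host(ip, domain, depth=0):
    """Evaluate SPF for sending address `ip` claiming `domain`.

    Returns pass / fail / softfail / neutral / none / permerror, like a receiver would.
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                        # no usable SPF record published
    if depth > 10:
        return "permerror"                   # runaway include chain
    addr = ipaddress.ip_address(ip)
    for qualifier, mechanism, value in parse_terms(record):
        if mechanism in ("ip4", "ip6"):
            try:
                # a bare address is treated as a /32 or /128 network;
                # an IPv4 address never matches an ip6 network and vice versa
                matched = addr in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"           # malformed address in the record
        elif mechanism == "include":
            inner = check_host(ip, value, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"           # include of a missing/broken record is an error
            matched = inner == "pass"        # include only matches when the inner result is pass
        elif mechanism == "all":
            matched = True
        else:
            raise NotImplementedError(f"{mechanism} needs live DNS; not modelled here")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # nothing matched and no all term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "2001:db8::1", "203.0.113.5"):
        print(ip, check_host(ip, "example.com"))
```

Note that the first matching mechanism decides the result, which is why the trailing ~all or -all only applies to senders nothing earlier authorized.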
Building Your SPF Record
Step 1: Inventory Your Sending Sources
List every service that sends email from your domain:
- Google Workspace: include:_spf.google.com
- Microsoft 365: include:spf.protection.outlook.com
- SendGrid: include:sendgrid.net
- Mailchimp: include:servers.mcsv.net
- Amazon SES: include:amazonses.com
- Salesforce: include:_spf.salesforce.com
Step 2: Combine Into One Record
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all
Step 3: Test Before Publishing
Use tools like MXToolbox or MailSentinel to validate your SPF record before making it live.
The 10 DNS Lookup Limit
This is critical: SPF has a limit of 10 DNS lookups per evaluation. Each include:, a, mx, and redirect counts as a lookup (as do the rarely used ptr and exists mechanisms).
What Counts as a Lookup?
| Mechanism | Lookups |
|---|---|
| include: | 1 + nested lookups |
| a | 1 |
| mx | 1 + 1 per MX record |
| redirect | 1 |
| ip4: / ip6: | 0 |
Exceeding the Limit
If your SPF record exceeds 10 lookups:
- Authentication fails with "PermError"
- Your emails may be rejected or marked as spam
- The error is silent - you won't get bounce messages
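The lookup budget is easy to blow through nested include: chains, so here is an added Python example (not from the original article) that walks a record's include and redirect terms and totals the DNS-querying mechanisms the way a receiver counts them. The DNS table is constructed for the example and the provider domains in it are invented; it charges each include, a, mx, ptr, exists and redirect term once, as RFC 7208 does for its 10-term limit, and does not sum the per-MX address lookups that the RFC caps separately.

```python
# Constructed DNS TXT table (invented records, not real providers) used in place of live lookups.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.svc-a.example include:_spf.svc-b.example mx a ip4:192.0.2.0/24 -all",
    "_spf.svc-a.example": "v=spf1 include:_spf1.svc-a.example include:_spf2.svc-a.example ~all",
    "_spf1.svc-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf2.svc-a.example": "v=spf1 a mx -all",
    "_spf.svc-b.example": "v=spf1 include:_spf1.svc-b.example include:_spf2.svc-b.example include:_spf3.svc-b.example -all",
    "_spf1.svc-b.example": "v=spf1 ip4:203.0.113.0/26 -all",
    "_spf2.svc-b.example": "v=spf1 ip4:203.0.113.64/26 -all",
    "_spf3.svc-b.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "lean.example": "v=spf1 include:_spf.svc-b.example ip4:192.0.2.0/24 -all",
}

# Terms that cause a DNS query and therefore count toward the limit (RFC 7208 section 4.6.4);
# ip4:, ip6: and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def count_lookups(domain, path=()):
    """Total DNS-querying terms reachable from domain's record, recursing through include/redirect."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    record = DNS_TXT.get(domain, "")
    total = 0
    for token in record.split()[1:]:          # skip v=spf1
        token = token.lstrip("+-~?")           # qualifiers do not affect the count
        if token.lower().startswith("redirect="):
            mechanism, value = "redirect", token[len("redirect="):]
        else:
            mechanism, _, value = token.partition(":")
            mechanism = mechanism.split("/")[0].lower()   # strip a CIDR suffix such as a/24
        if mechanism in LOOKUP_TERMS:
            total += 1
        if mechanism in ("include", "redirect"):
            total += count_lookups(value, path + (domain,))
    return total


def spf_lookup_status(domain):
    """Mirror the receiver's decision: more than MAX_LOOKUPS lookups is a PermError."""
    n = count_lookups(domain)
    return ("permerror" if n > MAX_LOOKUPS else "ok"), n


if __name__ == "__main__":
    for d in ("example.com", "lean.example"):
        status, n = spf_lookup_status(d)
        print(f"{d}: {n} lookups -> {status}")
```

In the constructed table, example.com itself only lists four lookup terms, yet the nested includes bring the total to 11 and the record fails with PermError; lean.example, which includes only one provider, stays at 4.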
Solutions for Complex SPF Records
1. SPF Flattening
Replace include: mechanisms with the actual IP addresses:
# Before: include:sendgrid.net
# After: ip4:167.89.0.0/16 ip4:208.117.0.0/20
⚠️ Warning: Flattened records require maintenance when providers change IPs.
2. Subdomains for Different Services
Use dedicated subdomains for different email types:
- mail.example.com → Transactional email
- marketing.example.com → Marketing campaigns
- support.example.com → Support tickets
Each subdomain gets its own SPF record with its own 10-lookup budget.
Common SPF Mistakes
1. Multiple SPF Records
You can only have one SPF record per domain. Multiple records cause authentication failures.
# ❌ WRONG - Two separate records
v=spf1 include:_spf.google.com -all
v=spf1 include:sendgrid.net -all
# ✅ CORRECT - Combined into one
v=spf1 include:_spf.google.com include:sendgrid.net -all
2. Using +all
Never use +all - it authorizes anyone to send email as your domain:
# ❌ DANGEROUS
v=spf1 include:_spf.google.com +all
# ✅ SAFE
v=spf1 include:_spf.google.com -all
3. Forgetting the Version Tag
Every SPF record must start with v=spf1:
# ❌ Invalid
include:_spf.google.com -all
# ✅ Valid
v=spf1 include:_spf.google.com -all
4. Not Updating When Adding Services
When you add a new email service, remember to update your SPF record. Use MailSentinel's monitoring to catch unauthorized sending sources.
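The first three mistakes above are all visible from the published TXT records, so they can be caught by a pre-publish lint. This added Python example (not part of the original article) takes the list of TXT records for a domain and flags multiple SPF records, a missing v=spf1 tag, +all, and a record that does not end in an all mechanism. The record sets it is run on are constructed to mirror the mistakes above.

```python
import re

# Tokens that only make sense inside an SPF record; a TXT record built from these
# but lacking the v=spf1 tag is ignored by receivers (mistake 3 above).
SPF_TERM = re.compile(
    r"^[+\-~?]?(all$|include:|ip4:|ip6:|a$|a[:/]|mx$|mx[:/]|exists:|ptr$|ptr:|redirect=)",
    re.IGNORECASE,
)


def lint_spf(txt_records):
    """Check a domain's TXT records for the common SPF mistakes.

    Returns a list of (code, message) findings; an empty list means nothing was flagged.
    """
    findings = []
    spf_records = [r for r in txt_records if r.lower().startswith("v=spf1")]

    # Mistake 3: SPF-looking record with no version tag
    for r in txt_records:
        if r not in spf_records and any(SPF_TERM.match(t) for t in r.split()):
            findings.append(("MISSING_VERSION", f"record lacks v=spf1 and will be ignored: {r!r}"))

    # Mistake 1: exactly one SPF record is allowed
    if not spf_records:
        findings.append(("NO_RECORD", "no v=spf1 record published"))
    elif len(spf_records) > 1:
        findings.append(("MULTIPLE_RECORDS", f"{len(spf_records)} SPF records found; merge them into one"))

    for r in spf_records:
        terms = [t.lower() for t in r.split()[1:]]
        # Mistake 2: +all (or bare all, which defaults to +) authorizes everyone
        if any(t in ("all", "+all") for t in terms):
            findings.append(("PLUS_ALL", "+all authorizes any sender; end with -all instead"))
        last = terms[-1] if terms else ""
        if last not in ("-all", "~all", "?all", "+all", "all") and not last.startswith("redirect="):
            findings.append(("NO_ALL", "record does not end with an all mechanism; append -all"))
        elif last == "~all":
            findings.append(("SOFT_FAIL", "~all only soft-fails; switch to -all once all sources are listed"))
    return findings


if __name__ == "__main__":
    # Constructed TXT record sets mirroring the mistakes above
    for records in (
        ["v=spf1 include:_spf.google.com -all", "v=spf1 include:sendgrid.net -all"],
        ["v=spf1 include:_spf.google.com +all"],
        ["include:_spf.google.com -all"],
        ["v=spf1 include:_spf.google.com include:sendgrid.net -all", "some-verification=abc"],
    ):
        print(records, "->", lint_spf(records))
```

Mistake 4 (a new service that was never added) cannot be seen in the record itself; it shows up only as SPF failures in DMARC aggregate reports, which is what the monitoring mentioned above is for.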
SPF and DMARC Alignment
For DMARC to pass based on SPF, the domain in the Return-Path (envelope sender) must align with the domain in the From header.
Relaxed Alignment (default): Organizational domains must match
- Return-Path: bounce@mail.example.com
- From: hello@example.com
- Result: ✅ PASS
Strict Alignment: Exact domain match required
- Return-Path: bounce@mail.example.com
- From: hello@example.com
- Result: ❌ FAIL
Configure alignment in your DMARC record:
v=DMARC1; p=reject; aspf=r # Relaxed (default)
v=DMARC1; p=reject; aspf=s # Strict
Testing Your SPF Record
Before Publishing
- Use an SPF validator to check syntax
- Count your DNS lookups
- Verify all sending sources are included
After Publishing
Monitor with MailSentinel to:
- Track SPF pass/fail rates
- Identify unauthorized senders
- Get alerts when lookups approach the limit
SPF Best Practices Checklist
- Single SPF record per domain
- Start with v=spf1
- Include all legitimate sending sources
- End with -all (hard fail)
- Stay under 10 DNS lookups
- Test before publishing
- Monitor continuously with DMARC reports
Conclusion
SPF is essential for email authentication, but it's just one piece of the puzzle. Combined with DKIM and DMARC, SPF helps ensure your emails reach the inbox while protecting your domain from spoofing.
Monitor your SPF records with MailSentinel and get instant alerts when issues arise.