SPF Validation
Continuous SPF record monitoring with DNS lookup counting and syntax validation.
MailSentinel continuously monitors your SPF records, validates syntax, counts DNS lookups, and alerts you to potential issues.
What is SPF?
Sender Policy Framework (SPF) specifies which IP addresses and servers are authorized to send email for your domain.
SPF Record Structure
A typical SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.168.1.1 -all
Mechanisms
| Mechanism | Description | Example |
|---|---|---|
| include | Include another domain's SPF | include:_spf.google.com |
| ip4 | IPv4 address or range | ip4:192.168.1.0/24 |
| ip6 | IPv6 address or range | ip6:2001:db8::/32 |
| a | Domain's A record | a:mail.example.com |
| mx | Domain's MX records | mx |
| all | Match all (end of record) | -all, ~all |
Qualifiers
| Qualifier | Meaning | Action |
|---|---|---|
| + (default) | Pass | Allow |
| - | Fail | Reject |
| ~ | SoftFail | Accept but mark |
| ? | Neutral | No policy |
MailSentinel SPF Features
DNS Lookup Counting
SPF has a 10 DNS lookup limit. Each include, a, mx, and redirect counts.
MailSentinel tracks your lookups:
| Lookups | Status | Action |
|---|---|---|
| 0-7 | Safe | Room for growth |
| 8-9 | Warning | Plan optimization |
| 10 | At limit | Cannot add more |
| 11+ | Invalid | SPF will fail |
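The counting rule above, as an added example (not MailSentinel's code). It goes slightly beyond the list on this page by also counting ptr and exists, which RFC 7208 section 4.6.4 includes in the limit. The ZONE data is constructed and stands in for live DNS, and the function names are hypothetical.

```python
# Constructed TXT data shaped like the include tree on this page (not live DNS answers).
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net "
                   "include:mailchimp.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mailchimp.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    # Constructed over-limit record: one include plus five more querying terms.
    "overlimit.example": "v=spf1 include:example.com a mx a:mail1.overlimit.example "
                         "a:mail2.overlimit.example exists:%{i}.bl.overlimit.example -all",
    # Constructed include loop.
    "loop.example": "v=spf1 include:loop.example -all",
}

# Terms that cause DNS queries (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, zone, path=frozenset()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    if domain not in zone:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in zone[domain].split()[1:]:
        body = term.lstrip("+-~?")
        sep = "=" if body.lower().startswith("redirect=") else ":"
        name, _, target = body.partition(sep)
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as mx/24
        if name not in LOOKUP_TERMS:
            continue
        total += 1  # the term itself costs one lookup
        if name in ("include", "redirect"):
            total += count_lookups(target.lower(), zone, path | {domain})
    return total


def lookup_status(count):
    """Map a count to the status bands in the table above."""
    if count <= 7:
        return "Safe"
    if count <= 9:
        return "Warning"
    return "At limit" if count == 10 else "Invalid"
```

Nested includes are charged to the record that pulls them in, so a single include can cost several lookups.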
Syntax Validation
We check for common errors:
- Invalid mechanisms
- Duplicate entries
- Missing all mechanism
- Incorrect formatting
Flattening Recommendations
When approaching the lookup limit, we recommend:
- Flattening includes to IP ranges
- Removing unused services
- Using subdomains for different services
Monitoring Dashboard
Record Status
View your current SPF record:
- Raw record value
- Parsed mechanisms
- DNS lookup count
- Validation status
Historical Changes
Track changes over time:
- When records were modified
- What changed
- Who made changes (if DNSSEC enabled)
Include Tree
Visualize your SPF include hierarchy:
example.com
├── include:_spf.google.com (2 lookups)
│   ├── include:_netblocks.google.com
│   └── include:_netblocks2.google.com
├── include:sendgrid.net (1 lookup)
└── include:mailchimp.com (1 lookup)
Common SPF Issues
1. Too Many Lookups
Problem: Exceeding 10 DNS lookups causes SPF to fail.
Solution:
- Flatten includes to IP ranges
- Remove unused services
- Split across subdomains
2. Permissive Policy
Problem: Using +all or ?all provides no protection.
Solution: Use -all (fail) or ~all (softfail) at minimum.
3. Missing Services
Problem: Legitimate service not included, causing failures.
Solution: Add the service's SPF include statement.
4. Duplicate Records
Problem: Multiple SPF records exist (only one allowed).
Solution: Merge into a single record.
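The syntax checks listed under Syntax Validation and the permissive-policy and duplicate-record issues above can be expressed as one linter. This is an added example, not MailSentinel's code; lint_spf is a hypothetical helper, the sample records are constructed, and a record that uses redirect= is assumed not to need its own all mechanism.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# qualifier, name, then an optional ":", "=" or "/" followed by a value
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")


def lint_spf(txt_records):
    """Return findings for one domain's TXT records (hypothetical helper)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    findings = ["multiple SPF records"] if len(spf) > 1 else []
    seen, all_qualifier, has_redirect = set(), None, False
    for term in spf[0].split()[1:]:
        match = TERM.match(term)
        if not match or (match.group(3) in (":", "=") and not match.group(4)):
            findings.append(f"incorrect formatting: {term}")
            continue
        qualifier, name, sep, _ = match.groups()
        name = name.lower()
        if term.lower() in seen:
            findings.append(f"duplicate entry: {term}")
            continue
        seen.add(term.lower())
        if sep == "=":  # modifier; unknown modifiers are ignored by SPF
            has_redirect = has_redirect or name == "redirect"
        elif name not in MECHANISMS:
            findings.append(f"invalid mechanism: {name}")
        elif name == "all":
            all_qualifier = qualifier or "+"  # no qualifier means "+"
    if all_qualifier is None and not has_redirect:
        findings.append("missing all mechanism")
    elif all_qualifier in ("+", "?"):
        findings.append(f"permissive policy: {all_qualifier}all")
    return findings


# Constructed sample records.
GOOD = ["v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.168.1.1 -all"]
BAD = ["v=spf1 include:_spf.google.com include:_spf.google.com ipv4:192.168.1.1 +all",
       "v=spf1 mx -all"]
```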
Setting Up SPF
Step 1: Inventory Your Senders
List all services sending email:
- Email providers (Google, Microsoft)
- Marketing platforms (Mailchimp, HubSpot)
- Transactional email (SendGrid, Postmark)
- Internal applications
Step 2: Gather Include Statements
Each service provides an SPF include:
| Service | Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| Amazon SES | include:amazonses.com |
Step 3: Build Your Record
Combine your includes:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Step 4: Publish and Monitor
- Add the TXT record to your DNS
- Verify in MailSentinel
- Monitor for failures
Alerts
MailSentinel alerts you when:
- DNS lookup count increases
- Record becomes invalid
- New failures detected
- Record is modified
SPF Record Best Practices
1. Use -all for Production
Always end with -all (fail) in production:
v=spf1 include:_spf.google.com -all
Use ~all (softfail) only during testing or transition periods.
2. Monitor DNS Lookup Count
Keep lookups under 10:
- Count each include, a, mx, redirect
- Use MailSentinel to track current count
- Plan ahead before adding new services
3. Document Your Sources
Maintain a list of:
- All sending services
- Their SPF includes
- IP addresses used
- When added/removed
4. Regular Audits
Review quarterly:
- Remove unused services
- Add new services
- Check lookup count
- Verify alignment
5. Test Before Changes
- Use SPF testing tools
- Send test emails
- Check DMARC reports
- Monitor for failures
Common SPF Service Includes
Quick reference for popular services:
| Service | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| Amazon SES | include:amazonses.com |
| Postmark | include:spf.postmarkapp.com |
| Mandrill | include:spf.mandrillapp.com |
| Constant Contact | include:spf.constantcontact.com |
| HubSpot | include:_spf.hubspot.com |
| Salesforce | include:_spf.salesforce.com |
| Zendesk | include:mail.zendesk.com |
SPF Alignment for DMARC
For DMARC to pass, SPF must align:
Relaxed Alignment (Recommended):
- Envelope sender: bounce@mail.yourdomain.com
- From: domain: yourdomain.com
- Passes (subdomain alignment)
Strict Alignment:
- Envelope sender: bounce@yourdomain.com
- From: domain: yourdomain.com
- Passes (exact match)
Misalignment:
- Envelope sender: bounce@otherdomain.com
- From: domain: yourdomain.com
- Fails DMARC
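The three cases above, evaluated in both alignment modes, as an added example (not MailSentinel's code). It checks alignment only, not whether SPF itself passed; PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List, and the function names are hypothetical.

```python
# Constructed stand-in for the Public Suffix List; real checks need the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain):
    """Return the organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: unknown suffixes are one label


def spf_aligned(envelope_sender, from_domain, mode="relaxed"):
    """True if the envelope sender's domain aligns with the From: domain."""
    mail_from = envelope_sender.rsplit("@", 1)[-1].lower().rstrip(".")
    header = from_domain.lower().rstrip(".")
    if mode == "strict":
        return mail_from == header  # exact match only
    return org_domain(mail_from) == org_domain(header)


# The envelope senders from the cases above, all with From: yourdomain.com.
CASES = [
    "bounce@mail.yourdomain.com",
    "bounce@yourdomain.com",
    "bounce@otherdomain.com",
]


def evaluate_cases(from_domain="yourdomain.com"):
    """Return {sender: (relaxed_result, strict_result)} for CASES."""
    return {
        sender: (spf_aligned(sender, from_domain, "relaxed"),
                 spf_aligned(sender, from_domain, "strict"))
        for sender in CASES
    }
```

The subdomain sender aligns in relaxed mode but not in strict mode, which is why a strict policy requires the bounce domain to match the From: domain exactly.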
Next Steps
- DKIM Configuration - Add email signatures
- DMARC Setup - Configure policy
- Alert Configuration - Set up notifications
- SPF Setup Guide - Complete SPF configuration
- Email Delivery Troubleshooting - Fix delivery issues