What does SPF stand for?

SPF stands for Sender Policy Framework. It is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain.

Where do I add my SPF record?

SPF records are added to your domain's DNS as a TXT record. You add them through your domain registrar or DNS hosting provider's control panel.

Can I have multiple SPF records?

No, you should only have one SPF record per domain. Multiple SPF records cause authentication failures. If you need to authorize multiple sending sources, combine them into a single SPF record.

What is the SPF 10 DNS lookup limit?

SPF allows a maximum of 10 DNS lookups when evaluating your record. Each include, a, mx, ptr, and redirect mechanism counts as a lookup. Exceeding this limit causes SPF to fail with a permerror result.

What Is SPF and How Do I Set It Up?

Email authentication starts with SPF. When Gmail, Yahoo, or Outlook receives an email claiming to be from your domain, the first thing they check is whether the sending server is authorized. SPF provides that authorization list.

We help organizations implement SPF correctly every day, and we consistently see the same issues. This guide covers what SPF actually does, how to build a proper record, and how to avoid the mistakes that cause authentication failures.

How SPF Works

When a receiving mail server gets a message, it looks at two pieces of information: the domain in the Return-Path (envelope sender) and the IP address of the server that delivered the message. SPF verification compares the sending IP against the list of authorized IPs published in the sending domain's DNS.

The process follows these steps:

Receiving server extracts the domain from the Return-Path header
Server queries DNS for the TXT record containing the SPF policy
Server checks if the sending IP matches any authorized source in the record
Server returns a result: pass, fail, softfail, neutral, or permerror

Only a "pass" result confirms that the sender is authorized. Any other result indicates a potential problem with either the message's legitimacy or your SPF configuration.

SPF Record Syntax

An SPF record is a TXT record published at your domain's root. Every SPF record starts with a version declaration and ends with a default policy for unlisted senders.

Basic Structure

v=spf1 [mechanisms] [qualifier]all

The v=spf1 prefix identifies this as an SPF record (version 1 is the only version). The mechanisms in the middle define authorized senders. The all at the end specifies what happens when a sender does not match any mechanism.

Common Mechanisms

ip4: Authorizes a specific IPv4 address or range. Example: ip4:192.0.2.1 or ip4:192.0.2.0/24
ip6: Authorizes a specific IPv6 address or range. Example: ip6:2001:db8::1
include: References another domain's SPF record. Example: include:_spf.google.com
a: Authorizes the IP addresses in your domain's A record
mx: Authorizes the IP addresses of your domain's MX servers

Qualifiers

+ (pass): Authorized sender (default if no qualifier specified)
- (fail): Unauthorized sender, reject the message
~ (softfail): Unauthorized but treat as suspicious rather than rejecting
? (neutral): No assertion about authorization

Building Your SPF Record

Creating an effective SPF record requires identifying all legitimate sources that send email using your domain.

Step 1: Inventory Your Sending Sources

List every system that sends email as your domain:

Your own mail servers
Email service providers for marketing campaigns
Transactional email services
CRM systems that send notifications
Help desk or support ticketing systems
Web applications that send email

Step 2: Gather SPF Include Statements

Each third-party service provides an include statement for their sending infrastructure. Common examples:

include:_spf.google.com       (Google Workspace)
include:amazonses.com         (Amazon SES)
include:spf.protection.outlook.com  (Microsoft 365)

Check your email provider's documentation for their specific SPF include requirement.

Step 3: Construct the Record

Combine your findings into a single record:

v=spf1 ip4:203.0.113.5 include:_spf.google.com include:amazonses.com -all

This record authorizes:

The specific IP address 203.0.113.5 (your mail server)
All servers in Google's SPF record (Google Workspace)
All servers in Amazon SES's SPF record

The -all at the end instructs receivers to reject mail from any other source.

The 10 DNS Lookup Limit

SPF has a hard limit of 10 DNS lookups per evaluation. This limit exists to prevent denial-of-service attacks and excessive DNS traffic. Each of these mechanisms counts as one lookup:

include:
a:
mx:
ptr: (deprecated, avoid using)
redirect=

The ip4: and ip6: mechanisms do not count against this limit because they do not require DNS lookups.

Include Statements Count Recursively

When you use an include statement, any lookups within that included record also count toward your limit. A single include to a service with 3 nested lookups consumes 4 of your 10 allowed lookups.

Staying Under the Limit

When you need to authorize many services:

Use ip4: ranges instead of include statements where possible
Consolidate sending through fewer providers
Use SPF flattening services that resolve includes to IP addresses
Consider using subdomains for different sending purposes

Publishing Your SPF Record

SPF records are published as TXT records in DNS at your domain's root (apex).

DNS Record Details

Record Type: TXT
Host/Name: @ or blank (represents the root domain)
Value: Your complete SPF record
TTL: 3600 seconds (1 hour) is typical

Only One SPF Record Per Domain

A domain must have exactly one SPF record. If you have multiple TXT records containing SPF policies, the lookup returns a permerror and SPF fails entirely. When adding sending sources, modify your existing record rather than creating a new one.

Validating Your SPF Record

After publishing, verify your record works correctly:

Use MXToolbox or similar tools to check your SPF record syntax
Verify the lookup count stays under 10
Send test emails and examine the Authentication-Results header
Check for SPF alignment if you are using DMARC

Look for spf=pass in email headers to confirm proper configuration.

Common SPF Mistakes

Forgetting a Sending Source

The most common issue we see is incomplete SPF records. Marketing adds a new email tool, IT is not informed, and suddenly campaign emails fail SPF. Maintain a central inventory of all email-sending systems and update SPF when anything changes.

Using +all Instead of -all

Never end your SPF record with +all. This authorizes the entire internet to send as your domain, completely defeating the purpose of SPF. Use -all (hard fail) or at minimum ~all (soft fail).

Exceeding the Lookup Limit

Adding too many include statements breaks SPF entirely. Before adding a new service, check your current lookup count. If you are at or near 10, you need to restructure before adding more sources.

Syntax Errors

Missing spaces, typos in mechanism names, or incorrect IP notation cause SPF to fail with a permerror. Always validate your record with an SPF checker before publishing.

SPF and DMARC Alignment

SPF alone verifies the envelope sender (Return-Path), but recipients see the header From address. DMARC requires alignment between these addresses for SPF to contribute to a passing DMARC result.

SPF alignment means the domain in the Return-Path must match (or be a subdomain of) the domain in the visible From header. Without alignment, SPF can pass but DMARC may still fail.

For bulk senders, Gmail and Yahoo require DMARC compliance, which means your SPF must both pass and align correctly.