What Is SPF (Sender Policy Framework)?
SPF is an email authentication protocol that lets domain owners specify which mail servers are authorized to send email on their behalf.
How SPF Works
SPF works through a simple DNS-based mechanism. The domain owner publishes a TXT record in DNS that lists all IP addresses and mail servers authorized to send email for that domain. When a receiving mail server gets an email, it extracts the domain from the envelope sender (Return-Path) and queries DNS for the SPF record. It then checks whether the sending server's IP address matches any of the authorized sources listed in the record.
If the IP matches, the SPF check passes. If it does not match, the result depends on the qualifier attached to the all mechanism at the end of the record: -all (hard fail), ~all (soft fail), or ?all (neutral).
Why SPF Matters
Without SPF, anyone can send email pretending to be from your domain. SPF gives receiving servers a way to verify that the sending server is legitimate. It is one of the three core email authentication protocols (alongside DKIM and DMARC) and is required by major inbox providers like Google and Yahoo for bulk senders.
Limitations of SPF
SPF has two notable limitations. First, it only checks the envelope sender (Return-Path), not the visible From header that users see in their inbox. An attacker can pass SPF with their own domain while spoofing your domain in the From field. Second, SPF breaks during email forwarding because the forwarding server's IP is not in the original domain's SPF record. These limitations are why DKIM and DMARC are also needed.
Frequently Asked Questions
What does an SPF record look like?
An SPF record is a DNS TXT record that starts with v=spf1, lists mechanisms such as include: and ip4:, and ends with an all mechanism carrying a qualifier. For example: v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all
What happens if I don't have an SPF record?
Without an SPF record, any mail server can claim to send email on behalf of your domain. This makes your domain vulnerable to spoofing and can hurt your email deliverability.
Can I have multiple SPF records?
No. You should only have one SPF record per domain. Multiple SPF records cause a PermError. If you need to authorize multiple senders, combine them into a single record using include: mechanisms.