
What is SPF?

By Mailneo Team

SPF (Sender Policy Framework) is a DNS-based email authentication method that lets you publish a list of IP addresses and servers authorized to send email on behalf of your domain. Receiving servers check this record to verify that incoming mail actually came from an approved source.

Why It Matters

SPF is one of the three pillars of email authentication (alongside DKIM and DMARC). Without it, anyone can send email pretending to be your domain — and ISPs have no way to tell the difference. Setting up SPF correctly is table stakes for deliverability. Gmail and Yahoo made SPF (or DKIM) mandatory for all bulk senders starting in February 2024. If you skip it, your emails are going to spam.

How It Works

SPF lives in a TXT record in your domain's DNS. When a receiving server gets an email claiming to be from your domain, it looks up your SPF record and checks whether the sending server's IP is listed. Here's what a typical SPF record looks like:

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 -all

Breaking that down:

  • v=spf1 — Identifies this as an SPF record.
  • include: — References another domain's SPF record (useful when you send through third-party services).
  • ip4: — Directly authorizes a specific IP address.
  • -all — Tells receivers to reject (hard fail) any email from IPs not listed. Use ~all for soft fail during initial setup.

Key Limitations

SPF has some well-known limitations you need to understand:

  • 10 DNS lookup limit — Your SPF record can trigger a maximum of 10 DNS lookups (each include: counts as one, and nested includes count too). Exceed this, and your entire SPF record breaks. This is the most common SPF mistake.
  • Forwarding breaks SPF — When someone forwards your email, the forwarding server's IP won't be in your SPF record, causing a fail. DKIM survives forwarding, which is why you need both.
  • Envelope vs. header From — SPF checks the envelope sender (Return-Path), not the visible "From" address. DMARC bridges this gap with alignment checks.

Common Mistakes

  • Publishing multiple SPF records — you can only have one SPF TXT record per domain. Having two causes both to be invalid.
  • Exceeding the 10 DNS lookup limit — use an SPF flattening tool to stay under the limit if you have many third-party senders.
  • Using +all — this literally authorizes every server on the internet to send as your domain. Never do this.
  • Forgetting to add new ESPs — if you switch to a new email provider and don't update your SPF record, all your mail will fail authentication.
  • Not monitoring SPF failures — use DMARC reporting to see who's failing SPF checks on your domain.
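The first three mistakes above can be checked mechanically. The following is an added example, not code from Mailneo or any SPF tool: a small linter run against a constructed TXT-record map (the ZONE contents and the function names are illustrative assumptions). It goes slightly beyond the page by counting every lookup-costing term defined in RFC 7208, not only include:.

```python
# Constructed sample zone: domain -> TXT strings (illustrative, not real DNS data).
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:esp.example ip4:203.0.113.5 -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "esp.example": ["v=spf1 a mx ip4:203.0.113.64/27 ~all"],
    "dup.example": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 include:esp.example -all"],
    "open.example": ["v=spf1 +all"],
    "big.example": ["v=spf1 " + " ".join("include:s%d.example" % i for i in range(11)) + " -all"],
}
for i in range(11):  # eleven small includes so big.example exceeds the limit
    ZONE["s%d.example" % i] = ["v=spf1 ip4:192.0.2.%d ~all" % i]

LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4

def spf_records(zone, domain):
    """TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, domain, path=()):
    """Count lookup-costing terms, following include:/redirect= recursively."""
    records = spf_records(zone, domain)
    if domain in path or len(records) != 1:  # loop guard / unusable record
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0]  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(zone, target, path + (domain,))
    return total

def lint_spf(zone, domain):
    """Return findings for the mistakes listed above; an empty list means none found."""
    records = spf_records(zone, domain)
    if len(records) != 1:
        return ["expected exactly one SPF record, found %d" % len(records)]
    findings = []
    terms = records[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:  # a bare "all" defaults to "+"
        findings.append("+all authorizes every sender")
    lookups = count_lookups(zone, domain)
    if lookups > LOOKUP_LIMIT:
        findings.append("%d DNS lookups, limit is %d" % (lookups, LOOKUP_LIMIT))
    return findings
```

To run it against a live domain, replace ZONE with the TXT answers returned by your resolver; the nested-include count is the number that usually surprises people.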

Quick Tips

  • Start with ~all (soft fail) while you're setting up, then switch to -all (hard fail) once you've confirmed everything works.
  • Use an SPF record checker tool to validate your record after any change.
  • Audit your SPF record quarterly — remove old services you no longer use to stay under the lookup limit.
  • Always pair SPF with DKIM and DMARC for complete authentication coverage.
