What is SPF? Sender Policy Framework Explained

SPF Sender Policy Framework

SPF (Sender Policy Framework) is an email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. It's the first line of defense against email spoofing and a requirement for proper email deliverability.

Think of SPF as a guest list for your domain. When an email claims to be from you, receiving servers check this list to verify the sending server has permission to use your domain name.

What is SPF?

SPF stands for Sender Policy Framework. It works by publishing a DNS record that lists all IP addresses and services authorized to send email for your domain.

When someone receives an email claiming to be from @yourdomain.com, their mail server:

  1. Looks up your domain's SPF record in DNS
  2. Checks if the sending server's IP address is on the authorized list
  3. Passes or fails the email based on this check

Why SPF Matters

Preventing Spoofing

Without SPF, anyone can send email claiming to be from your domain. Spammers and phishers regularly exploit this to:

  • Send scam emails appearing to come from trusted brands
  • Impersonate companies in phishing attacks
  • Damage domain reputation through spam complaints

SPF makes this significantly harder by allowing receiving servers to verify sender authorization.

Improving Deliverability

Email providers use SPF as a key trust signal:

  • Emails passing SPF are more likely to reach the inbox
  • SPF helps establish sender reputation
  • Google and Yahoo require SPF for all senders

Foundation for DMARC

SPF is one of two protocols (along with DKIM) that DMARC builds upon. You need SPF configured correctly for DMARC to work.

How SPF Works

The SPF Record

An SPF record is a TXT record in your domain's DNS that specifies authorized senders. Here's an example:

v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:203.0.113.1 -all

SPF Check Process

  1. Email is sent from a mail server to a recipient
  2. Recipient's server extracts the domain from the MAIL FROM (envelope sender)
  3. Server queries DNS for the SPF record of that domain
  4. Server evaluates SPF mechanisms against the sending IP
  5. Result is Pass, Fail, SoftFail, Neutral, or error

SPF Record Syntax

SPF records consist of mechanisms and modifiers that define authorization rules.

Common Mechanisms

Mechanism Description Example
ip4: Authorize an IPv4 address or range ip4:192.168.1.1
ip6: Authorize an IPv6 address or range ip6:2001:db8::/32
include: Include another domain's SPF record include:_spf.google.com
a Authorize the domain's A record IP a
mx Authorize the domain's MX servers mx
all Match all (used at end with qualifier) -all

Qualifiers

Each mechanism can have a qualifier that determines the result:

Qualifier Meaning Result
+ (default) Pass IP is authorized
- Fail IP is explicitly not authorized
~ SoftFail IP is probably not authorized
? Neutral No statement about authorization

Example Records Explained

Basic Google Workspace:

v=spf1 include:_spf.google.com ~all

Authorizes Google's servers, soft fail for others.

Multiple services:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net -all

Authorizes Google, Mailchimp, and SendGrid. Hard fail for others.

With specific IPs:

v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all

Authorizes an IP range plus Google's servers.

The 10 DNS Lookup Limit

SPF has a critical limitation: records can trigger a maximum of 10 DNS lookups. This includes:

  • Each include: mechanism (1 lookup, plus any lookups in the included record)
  • Each a or mx mechanism (1 lookup each)
  • Each redirect= modifier

If your SPF record exceeds 10 lookups, it returns a permanent error (PermError) and SPF fails.

Counting Lookups Example

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net mx -all

  • include:_spf.google.com = 1 + (Google's nested includes, typically 2-3)
  • include:servers.mcsv.net = 1 + (Mailchimp's nested includes)
  • include:sendgrid.net = 1 + (SendGrid's nested includes)
  • mx = 1

This can quickly exceed 10 lookups.

Solutions for Too Many Lookups

  • SPF flattening: Replace includes with their resolved IP addresses
  • Remove unused services: Audit which services actually send email
  • Use subdomains: Different SPF records for different sending services

SPF Softfail vs Hardfail

The all mechanism at the end determines how unauthorized senders are treated:

~all (Softfail)

  • Emails from unauthorized IPs are marked as suspicious
  • Usually still delivered but may go to spam
  • Good for testing or when not 100% sure of all senders

-all (Hardfail)

  • Emails from unauthorized IPs should be rejected
  • Stronger protection against spoofing
  • Use after confirming all legitimate senders are included

Recommendation: Start with ~all while testing, then move to -all once confident.

SPF Limitations

Only Checks Envelope Sender

SPF validates the MAIL FROM address (envelope sender), not the From header that users see. Attackers can exploit this gap—which is why DMARC alignment checking is necessary.

Breaks with Forwarding

When email is forwarded, the forwarding server's IP isn't in the original domain's SPF record, causing failures. This is partially addressed by SRS (Sender Rewriting Scheme) and ARC.

10 Lookup Limit

Complex organizations with many email services can easily exceed this limit, requiring careful management.

Creating Your SPF Record

  1. Inventory all email sources: List every service that sends email for your domain
  2. Gather SPF includes: Each service provides their include statement
  3. Build the record: Combine them, starting with v=spf1 and ending with -all or ~all
  4. Verify lookup count: Use an SPF checker to ensure you're under 10 lookups
  5. Publish in DNS: Add as a TXT record for your domain (not a subdomain)
  6. Test: Send test emails and verify SPF passes

Common SPF Mistakes

Multiple SPF Records

A domain can only have ONE SPF record. Multiple records cause failures. If you need to add senders, modify the existing record.

Forgetting Services

Common forgotten email sources:

  • CRM systems (Salesforce, HubSpot)
  • Helpdesk software (Zendesk, Freshdesk)
  • Marketing platforms (Mailchimp, Klaviyo)
  • Transactional email (SendGrid, Mailgun)
  • Web forms that send notifications

Using +all

Never use +all—it authorizes everyone to send as your domain, defeating the purpose of SPF.

SPF and Other Protocols

SPF is most effective as part of a complete email authentication strategy:

  • SPF: Authorizes sending servers
  • DKIM: Cryptographically signs messages
  • DMARC: Enforces policy and alignment

For a complete overview, see our Email Authentication Complete Guide.

Summary

SPF provides:

  • Authorization: Specifies which servers can send for your domain
  • Protection: Helps receiving servers detect spoofing
  • Deliverability: Essential for reaching the inbox
  • Foundation: Required for DMARC to function

While SPF alone isn't enough to fully protect your domain, it's an essential first step in email authentication that every domain should implement.

0 comments

Leave a comment

Please note, comments need to be approved before they are published.