SPF (Sender Policy Framework) is an email authentication method that lets you specify which mail servers are allowed to send email on behalf of your domain. It works by publishing a list of authorised IP addresses and servers in a DNS TXT record, and receiving mail servers check that list to verify whether the server that handed them a message is one your domain actually authorised.

In simple terms: SPF is like a guest list for your domain’s email. If a server tries to send email as your domain but isn’t on the list, the receiving server knows something is wrong.

How SPF Works

Here’s what happens step by step when an email is sent from a domain protected by SPF:

1. Your mail server sends an email

   A server at IP address 203.0.113.5 connects to the recipient’s mail server and sends an email whose envelope sender (the SMTP MAIL FROM address, which the receiver later records as the Return-Path header) is you@example.com.

2. The receiving server looks up your domain’s SPF record

   The recipient’s mail server (e.g. Gmail, Outlook) takes the domain from that envelope sender, example.com, and queries its DNS TXT records. It finds the SPF record:

   v=spf1 ip4:203.0.113.5 -all

3. It compares the sending server’s IP against the SPF list

   The receiving server asks: “Is 203.0.113.5 in the list of IPs that example.com says are allowed to send email?” The mechanisms in the record are evaluated left to right, and the first one that matches decides the result.

4. If it matches → SPF passes

   The IP address is in the SPF record, so the check passes. The message came from a server that example.com authorised, and it is normally delivered (an SPF pass vouches for the sending server, not for the content of the message).

5. If it doesn’t match → SPF fails

   If an attacker at IP 198.51.100.9 tries to send email pretending to be example.com, the receiving server sees that the IP is not in the SPF record and reaches the final -all, which marks the message as a failure. The email may be rejected or flagged as spam.

SPF Check — Visual Overview

  Sender IP 203.0.113.5 → email sent → receiving server checks: is 203.0.113.5 in the SPF record?
    DNS lookup: example.com TXT "v=spf1 ip4:203.0.113.5 -all"
    Match ✓ → ✅ SPF pass → email delivered

  Attacker IP 198.51.100.9 → email sent → same DNS lookup
    198.51.100.9 NOT in SPF → fail ✗ → ❌ SPF fail → email rejected

Anatomy of an SPF Record

An SPF record is a TXT record in your DNS that starts with v=spf1 and lists all the servers allowed to send email for your domain:

v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net -all

Let’s break it down:

Part                      Meaning
v=spf1                    SPF version 1 (required, always first)
ip4:203.0.113.0/24        Allow this IPv4 range (203.0.113.0 to 203.0.113.255) to send email
include:_spf.google.com   Also allow whatever Google Workspace’s own SPF record at _spf.google.com authorises
include:sendgrid.net      Also allow whatever SendGrid’s SPF record at sendgrid.net authorises
-all                      Reject everything else (hard fail)

A domain must publish exactly one SPF record. Two TXT records that both start with v=spf1 are a permanent error, not a merged list.

SPF Mechanisms

SPF records use these mechanisms to define who’s allowed. They are evaluated left to right, and the first one that matches the sending IP decides the result:

Mechanism   Example                           What it does
ip4         ip4:203.0.113.5                   Match an IPv4 address, or a range written in CIDR form (ip4:203.0.113.0/24)
ip6         ip6:2001:db8::/32                 Match an IPv6 address or range
include     include:_spf.google.com           Evaluate another domain’s SPF record; matches only if that record returns pass for the sending IP (delegation)
a           a or a:mail.example.com           Match the A record IP(s) of the domain being checked, or of the named host
mx          mx                                Match the IP(s) of the hosts listed in the domain’s MX records
exists      exists:%{i}._spf.example.com      Match if an A record exists for the expanded name (%{i} is the sending IP); an advanced macro mechanism
all         all                               Matches every IP; placed last, and its qualifier sets the default result for anything not matched above

redirect (written redirect=_spf.example.com) is not a mechanism but a modifier: it hands evaluation over to another domain’s record entirely, and is consulted only when none of the mechanisms before it matched.

SPF Qualifiers

Each mechanism can be prefixed with a qualifier that sets the result when that mechanism matches. In practice you almost always see them on all, where they decide what happens to senders that matched nothing else:

+all
Pass — “+” is the default when no qualifier is written, but +all authorises every host on the internet and should never be published.
-all
Hard Fail — Tells receivers to reject senders not listed. Recommended for production once you are sure the record is complete.
~all
Soft Fail — Receivers accept but may treat the message as suspicious; DMARC does not count a softfail as an SPF pass. Useful during initial setup.
?all
Neutral — No opinion. Receivers treat it exactly like having no SPF record at all.

The 10 DNS Lookup Limit

⚠️ Critical limitation: evaluating an SPF record may cause at most 10 DNS lookups (RFC 7208, section 4.6.4). Each include, a, mx, exists and redirect term counts as one, the deprecated ptr counts too, and so do the terms inside every included or redirected record, because they are followed recursively. ip4, ip6 and all cost nothing. If evaluation needs an 11th lookup, the result is a permanent error (PermError). Receivers generally treat that as a failure and DMARC does not count it as an SPF pass, so it hits any message whose evaluation gets that far, which in practice means most of your mail.

This is the most common SPF problem for businesses that use multiple email services. For example:

v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com include:spf.protection.outlook.com include:servers.mcsv.net include:amazonses.com include:zendesk.com include:spf.freshdesk.com a mx -all
❌ This record already needs 10 lookups at the top level, before any of the lookups nested inside those providers’ own records are counted — it will break!

How to fix it:

  • Remove unused services — audit which includes you actually still use (a provider you no longer send through is still a lookup, and still a set of hosts allowed to send as you)
  • Use ip4/ip6 instead of include — IP mechanisms don’t count toward the limit, but you then own the job of tracking the provider’s address changes yourself
  • SPF flattening — resolve includes to their IP addresses automatically (requires re-flattening whenever a provider’s ranges change, so schedule it rather than doing it once)
  • Use subdomains — send marketing email from mail.example.com with its own SPF record; this only helps if the service really uses that subdomain as the envelope sender (Return-Path)
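The evaluation described in the steps above, the mechanism and qualifier tables, and the lookup budget can all be exercised in one small program. The following is an added example, not code from the original page and not any SPF library’s implementation: a toy evaluator in Python covering a subset of RFC 7208, run against an in-memory DNS table so it works offline. Every domain name, IP address and record in the DNS table is constructed for the demonstration (documentation address ranges and .example names); macro support is limited to %{i} and %{d}; the a and mx mechanisms only consult A records; and the per-MX-host A queries that RFC 7208 gives their own separate limit are not charged to the main budget.

```python
"""Toy SPF evaluator (RFC 7208 subset) over an in-memory DNS table. Added example,
not the page's code; macros are limited to %{i} (sending IP) and %{d} (domain)."""
import ipaddress

MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data standing in for live DNS: every name and address is hypothetical.
DNS = {
    "TXT": {
        "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
        "_spf.mailer.example": ["v=spf1 ip4:198.51.100.16/28 ip6:2001:db8:feed::/48 ~all"],
        "soft.example": ["v=spf1 a mx exists:%{i}.allow.soft.example ~all"],
        "alias.example": ["v=spf1 redirect=example.com"],
        "loop.example": ["v=spf1 include:loop.example -all"],  # includes itself: burns the budget
    },
    "A": {
        "soft.example": ["192.0.2.10"],
        "mx1.soft.example": ["192.0.2.20"],
        "192.0.2.30.allow.soft.example": ["127.0.0.2"],  # what the exists: macro resolves to
    },
    "MX": {"soft.example": ["mx1.soft.example"]},
}

class PermError(Exception):
    """Malformed record, or more than MAX_LOOKUPS DNS lookups needed."""

def spend(budget):
    budget[0] += 1                                    # one DNS-querying term consumed
    if budget[0] > MAX_LOOKUPS:
        raise PermError("more than %d DNS lookups" % MAX_LOOKUPS)

def lookup(rtype, name):
    return DNS.get(rtype, {}).get(name.lower(), [])

def spf_record(domain):
    """The domain's single v=spf1 TXT record: None if absent, PermError if several."""
    recs = [r for r in lookup("TXT", domain) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) > 1:
        raise PermError("%s publishes %d SPF records" % (domain, len(recs)))
    return recs[0] if recs else None

def in_net(ip, spec, version):
    net = ipaddress.ip_network(spec, strict=False)    # a bare "203.0.113.5" means /32
    return ip.version == version == net.version and ip in net

def hosts_match(ip, names, cidr):
    # True if ip lies within <A record>/<cidr> of any named host (IPv4 only in this toy).
    return ip.version == 4 and any(ip in ipaddress.ip_network("%s/%s" % (addr, cidr), strict=False)
                                   for name in names for addr in lookup("A", name))

def follow(ip, other, budget):
    # Evaluate another domain's record for include:/redirect=; no record there is a permerror.
    sub = evaluate(ip, other, budget)
    if sub == "none":
        raise PermError("%s has no SPF record" % other)
    return sub

def evaluate(ip, domain, budget):
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:                   # skip the v=spf1 tag
        if "=" in term:                               # modifier (redirect=, exp=, or unknown: ignored)
            if term.lower().startswith("redirect="):
                redirect = term[9:]
            continue
        qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.lower().partition(":")
        target, _, cidr = arg.partition("/")          # "a:host/24" style prefix length
        target, cidr = target or domain, cidr or "32"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):                  # no DNS needed: free
            matched = in_net(ip, arg, int(mech[2]))
        elif mech in ("a", "mx", "exists", "include"):
            spend(budget)                             # each of these costs one lookup
            if mech == "a":
                matched = hosts_match(ip, [target], cidr)
            elif mech == "mx":                        # the MX query; per-MX-host A queries have their own RFC limit
                matched = hosts_match(ip, lookup("MX", target), cidr)
            elif mech == "exists":
                matched = bool(lookup("A", arg.replace("%{i}", str(ip)).replace("%{d}", domain)))
            else:                                     # include: only a pass inside it is a match
                matched = follow(ip, target, budget) == "pass"
        else:
            raise PermError("unknown mechanism %s" % mech)
        if matched:
            return QUALIFIERS[qualifier]              # first match wins
    if redirect:                                      # consulted only when nothing matched
        spend(budget)
        return follow(ip, redirect, budget)
    return "neutral"                                  # ran out of terms without an "all"

def check_host(ip, domain):
    """(result, lookups used) for a sending IP and the envelope-sender (Return-Path) domain."""
    budget = [0]
    try:
        return evaluate(ipaddress.ip_address(ip), domain, budget), budget[0]
    except (PermError, ValueError):                   # ValueError: unparsable IP or CIDR in a record
        return "permerror", budget[0]
```

check_host("198.51.100.20", "example.com") returns ("pass", 1): the IP missed the ip4 range, the include cost one lookup, and the included record matched. check_host("203.0.113.5", "loop.example") returns ("permerror", 11) because the self-include never terminates. Because evaluation stops at the first match, the lookup count it reports is only what that particular IP needed; to see the worst case a record can demand, evaluate it with an IP that matches nothing and read the count, which is the check to run before publishing a record with many includes.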

Common SPF Records by Provider

Service            Include
Google Workspace   include:_spf.google.com
Microsoft 365      include:spf.protection.outlook.com
SendGrid           include:sendgrid.net
Mailchimp          include:servers.mcsv.net
Amazon SES         include:amazonses.com
Zendesk            include:mail.zendesk.com
Freshdesk          include:email.freshdesk.com
HubSpot            include:spf.hubspot.com
Zoho               include:zoho.com

These are the hostnames the providers commonly document, but providers do change them and some vary by region or plan, so confirm each one against the provider’s current setup instructions rather than this table.

SPF Alone Isn’t Enough

SPF has important limitations:

  • SPF checks the envelope sender (the SMTP MAIL FROM address, recorded by the receiver as the Return-Path header) and the HELO name, not the From: header — an attacker can send from their own domain, pass SPF for that domain, and still put your address in the visible From: line
  • Email forwarding breaks SPF — when email is forwarded, the sending IP changes to the forwarder’s but the Return-Path stays the same, so the forwarder is not in your record (forwarders that rewrite the Return-Path with SRS pass SPF again, but against their own domain rather than yours)
  • No reporting — SPF doesn’t tell you when checks fail, or which senders are failing them

That’s why you need DKIM (a cryptographic signature that survives forwarding) and DMARC (which requires the SPF or DKIM domain to align with the From: domain, and sends you reports) alongside SPF.
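The three limitations above can be seen in one place by running a few messages through the two checks a receiver actually performs: SPF on the envelope sender, then DMARC’s SPF identifier alignment against the visible From: header. The following is an added example, not code from the original page. It stands in for a full SPF evaluation with a constructed table of the IPs each domain authorises, the messages and addresses are constructed (example.com plus hypothetical attacker.example and forwarder.example), the SRS-rewritten address abbreviates the hash and timestamp fields, and the organisational domain is approximated as the last two labels where real DMARC implementations use the Public Suffix List.

```python
"""Why an SPF pass proves little on its own. Added example, not the page's code:
SPF is judged on the envelope sender (SMTP MAIL FROM, recorded as Return-Path),
then DMARC's SPF alignment is judged against the visible From: header."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the IPs each domain's SPF record would authorise (hypothetical data,
# standing in for a real SPF evaluation).
AUTHORISED = {
    "example.com": {"203.0.113.5"},
    "attacker.example": {"198.51.100.9"},
    "forwarder.example": {"192.0.2.77"},
}

def spf_check(sender_ip, mail_from_domain):
    """Stand-in for a full SPF evaluation: pass only if the IP is listed for that domain."""
    return "pass" if sender_ip in AUTHORISED.get(mail_from_domain, set()) else "fail"

def domain_of(address):
    """Domain part of a mailbox, from either a bare address or 'Name <addr>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def org_domain(name):
    return ".".join(name.split(".")[-2:])    # simplification: real DMARC uses the Public Suffix List

def aligned(return_path_domain, from_domain, mode="relaxed"):
    """DMARC SPF alignment: strict needs an exact match, relaxed the same organisational domain."""
    if mode == "strict":
        return return_path_domain == from_domain
    return org_domain(return_path_domain) == org_domain(from_domain)

def assess(raw_message, sender_ip, mail_from, mode="relaxed"):
    """What a receiver learns: the SPF result for the envelope domain, and whether it aligns with From:."""
    msg = message_from_string(raw_message)
    rp, frm = domain_of(mail_from), domain_of(msg["From"])
    spf = spf_check(sender_ip, rp)
    return {"return_path": rp, "from": frm, "spf": spf,
            "aligned": aligned(rp, frm, mode),
            "dmarc_spf_pass": spf == "pass" and aligned(rp, frm, mode)}

# Constructed sample messages: same visible From: line, different origins.
LEGIT = "From: CEO <ceo@example.com>\r\nTo: cfo@example.com\r\nSubject: Q3\r\n\r\nNumbers attached.\r\n"
SPOOF = "From: CEO <ceo@example.com>\r\nTo: cfo@example.com\r\nSubject: Urgent wire\r\n\r\nPay now.\r\n"

SCENARIOS = {
    # name: (message, sending IP, SMTP MAIL FROM)
    "direct": (LEGIT, "203.0.113.5", "ceo@example.com"),
    "spoofed_from": (SPOOF, "198.51.100.9", "bounce@attacker.example"),   # attacker's own envelope
    "forwarded": (LEGIT, "192.0.2.77", "ceo@example.com"),                 # forwarder keeps Return-Path
    "forwarded_srs": (LEGIT, "192.0.2.77", "SRS0=HHH=TT=example.com=ceo@forwarder.example"),
}

def run_scenarios(mode="relaxed"):
    return {name: assess(msg, ip, mf, mode) for name, (msg, ip, mf) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print("%-14s spf=%-4s aligned=%-5s dmarc_spf_pass=%s"
              % (name, verdict["spf"], verdict["aligned"], verdict["dmarc_spf_pass"]))
```

Only the direct message gets both an SPF pass and alignment. The spoofed message passes SPF, because the attacker’s own domain lists the attacker’s IP, and fails only on alignment; the plainly forwarded message fails SPF because the forwarder’s IP is not in example.com’s record; and the SRS-rewritten forward passes SPF again but now against forwarder.example, so it fails alignment. In the last two cases only a DKIM signature that survived the forward can rescue the message under DMARC.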

Check your domain’s email authentication

Use our free Domain Checker to see your current SPF, DKIM, and DMARC records — and find out what needs fixing.

Check Your Domain →

Related Topics

What is DKIM? →
Cryptographic email signing


What is DMARC? →
Ties SPF + DKIM together


SPF vs DKIM vs DMARC →
How they work together