Knowing SPF Records and Setting Them Up Correctly


SPF Records: Complete Guide

Sender Policy Framework (SPF) is an email authentication method that helps prevent email spoofing. By properly configuring SPF records, you tell receiving mail servers which servers are authorized to send email on behalf of your domain.

What is SPF?

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are permitted to send email for your domain. When a receiving mail server gets an email claiming to be from your domain, it checks your SPF record to verify the sender is authorized.

How SPF Works

  1. Email sent: Someone sends an email from user@yourdomain.com
  2. Receiving server checks: The destination mail server queries DNS for your SPF record
  3. Verification: The server compares the connecting server’s IP address with the SPF record of the domain in the envelope sender (MAIL FROM) address
  4. Result: Email is accepted, marked as spam, or rejected based on SPF result

Why SPF is Important

  • Prevents spoofing: Makes it harder for spammers to fake your domain
  • Improves deliverability: Emails are more likely to reach the inbox
  • Protects reputation: Prevents your domain from being used in phishing
  • Compliance: Many email providers require SPF for bulk sending
  • Authentication: Works with DKIM and DMARC for complete email security

SPF Record Format

An SPF record is a TXT record with a fixed syntax: the version tag, then one or more mechanisms, each optionally prefixed by a qualifier:

v=spf1 [qualifier]<mechanism> [qualifier]<mechanism> ... [qualifier]all

Basic Structure

v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all

Components:

  • v=spf1: SPF version (always use spf1)
  • ip4:203.0.113.10: Allow specific IP address
  • include:_spf.google.com: Include Google’s SPF record
  • ~all: Soft fail for all other servers

SPF Mechanisms

Mechanisms specify which servers can send email:

IP Address Mechanisms

IPv4 addresses:

ip4:203.0.113.10          # Single IP
ip4:203.0.113.0/24        # IP range (CIDR notation)

IPv6 addresses:

ip6:2001:db8::1           # Single IPv6
ip6:2001:db8::/32         # IPv6 range

Domain Mechanisms

A record:

a                         # Current domain's A record
a:mail.example.com        # Specific domain's A record

MX record:

mx                        # Domain's MX records can send
mx:example.com            # Specific domain's MX records

Include other SPF records:

include:_spf.google.com   # Include another domain's SPF

Special Mechanisms

All:

+all    # Allow all (never use)
~all    # Soft fail all others (recommended)
-all    # Hard fail all others (strict)
?all    # Neutral (not recommended)

Qualifiers

Qualifiers determine what happens when a mechanism matches:

  • + Pass: The sender is authorized (default if no qualifier is given)
  • - Fail: The sender is not authorized; receivers commonly reject or quarantine
  • ~ Soft Fail: The sender is probably not authorized; accept but mark as suspicious (recommended for “all”)
  • ? Neutral: No assertion is made; treated like having no SPF record

Examples:

+ip4:203.0.113.10    # Explicitly allow
-ip4:198.51.100.10   # Explicitly block
~all                 # Soft fail others
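The left-to-right evaluation described above, written out as an added Python example (not code from the original guide): a table-driven version of the receiver’s check_host() that matches the connecting IP against ip4/ip6/a/mx/include mechanisms and returns the qualifier of the first matching term. The DNS table and the .test names are constructed stand-ins for live lookups; ptr and exists are not modelled.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (hypothetical names, not the page's data):
# TXT -> the SPF record string, A -> addresses, MX -> mail host names.
DNS = {
    ("TXT", "example.com"): "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailsvc.test -ip4:198.51.100.10 ~all",
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "mail.example.com"): ["192.0.2.25"],
    ("TXT", "_spf.mailsvc.test"): "v=spf1 ip6:2001:db8::/32 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def split_term(term):
    """Separate the optional qualifier from the mechanism: '~all' -> ('~', 'all'), 'mx' -> ('+', 'mx')."""
    return (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)

def check_host(ip, domain):
    """Evaluate `domain`'s SPF record for sender address `ip`, as a receiving MTA does (RFC 7208 check_host)."""
    record = DNS.get(("TXT", domain))
    if record is None or record.split()[0] != "v=spf1":
        return "none"                      # no SPF policy published for this domain
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:        # terms are tested left to right; the first match decides
        qualifier, mech = split_term(term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # mixed address families never match; a bare address is treated as /32 or /128
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(sender) in DNS.get(("A", arg or domain), [])
        elif name == "mx":
            hosts = DNS.get(("MX", arg or domain), [])
            matched = any(str(sender) in DNS.get(("A", h), []) for h in hosts)
        elif name == "include":
            sub = check_host(ip, arg)      # include matches only if the referenced policy passes
            if sub in ("none", "permerror"):
                return "permerror"         # including a domain without a valid record is an error
            matched = sub == "pass"
        else:
            return "permerror"             # unknown mechanism (simplified: ptr/exists not modelled)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no 'all' term: default result
```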

Finding Your SPF Record

Check Existing SPF Record

Using nslookup (Windows):

nslookup -type=TXT yourdomain.com

Using dig (Linux/Mac):

dig TXT yourdomain.com

Online tools:

Finding Your Server’s IP

Check email headers:

  1. Send yourself a test email
  2. View email source/headers
  3. Find “Received:” headers
  4. Locate your server’s IP address

Query your mail server:

nslookup mail.yourdomain.com

Setting Up SPF Records

Single Email Service

If you only use one email service (e.g., Google Workspace):

v=spf1 include:_spf.google.com ~all

Popular service includes:

  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com
  • SendGrid: include:sendgrid.net
  • Mailchimp: include:servers.mcsv.net
  • Amazon SES: include:amazonses.com

Multiple Email Services

If you use multiple services:

v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.salesforce.com ~all

Warning: Each include counts toward the 10 DNS lookup limit, together with any lookups the included records perform themselves.

Custom Mail Server

If you have your own mail server:

v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 ~all

With IP range:

v=spf1 ip4:203.0.113.0/24 ~all

Complete Example

Domain using Google Workspace, SendGrid, and custom server:

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 ~all

Advanced SPF Configuration

Using MX Records

Allow your MX servers to send:

v=spf1 mx ~all

Using A Records

Allow your web server to send:

v=spf1 a ~all

Including a Subdomain’s SPF Record

SPF records are not inherited by subdomains: a subdomain that sends mail needs its own record. If a subdomain already publishes one, the parent domain can reference it:

v=spf1 include:mail.example.com ~all

IPv6 Support

v=spf1 ip4:203.0.113.10 ip6:2001:db8::1 include:_spf.google.com ~all

PTR Mechanism

v=spf1 ptr:example.com ~all

Note: The PTR mechanism is slow, unreliable and discouraged by RFC 7208. Avoid using it.

SPF Limitations

10 DNS Lookup Limit

SPF records are limited to 10 DNS lookups to prevent abuse.

What counts as a lookup:

  • Each include: (1 lookup, plus whatever the included record needs)
  • Each a: (1 lookup)
  • Each mx: (1 lookup; the address lookups for its hosts are capped separately)
  • Each ptr: and exists:, and the redirect= modifier (1 lookup each)
  • ip4: and ip6: don’t count

Exceeding the limit: If the check needs more than 10 lookups, the result is PermError, so SPF authorizes none of your senders, not even those listed with ip4:.

Checking Lookup Count

Use an SPF validation tool; most report how many DNS lookups your record consumes.

Flattening SPF Records

If you exceed 10 lookups, “flatten” your SPF record by replacing include: with actual IP addresses.

Before (12 lookups):

v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.salesforce.com include:servers.mcsv.net include:amazonses.com ~all

After flattening (example):

v=spf1 ip4:142.250.0.0/16 ip4:167.89.0.0/17 ip4:136.147.0.0/16 ~all

Drawbacks:

  • Must manually update when services change IPs
  • Can become very long
  • Some DNS providers have size limits

Alternative: Use SPF flattening services that automatically maintain your record.
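An added Python example (not part of the guide) doing what a lookup counter and a flattening service do: it counts the DNS-querying terms through nested include: records, raises the PermError that several SPF records at one name cause (see Multiple SPF Records under Troubleshooting), and rewrites include: terms into the addresses they pass on. The zone data and the .test names are constructed.

```python
# Constructed zone data standing in for live DNS (hypothetical .test names, not the page's data):
# each name maps to the list of TXT strings published at it.
TXT = {
    "example.com": ["v=spf1 include:_spf.mailsvc.test include:spf.crm.test ip4:203.0.113.10 ~all"],
    "_spf.mailsvc.test": ["v=spf1 include:_netblocks1.mailsvc.test include:_netblocks2.mailsvc.test ~all"],
    "_netblocks1.mailsvc.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_netblocks2.mailsvc.test": ["v=spf1 ip6:2001:db8:1::/48 -all"],
    "spf.crm.test": ["v=spf1 ip4:192.0.2.0/26 -ip4:192.0.2.7 ~all"],
    "heavy.test": ["v=spf1 a mx ptr exists:%{i}.rbl.test include:_spf.mailsvc.test include:spf.crm.test include:example.com -all"],
    "broken.test": ["v=spf1 include:_spf.mailsvc.test -all", "v=spf1 mx -all"],   # two SPF records
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # the redirect= modifier counts too
LIMIT = 10                                               # RFC 7208 section 4.6.4

def spf_record(name):
    """Return the single SPF record at `name`; zero or several records is a PermError (RFC 7208 4.5)."""
    records = [r for r in TXT.get(name, []) if r == "v=spf1" or r.startswith("v=spf1 ")]
    if len(records) != 1:
        raise ValueError(f"permerror: {len(records)} SPF records at {name}")
    return records[0]

def count_lookups(record):
    """Count the DNS-querying terms a receiver evaluates, following include:/redirect= recursively."""
    total = 0
    for term in record.split()[1:]:
        key, _, arg = term.lstrip("+-~?").partition(":")
        if key in LOOKUP_MECHS:
            total += 1
            if key == "include":
                total += count_lookups(spf_record(arg))
        elif key.startswith("redirect="):
            total += 1 + count_lookups(spf_record(key.split("=", 1)[1]))
    return total

def flatten(name):
    """Rewrite the record at `name` with every include: replaced by the ip4:/ip6: terms it can pass on.
    An include only matches on 'pass', so its '-', '~', '?' terms and its 'all' are dropped; a/mx/ptr/exists
    inside an included record would have to be resolved to addresses as well (not done here)."""
    out = []
    for term in spf_record(name).split()[1:]:
        key, _, arg = term.lstrip("+-~?").partition(":")
        if key == "include":
            out.extend(t.lstrip("+") for t in flatten(arg).split()[1:]
                       if t.lstrip("+").startswith(("ip4:", "ip6:")))
        else:
            out.append(term)
    return "v=spf1 " + " ".join(out)
```

Running count_lookups over the flattened record shows the lookup count dropping to zero, while heavy.test exceeds LIMIT and would yield PermError.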

Common SPF Configurations

Google Workspace / Gmail

v=spf1 include:_spf.google.com ~all

Microsoft 365 / Outlook

v=spf1 include:spf.protection.outlook.com ~all

Google Workspace + Microsoft 365

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

cPanel / WHM Server

v=spf1 a mx ~all

Cloudflare Email Routing

v=spf1 include:_spf.mx.cloudflare.net ~all

Multiple Services

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ip4:203.0.113.10 ~all

Testing SPF Records

Send Test Email

  1. Send email from your domain to a Gmail account
  2. Open the email in Gmail
  3. Click Show original
  4. Look for SPF result:
    spf=pass (google.com: domain of sender@yourdomain.com designates IP as permitted sender)

Command Line Testing

# Check SPF record
dig TXT yourdomain.com

# Specific DNS query
nslookup -type=TXT yourdomain.com

Online Testing Tools

Troubleshooting

SPF Fails

Common causes:

  • SPF record not published in DNS
  • Syntax errors in SPF record
  • Exceeding 10 DNS lookup limit
  • Sending from unauthorized server
  • DNS propagation delay

Solutions:

  • Verify SPF record with online tools
  • Check for typos in the record
  • Count DNS lookups
  • Add missing server IPs or includes
  • Wait for cached records to expire (commonly 24-48 hours, depending on the record’s TTL)

Multiple SPF Records

Problem: Only one SPF record is allowed per domain. Publishing more than one produces a PermError, so none of them takes effect.

Wrong:

v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all

Correct:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Void Lookup

Problem: A DNS lookup made during the check returns no records (NXDOMAIN or an empty answer). SPF allows at most two such void lookups per check; more produce a PermError.

Causes:

  • Typo in include statement
  • Referenced domain has no SPF record
  • DNS resolution issues

Check:

dig TXT _spf.google.com

PermError

Problem: The SPF record has syntax errors, exceeds the lookup limit, or is one of several SPF records published for the domain.

Solutions:

  • Validate syntax with SPF checker
  • Reduce DNS lookups
  • Fix formatting errors

Best Practices

  1. Start simple: Begin with basic SPF, expand as needed
  2. Use ~all: Soft fail is safer than hard fail initially
  3. Monitor email: Check delivery rates after implementing SPF
  4. Combine with DKIM and DMARC: Use all three for best protection
  5. Keep it updated: Update SPF when adding new email services
  6. Test before deploying: Use SPF validators
  7. Document changes: Keep track of what’s included and why
  8. Watch DNS lookups: Stay well under the 10 lookup limit
  9. Regular audits: Review SPF records every 6 months
  10. Use include wisely: Only include services you actually use

Conclusion

SPF records are essential for email authentication and deliverability. A properly configured SPF record:

  • Reduces spam and phishing using your domain
  • Improves email deliverability
  • Protects your domain reputation
  • Works alongside DKIM and DMARC for comprehensive email security

Start with a simple SPF record for your primary email service, then expand as needed while staying within the 10 DNS lookup limit.

Quick Reference

Basic SPF syntax:

v=spf1 [mechanisms] [qualifier]all

Common mechanisms:

ip4:203.0.113.10           # IPv4 address
ip6:2001:db8::1            # IPv6 address
include:_spf.google.com    # Include another SPF
a                          # Domain's A record
mx                         # Domain's MX records

Qualifiers:

+  Pass (default)
-  Fail (reject)
~  Soft Fail (accept but mark)
?  Neutral

Recommended ending:

~all   # Soft fail all others