How SPF Works
When a receiving mail server gets an email claiming to be from user@yourdomain.com, it looks up your domain's SPF record in DNS. The record lists which IP addresses and mail servers are authorized to send email from your domain. If the sending server isn't on the list, the email fails SPF.
SPF checks the envelope sender (the SMTP MAIL FROM address), not the From: header you see in your email client. This is an important distinction — it means SPF alone doesn't protect the visible From: header (that's what DMARC adds).
SPF Record Syntax
SPF records are TXT records on your root domain (@). They always start with v=spf1:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.1 ~all
Breaking that down:
v=spf1 — identifies this as an SPF record
include:_spf.google.com — authorizes all of Google's mail servers (for Google Workspace)
include:sendgrid.net — authorizes SendGrid's servers
ip4:203.0.113.1 — authorizes a specific IP address
~all — soft fail: other servers are not authorized but email is still accepted (marked as suspicious)
The All Qualifier
-all — hard fail: reject email from unlisted servers
~all — soft fail: accept but mark as suspicious (most common)
?all — neutral: no opinion
+all — pass all (never use this — it defeats the purpose of SPF)
The 10 DNS Lookup Limit
SPF records are limited to 10 DNS lookups during evaluation. Each include:, a:, and mx: mechanism and each redirect= modifier counts toward this limit. Nested includes count too. Exceed 10 and your SPF record returns a PermError, which many receivers treat as a fail.
If you use multiple email services (Google Workspace + SendGrid + Mailchimp + HubSpot), you can easily hit this limit. Use SPF flattening tools to resolve includes to IPs and reduce lookup count.
One SPF Record Only
You can only have one SPF record per domain. If you have two TXT records starting with v=spf1, SPF validation fails. Merge all your authorized senders into a single record.
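Added example (not from the original page or any SPF tool): a small Python linter for the two rules above, the 10-lookup limit with nested includes and the single-record rule, plus the +all check. It reads constructed TXT data from SAMPLE_TXT instead of querying DNS; the function names and .test domains are assumptions, and the count is the worst case in which every term is evaluated.

```python
import re

# Constructed zone data standing in for live DNS TXT answers; every name is made up.
SAMPLE_TXT = {
    "ok.test": ["v=spf1 include:_spf.mail.test ip4:203.0.113.1 ~all"],
    "_spf.mail.test": ["v=spf1 a mx ip4:198.51.100.0/24 ~all"],
    "busy.test": ["v=spf1 include:_spf.mail.test include:crm.test include:bulk.test a mx ~all"],
    "crm.test": ["v=spf1 include:_spf.mail.test ~all"],
    "bulk.test": ["v=spf1 exists:%{i}.bulk.test ~all"],
    "dup.test": ["v=spf1 ip4:203.0.113.1 ~all", "v=spf1 include:_spf.mail.test ~all"],
    "open.test": ["v=spf1 ip4:203.0.113.1 +all"],
}
# Terms that cost a DNS query; ptr and exists count as well (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?")

def spf_records(domain, txt):
    """Return the TXT strings at domain whose first token is v=spf1."""
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, txt, path=()):
    """Worst-case count of DNS-querying terms, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    records = spf_records(domain, txt)
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].lower().split()[1:]:
        m = TERM_RE.match(term)
        if m and m.group(1) in LOOKUP_TERMS:
            total += 1  # the term itself costs one lookup
            if m.group(1) in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2), txt, path + (domain,))
    return total

def audit(domain, txt):
    """Return findings for the record-count, +all and lookup-limit checks."""
    records = spf_records(domain, txt)
    if len(records) != 1:
        return [f"{len(records)} SPF records published; receivers need exactly one"]
    open_all = {"+all", "all"} & set(records[0].lower().split())
    findings = ["+all authorizes every sender"] if open_all else []
    lookups = count_lookups(domain, txt)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (PermError)")
    return findings

if __name__ == "__main__":
    print({d: audit(d, SAMPLE_TXT) for d in ("ok.test", "busy.test", "dup.test", "open.test")})
```

In the sample data, busy.test lists only five lookup terms in its own record but reaches 11 once the nested includes are followed, which is how a record that looks short can still return PermError.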
Check your SPF: Use the SPF Checker to validate your current record, or the DNS Record Builder to generate the correct SPF for your email provider.
Yes, if you send any email from your domain. Without SPF, receiving servers have no way to verify your email is legitimate. Major providers increasingly filter or reject email from domains without SPF.
The receiving server checks its policy. With a soft fail (~all), most servers accept the email but may add a spam score penalty. With a hard fail (-all) and a DMARC p=reject policy, the email is rejected.
Combine them in a single TXT record: v=spf1 include:service1.com include:service2.com ~all. Remember the 10-lookup limit.