What is SPF Record?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email for a domain.

SPF, short for Sender Policy Framework, is an email authentication standard published as a DNS TXT record. It declares the exact set of IP addresses and hostnames that are permitted to send mail using your domain in the envelope sender address. Receiving mail servers read this record and compare it against the IP that actually delivered the message.

An SPF record always begins with the version tag v=spf1 and is followed by a list of mechanisms such as ip4, ip6, a, mx, and include, ending with an all mechanism that sets the default policy. A hard fail (-all) tells receivers to reject unauthorized mail, while a soft fail (~all) asks them to accept but mark it suspicious.

For anyone doing cold outreach or sending marketing campaigns, SPF is non-negotiable. Missing or misconfigured SPF is one of the most common reasons legitimate email lands in spam or is rejected outright, because Gmail and Microsoft now require authentication for bulk senders. SPF alone is not enough — it must be paired with DKIM and DMARC.

A critical limitation is the ten DNS lookup limit: SPF records that trigger more than ten nested lookups return a permerror and fail authentication. This happens easily when you chain many include statements for third-party senders like your CRM, help desk, and newsletter tool, so SPF records need periodic flattening and cleanup.

Examples

  • v=spf1 include:_spf.google.com ~all — authorizes Google Workspace with a soft fail
  • v=spf1 ip4:192.0.2.10 include:sendgrid.net -all — one static IP plus SendGrid, hard fail
  • A domain with no SPF record — bulk mail is far more likely to be filtered as spam

Frequently asked questions

Free tools for working with SPF Record

Related terms