S
SPF Creator

How SPF Works: Technical Deep Dive

Understand the technical details of SPF authentication — DNS lookups, envelope sender verification, evaluation order, result codes, and DMARC alignment.

You know SPF lets you declare which servers can send email for your domain. But what actually happens under the hood when a receiving mail server processes an incoming message? This article walks through the full verification chain — from DNS query to final result.

The SPF Check Lifecycle

Every SPF check follows the same sequence. Understanding it helps you debug deliverability issues and write better SPF records.

1

Message arrives at the receiving server

An SMTP connection is established and the sending server issues a MAIL FROM command with the envelope sender address (e.g., MAIL FROM:<notifications@example.com>). This is the Return-Path — the address bounces go to.

2

Receiving server extracts the domain

The receiving server takes the domain from the envelope sender (example.com in this case). This is the domain it will check for an SPF record. If the MAIL FROM is empty (as in bounce messages), the server uses the HELO/EHLO identity instead.

3

DNS query for the SPF record

The receiving server queries DNS for TXT records at example.com and looks for one starting with v=spf1. There must be exactly one. Zero means no SPF policy. Two or more means permerror.

4

Mechanisms are evaluated left to right

The server walks through each mechanism in the SPF record, checking whether the sending IP matches. The first match determines the result. If no mechanism matches, the all mechanism at the end provides the default.

5

Result is produced

The check yields one of several results: pass, fail, softfail, neutral, temperror, permerror, or none. This result is added to the Authentication-Results header of the email.

6

Result feeds into DMARC evaluation

If the domain has a DMARC policy, the SPF result and alignment are evaluated alongside DKIM. DMARC requires at least one protocol to both pass and align with the From header domain.

Envelope Sender vs From Header

This is the single most misunderstood part of SPF. There are two "from" addresses on every email, and SPF only checks one of them.

Envelope Sender (Return-Path): This is the address used during the SMTP transaction. It's set in the MAIL FROM command and shows up in the Return-Path header. SPF checks this domain.

From Header: This is the address recipients see in their email client. SPF does not check this. An attacker can set the From header to anything they want, and SPF won't catch it.

SPF alone cannot prevent From header spoofing. An attacker can pass SPF using their own domain in the Return-Path while setting the visible From header to your domain. This is exactly why DMARC exists — it requires SPF (or DKIM) to align with the From header domain.

This matters for third-party services too. When SendGrid or Mailchimp sends email on your behalf, they often use their own domain in the Return-Path (like bounces.sendgrid.net). SPF passes for their domain, not yours. For SPF to help with DMARC, the Return-Path domain needs to match (or be a subdomain of) your From header domain.

The DNS Lookup Process

When a receiving server evaluates your SPF record, it may need to perform multiple DNS queries. Here's what triggers a lookup:

Mechanisms That Require DNS Lookups

  • include: — Requires a lookup for the referenced domain's SPF record, plus any nested lookups within it
  • a — Looks up the A (or AAAA) record for the specified domain
  • mx — Looks up the MX records, then resolves each MX hostname to IP addresses
  • exists: — Performs an A record lookup to check if the domain resolves
  • redirect= — Fetches the SPF record from another domain (counts as a lookup)

Mechanisms That Don't Require DNS Lookups

  • ip4: — Direct IP comparison, no DNS needed
  • ip6: — Direct IP comparison, no DNS needed
  • all — Matches everything, no DNS needed

The 10-lookup limit applies to the total across all nested includes. If your record has include:_spf.google.com and Google's SPF record itself contains 2 more includes, that's 3 lookups just for Google.

SPF Evaluation Order

Mechanisms are evaluated strictly left to right. The first match wins. This matters more than you might think.

Given this record:

v=spf1 ip4:203.0.113.50 include:_spf.google.com -all

The evaluation order is:

  1. Is the sending IP 203.0.113.50? If yes, pass. Stop.
  2. Is the sending IP in Google's authorized list? If yes, pass. Stop.
  3. Nothing matched, hit -all. Result: fail.

If you put ip4 mechanisms first, you save DNS lookups for messages from those IPs. This is a minor optimization, but it's good practice.

Track your SPF health over time

Monitor your SPF, DKIM, DMARC, and MX records daily and get alerted when something changes.

Start Monitoring

SPF Result Codes

The SPF check produces one of seven results. Each one tells the receiving server something different.

ResultMeaningTypical Action
PassSender IP is authorizedAccept the message
Fail (-all)Sender IP is explicitly not authorizedReject or quarantine the message
Softfail (~all)Sender IP is probably not authorizedAccept but mark as suspicious
Neutral (?all)Domain makes no assertion about this IPTreat as if no SPF record exists
NoneNo SPF record foundNo SPF evaluation possible
TemperrorTemporary DNS failureTry again later or accept provisionally
PermerrorSPF record is invalidTreat as if SPF failed (varies by server)

Pass

The sending IP matched an authorized mechanism. This is what you want for all your legitimate sending sources.

Fail vs Softfail

-all produces a fail — a strong statement that unauthorized IPs should be rejected. ~all produces a softfail — a weaker statement that says "this IP probably isn't authorized, but don't reject it outright."

In practice, most receiving servers treat softfail similarly to fail when DMARC is also configured with p=reject or p=quarantine. Softfail is mainly useful during initial SPF setup when you're still identifying all your sending sources.

Permerror

A permerror means your SPF record is broken. Common causes include exceeding the 10-lookup limit, having syntax errors, or having multiple SPF records on the same domain. This is the worst outcome — it means SPF can't be evaluated at all.

SPF and DMARC Alignment

DMARC adds a critical layer on top of SPF by requiring alignment. This means the domain in the Return-Path (checked by SPF) must match the domain in the From header (what recipients see).

There are two alignment modes:

  • Strict alignment — The Return-Path domain must exactly match the From header domain
  • Relaxed alignment — The Return-Path domain can be a subdomain of the From header domain (or vice versa)

For example, if your From header is user@example.com:

  • Return-Path of bounce@example.com — passes both strict and relaxed alignment
  • Return-Path of bounce@mail.example.com — passes relaxed alignment only
  • Return-Path of bounce@sendgrid.net — fails both. SPF might pass, but DMARC won't count it

Third-party alignment

Many email service providers now support custom Return-Path domains (like bounce.yourdomain.com) specifically so SPF can align with DMARC. Check your provider's documentation for setup instructions.

What Happens After SPF

SPF is just one input in the receiving server's decision. Here's the full picture:

  1. SPF check produces a result (pass/fail/softfail/etc.)
  2. DKIM check verifies the cryptographic signature (if present)
  3. DMARC check evaluates whether SPF or DKIM passed and aligned
  4. Reputation systems consider the sender's history, IP reputation, and domain age
  5. Content filtering scans the message body for spam signals
  6. Final decision — deliver to inbox, send to spam, or reject

A passing SPF check doesn't guarantee inbox delivery. But a failing SPF check significantly increases the chance of rejection or spam classification, especially when combined with a strict DMARC policy.

Practical Implications

Understanding how SPF works technically has direct consequences for how you set up your records:

Put IP mechanisms first

Since ip4 and ip6 don't cost DNS lookups and are checked instantly, place them before include mechanisms. This speeds up evaluation for your most common sending IPs.

Watch your lookup count

Every include can cascade into multiple lookups. Monitor your total count and stay well under 10 to avoid permerror.

Configure Return-Path alignment

If you care about DMARC (and you should), make sure your third-party senders use a Return-Path under your domain so SPF alignment passes.

Test after every change

DNS propagation, cached records, and nested includes can all cause surprises. Verify your SPF record with an SPF checker after every modification.

Related Articles

Monitor Your New SPF Record

You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss an SPF issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring