What is SPF? Email Authentication Explained
Learn what SPF (Sender Policy Framework) is, why it matters for email deliverability, and how it protects your domain from spoofing and phishing attacks.
Every day, billions of emails are sent pretending to come from domains they have no business using. SPF (Sender Policy Framework) is the first line of defense against that. It lets you declare which servers are allowed to send email on behalf of your domain — and gives receiving mail servers a way to check.
If you manage a domain that sends email, you need an SPF record. Without one, your messages are more likely to land in spam, and your domain is wide open to spoofing.
What SPF Actually Does
SPF is a DNS-based email authentication protocol defined in RFC 7208. It works by publishing a TXT record in your domain's DNS that lists every server authorized to send mail for that domain.
When a receiving mail server gets a message claiming to be from your domain, it checks your SPF record. If the sending server's IP address matches one of the authorized sources, the message passes SPF. If it doesn't, the message fails — and the receiving server can reject it, flag it, or send it to spam.
SPF checks the envelope sender (the Return-Path address), not the From header that recipients see. This distinction matters when you get into DMARC alignment.
Why SPF Matters
Without SPF, anyone can send email pretending to be from your domain. Here's what that means in practice:
- Phishing attacks use your domain to trick your customers into clicking malicious links
- Spam campaigns sent from your domain damage your sender reputation
- Legitimate email you send gets flagged as suspicious because there's no way to verify it's really from you
- Email deliverability drops as mailbox providers can't distinguish your real messages from forgeries
SPF doesn't solve all of these problems on its own, but it's the foundation. DKIM and DMARC build on top of it.
How SPF Works
You publish an SPF record
You add a TXT record to your domain's DNS. This record lists the IP addresses, mail servers, and third-party services authorized to send email for your domain.
Someone sends email from your domain
A mail server sends a message with your domain in the envelope sender (Return-Path). This could be your own server, a service like Google Workspace, or an attacker trying to spoof you.
The receiving server looks up your SPF record
The receiving mail server extracts the domain from the Return-Path and queries DNS for the SPF TXT record at that domain.
The receiving server checks the sender's IP
The receiving server compares the sending server's IP address against the list of authorized sources in your SPF record.
The result is recorded
The check produces a result — pass, fail, softfail, or neutral — which the receiving server uses to decide what to do with the message. This result is added to the email's Authentication-Results header.
Anatomy of an SPF Record
An SPF record is a single DNS TXT record that starts with v=spf1 and ends with an all mechanism. Here's a real-world example:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 -all
Let's break that down:
v=spf1— Identifies this as an SPF record (version 1, the only version)include:_spf.google.com— Authorizes Google Workspace serversinclude:sendgrid.net— Authorizes SendGrid serversip4:203.0.113.50— Authorizes a specific IPv4 address-all— Rejects everything else (hard fail)
Each piece after v=spf1 is called a mechanism, and they're evaluated left to right. The first match wins.
Keep it simple
A good SPF record only includes the services that actually send email for your domain. Don't add services "just in case" — every unnecessary include is a potential security gap and a wasted DNS lookup.
Monitor your email authentication
Track your SPF, DKIM, DMARC, and MX records daily. Get alerted when something breaks.
SPF vs DKIM vs DMARC
SPF is one of three email authentication protocols. They work together, and you should use all three.
| Protocol | What It Checks | How It Works | Protects Against |
|---|---|---|---|
| SPF | Sending server IP | DNS TXT record listing authorized IPs | Unauthorized servers sending as your domain |
| DKIM | Message integrity | Cryptographic signature in email headers | Message tampering in transit |
| DMARC | Alignment of SPF/DKIM with From header | Policy record that ties SPF and DKIM together | Spoofing of the visible From address |
SPF verifies that the sending server is authorized. DKIM verifies the message hasn't been altered. DMARC ties them together by requiring that at least one of SPF or DKIM passes and aligns with the From header domain.
Without DMARC, an attacker can still spoof the visible From address even if SPF passes on a different domain in the Return-Path. That's why all three matter.
Common SPF Issues
Even with SPF set up, things can go wrong. Here are the issues you'll run into most often:
Too Many DNS Lookups
SPF has a hard limit of 10 DNS lookups per check. Every include, a, mx, and redirect mechanism counts toward this limit. Exceed it and your entire SPF record fails with a permerror. If you use multiple email services, you'll hit this faster than you think.
Multiple SPF Records
A domain can only have one SPF record. If you have two TXT records starting with v=spf1, receiving servers will return a permerror and your SPF check fails for every message.
Using +all
Never use +all. It tells receiving servers that any server is authorized to send email for your domain. This effectively disables SPF and is worse than not having a record at all.
Missing all Mechanism
If your SPF record doesn't end with an all mechanism, the default result for non-matching IPs is neutral — which most servers treat the same as having no SPF record. Always end with -all (hard fail) or ~all (soft fail).
If you're just setting up SPF for the first time, start with ~all (soft fail) while you verify all your sending sources are included. Once you're confident, switch to -all (hard fail) for maximum protection.
Forgetting Third-Party Services
If you use a CRM, marketing tool, helpdesk, or any other service that sends email as your domain, it needs to be in your SPF record. Missing even one service means those emails will fail SPF checks.
Getting Started with SPF
Setting up SPF takes about five minutes:
- List every service and server that sends email for your domain
- Look up the SPF include or IP information for each service
- Build your SPF record with the correct mechanisms
- Add the TXT record to your DNS
- Test with an SPF lookup tool to verify it's working
Or skip the manual work and use a generator.
Related Articles
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring