SPF Records Explained: A Complete Guide

Learn how to implement and troubleshoot SPF records to improve email deliverability

SpamBarometer Team
March 15, 2025
10 min read

Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of email. This guide explains how SPF works and how to implement it correctly.

What is SPF?

SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. When a receiving mail server gets a message, it can check the SPF record to verify that the sending server is authorized to send mail for that domain.

This helps prevent email spoofing, where spammers send messages that appear to come from your domain without your permission.

How SPF Works

  1. A domain owner publishes an SPF record as a TXT record in the domain's DNS zone
  2. When a message arrives, the receiving mail server takes the domain from the envelope sender, the SMTP MAIL FROM address that the recipient later sees as Return-Path, not from the visible "From" header; if MAIL FROM is empty, as it is for bounces, the HELO/EHLO hostname is checked instead
  3. The receiving server looks up that domain's SPF record and compares the connecting client's IP address against the mechanisms in it, left to right
  4. The first mechanism that matches decides the result according to its qualifier: pass, fail, softfail or neutral; if nothing matches the result is neutral, if the domain has no record it is none, and a malformed record or too many lookups gives permerror

Because SPF checks the envelope sender rather than the "From" header the user sees, a passing SPF result on its own does not prove the visible sender is genuine; DMARC adds the check that the two domains align.

SPF Record Syntax

An SPF record is a TXT record in your DNS zone that starts with the version tag and is followed by a space-separated list of terms, each either a qualified mechanism or a modifier:

v=spf1 [qualifier]mechanism [qualifier]mechanism ... [modifier=value] -all

Components of an SPF Record:

  • v=spf1: Version of SPF being used (currently always "spf1"); a TXT record without this prefix is ignored by SPF
  • mechanisms: Define which IP addresses are allowed to send mail; they are evaluated left to right and the first one that matches decides the result
  • qualifiers: A single character in front of a mechanism that says what result a match produces (+ pass, - fail, ~ softfail, ? neutral); when omitted, + is assumed
  • modifiers: name=value pairs such as redirect=other.example (evaluate that domain's record instead when nothing else matched) or exp=explain.example (where a failure explanation can be found)
  • -all: The usual final mechanism; "all" matches every IP, so with the - qualifier any sender not matched earlier fails the check

Common Mechanisms:

  • a: Authorizes the addresses in the domain's A and AAAA records; a:other.example names a different host, and a/24 widens the match to a prefix
  • mx: Authorizes the addresses of all mail servers listed in the domain's MX records
  • ip4: and ip6:: Authorize a specific IPv4 or IPv6 address or CIDR range, without any DNS lookup
  • include:: Evaluates another domain's SPF record and matches if that evaluation passes; a fail there does not fail your check, it simply does not match
  • exists:: Matches if the given name resolves to an A record; in practice used with SPF macros to build per-sender lookups
  • ptr:: Checks whether a PTR record for the sending IP maps back to the domain; deprecated in RFC 7208, slow and unreliable, so do not use it

Example SPF Records

Basic SPF Record:

v=spf1 mx a ip4:203.0.113.0/24 -all

This record authorizes:

  • The servers listed in the domain's MX records
  • The addresses in the domain's A (and AAAA) records
  • The IPv4 range 203.0.113.0/24
  • All other servers are explicitly unauthorized (-all)

List only public addresses here: a private range such as 192.168.0.0/16 can never be the client IP that a receiving server on the internet sees, so it authorizes nothing and only advertises your internal addressing.

SPF Record with Third-Party Services:

v=spf1 mx a include:_spf.google.com include:sendgrid.net -all

This record authorizes:

  • The servers listed in the domain's MX records
  • The addresses in the domain's A (and AAAA) records
  • Google's mail servers (for Google Workspace/Gmail)
  • SendGrid's mail servers
  • All other servers are explicitly unauthorized (-all)

Each include: counts as a DNS lookup, and so does every a, mx or include: inside the included record, so a record like this spends part of its lookup budget on servers you do not control.

SPF Record Limitations

DNS Lookup Limit

SPF allows at most 10 DNS-querying terms per check (RFC 7208 section 4.6.4). The terms that count are:

  • Each "include:" mechanism, plus every counting term inside the included record
  • Each "mx" mechanism (the A/AAAA lookups for the MX hosts themselves are limited separately, to 10 per mx)
  • Each "a" mechanism
  • Each "ptr" mechanism (which can trigger several reverse and forward lookups)
  • Each "exists:" mechanism
  • Each "redirect=" modifier

The initial TXT lookup for the record itself does not count, and neither do "ip4:", "ip6:" and "all", which is why listing address ranges directly is the cheapest way to authorize a sender.

Exceeding the limit makes the check return "permerror" regardless of whether the sending IP is actually listed. Permerror is not a pass for DMARC, so an over-long record can cause legitimate mail to be quarantined or rejected.
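To make the evaluation order, the qualifiers and the lookup budget concrete, here is a small SPF evaluator written for this guide; it is not code from any SPF library or from the page's own tooling. It runs against a constructed in-memory DNS table built from documentation address ranges, so nothing is resolved over the network, and the domains _spf.partner.example, dup.example and loop.example with their records are assumptions made up for the example. It walks a record left to right, returns the qualifier of the first matching mechanism, follows include: and redirect=, charges every DNS-querying term against the limit of 10, and reports permerror for a domain with two v=spf1 records or for an include loop.

```python
import ipaddress

MAX_LOOKUPS = 10                      # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed in-memory DNS table using RFC 5737 documentation addresses.
# These are not real records; they stand in for DNS in this example.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx a ip4:203.0.113.0/24 include:_spf.partner.example -all"],
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.partner.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "dup.example": {"TXT": ["v=spf1 -all", "v=spf1 mx -all"]},       # two records: permerror
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},   # self-include: hits the limit
}


class PermError(Exception):
    """Malformed record, too many DNS lookups, or more than one v=spf1 record."""


def records(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def charge(counter):
    """Count one DNS-querying term (a, mx, ptr, exists, include, redirect)."""
    counter[0] += 1
    if counter[0] > MAX_LOOKUPS:
        raise PermError("more than %d DNS lookups" % MAX_LOOKUPS)


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none.
    This initial TXT lookup is not charged against the 10-lookup limit."""
    recs = [r for r in records(domain, "TXT") if r.split()[0] == "v=spf1"]
    if len(recs) > 1:
        raise PermError("multiple v=spf1 records for %s" % domain)
    return recs[0] if recs else None


def ip_matches(addr, target, cidr):
    """True if addr lies in target/cidr; a missing cidr means an exact host match."""
    target = ipaddress.ip_address(target)
    if target.version != addr.version:
        return False
    prefix = target.max_prefixlen if cidr is None else int(cidr)
    return addr in ipaddress.ip_network("%s/%d" % (target, prefix), strict=False)


def evaluate(addr, domain, counter):
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                               # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue                                  # exp= and unknown modifiers are ignored
        qual = term[0] if term[0] in QUALIFIERS else "+"
        body, _, cidr = term.lstrip("+-~?").partition("/")
        name, _, arg = body.partition(":")
        name, cidr = name.lower(), (cidr or None)
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_matches(addr, arg, cidr)     # no DNS lookup needed
        elif name == "a":
            charge(counter)
            matched = any(ip_matches(addr, a, cidr) for a in records(arg or domain, "A"))
        elif name == "mx":
            charge(counter)                           # A lookups per MX host are limited separately
            hosts = records(arg or domain, "MX")
            matched = any(ip_matches(addr, a, cidr) for h in hosts for a in records(h, "A"))
        elif name == "include":
            charge(counter)
            result = evaluate(addr, arg, counter)
            if result == "none":
                raise PermError("include:%s has no SPF record" % arg)
            matched = result == "pass"                # fail/softfail/neutral simply do not match
        elif name in ("ptr", "exists"):
            charge(counter)                           # counted, but not modelled in this table
            matched = False
        else:
            raise PermError("unknown mechanism %r" % term)
        if matched:
            return QUALIFIERS[qual]
    if redirect:                                      # only reached when no mechanism matched
        charge(counter)
        return evaluate(addr, redirect, counter)
    return "neutral"                                  # no match and no "all": neutral by default


def check_host(ip, domain):
    """SPF result for sending IP `ip` and RFC5321.MailFrom domain `domain`."""
    try:
        return evaluate(ipaddress.ip_address(ip), domain, [0])
    except (PermError, ValueError):                   # ValueError: malformed IP literal in a record
        return "permerror"


if __name__ == "__main__":
    for ip, domain in [("198.51.100.25", "example.com"), ("192.0.2.5", "example.com"),
                       ("198.51.100.99", "example.com"), ("203.0.113.1", "loop.example")]:
        print(ip, domain, "->", check_host(ip, domain))
```

The include: branch is where most real-world surprises come from: a partner record ending in ~all never makes your mail fail, it just fails to match, and every term the partner uses is charged to your budget, so loop.example trips permerror after ten nested includes even though its own record is only one term long.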

Character Limit

A single character-string inside a TXT record is limited to 255 bytes, but one TXT record may carry several strings, which receivers concatenate before parsing (RFC 7208 section 3.3). A long SPF record is therefore published as one TXT record split into several quoted strings, never as several separate SPF records, which would be a permerror. Keep the whole response small enough to fit in a 512-byte UDP DNS reply where you can; a record that needs splitting at all is usually a sign of too many includes.
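As an added illustration that is not code from the page, the helper below splits a long record into strings of at most 255 bytes, breaking only between terms, and renders the zone-file line a resolver will concatenate back into one record; the 40-entry record it builds is constructed for the example.

```python
def txt_strings(record, limit=255):
    """Split an SPF record into character-strings of at most `limit` bytes.

    Breaks only between terms and keeps the separating space at the end of
    each string, so the plain concatenation a receiver performs (RFC 7208
    section 3.3) yields the original record with single spaces."""
    chunks, current = [], ""
    for token in record.split():
        piece = token + " "
        if len(piece.encode()) > limit:
            raise ValueError("single term longer than %d bytes: %s" % (limit, token))
        if current and len((current + piece).encode()) > limit:
            chunks.append(current)
            current = ""
        current += piece
    chunks.append(current.rstrip(" "))
    return chunks


def zone_rr(name, record):
    """Render one TXT resource record with one quoted string per chunk."""
    return '%s. IN TXT %s' % (name, " ".join('"%s"' % c for c in txt_strings(record)))


def receiver_view(chunks):
    """What a resolver hands to the SPF parser: the strings joined with nothing in between."""
    return "".join(chunks)


# Constructed example: 40 single-address terms make a record of roughly 680 bytes,
# which needs three strings. ip4 terms cost no DNS lookups, so length is the only limit here.
LONG_RECORD = "v=spf1 " + " ".join("ip4:203.0.113.%d" % i for i in range(40)) + " -all"

if __name__ == "__main__":
    print(zone_rr("example.com", LONG_RECORD))
    print(receiver_view(txt_strings(LONG_RECORD)) == LONG_RECORD)
```

Splitting in the middle of a term is the classic mistake: "ip4:203.0.1" "13.0/24" concatenates correctly, but a provider's web form that trims or re-wraps strings can silently turn it into two broken terms, so split at spaces and re-read the published record with a resolver afterwards.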

Common SPF Mistakes

  • Publishing multiple SPF records: A domain must have exactly one TXT record starting with v=spf1; two or more are a permerror, not a union
  • Using ~all instead of -all: Softfail (~all) only asks receivers to mark unauthorized mail, whereas fail (-all) asks them to reject it; move to -all once you are sure every legitimate source is listed
  • Ending with +all or a bare all: This authorizes every host on the internet and makes the record worthless
  • Exceeding the 10 DNS lookup limit: Often happens with nested includes from third-party services
  • Using the ptr mechanism: This is slow, unreliable and deprecated
  • Forgetting to include all legitimate sending sources: Missing services like marketing platforms, ticketing systems or cloud functions that send mail as your domain

Testing Your SPF Record

Before implementing an SPF record in production, you should test it thoroughly:

  1. Use SPF validation tools like SpamBarometer's SPF checker to confirm the syntax, the lookup count and that there is exactly one record
  2. Send test emails from all your legitimate sending sources, including bounce and notification paths whose envelope sender differs from the "From" header
  3. Check the SPF results in the Authentication-Results and Received-SPF headers the receiving server adds, and confirm the domain it evaluated is the one you expected
  4. Monitor your email delivery rates and DMARC aggregate reports after implementation
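Added example, not from the page: reading the SPF verdict out of a received message. The message and the authserv-id mx.receiver.example are constructed. The function only trusts Authentication-Results headers stamped by that server, because a sender can prepend a forged header of its own, and it reports whether the SPF domain aligns with the header From, which is what DMARC requires on top of a bare SPF pass.

```python
import email
import email.policy
import email.utils
import re

# Constructed message: a genuine Authentication-Results header from our own
# inbound server, followed by one that a sender could have injected upstream.
SAMPLE = """\
Return-Path: <bounce@example.com>
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
Authentication-Results: attacker.example; spf=pass smtp.mailfrom=bank.example
Received-SPF: pass (mx.receiver.example: 203.0.113.7 is permitted by example.com)
 client-ip=203.0.113.7; envelope-from=bounce@example.com;
From: Alice <alice@example.com>
To: bob@receiver.example
Subject: SPF check

test body
"""

SPF_RESULTS = ("pass", "fail", "softfail", "neutral", "none", "permerror", "temperror")


def domain_of(address):
    """Domain part of a mailbox or bare domain, lower-cased."""
    return email.utils.parseaddr(address)[1].rpartition("@")[2].lower()


def spf_verdict(raw, trusted_authserv):
    """Extract the SPF result recorded by `trusted_authserv` (RFC 8601 style)
    together with the envelope and header domains DMARC would compare.
    Returns None if no trusted Authentication-Results header carries spf=."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, body = str(header).partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue                      # not ours: may have been added by the sender
        m = re.search(r"\bspf=(%s)\b" % "|".join(SPF_RESULTS), body)
        if not m:
            continue
        mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", body)
        mailfrom_domain = domain_of(mailfrom.group(1)) if mailfrom else ""
        from_domain = domain_of(str(msg.get("From", "")))
        ip = re.search(r"client-ip=([^\s;]+)", str(msg.get("Received-SPF", "")))
        return {
            "spf": m.group(1),
            "mailfrom_domain": mailfrom_domain,
            "from_domain": from_domain,
            "client_ip": ip.group(1) if ip else None,
            # strict alignment; relaxed alignment would compare organizational domains instead
            "aligned": bool(mailfrom_domain) and mailfrom_domain == from_domain,
        }
    return None


if __name__ == "__main__":
    print(spf_verdict(SAMPLE, "mx.receiver.example"))
```

Asking the same function to trust attacker.example shows why the authserv-id check matters: it would happily report an SPF pass for bank.example that no server of yours ever evaluated.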

SPF and Email Forwarding

SPF can break email forwarding: the forwarder relays the message from its own IP address while leaving your envelope sender in place, so the final receiver checks your SPF record against an IP you never authorized and the check fails. Solutions include:

  • Using DKIM authentication alongside SPF, since a DKIM signature survives forwarding as long as the forwarder does not alter the signed content, and DMARC passes on either an aligned SPF or an aligned DKIM result
  • Implementing SRS (Sender Rewriting Scheme) on forwarding servers, which rewrites the envelope sender to an address in the forwarder's own domain so SPF is evaluated against the forwarder's record
  • Agreeing specific arrangements with partners that forward your mail, for example that they deploy SRS or preserve DKIM signatures
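An added sketch of what a forwarder's SRS rewrite does, modelled on the SRS0 address form (hash, timestamp, original domain, original local part) but simplified and not wire-compatible with libsrs2 or any mail server's implementation; the key, the forwarder name forwarder.example and the day numbers are constructed for the example. The rewritten envelope sender belongs to the forwarder, so the next hop's SPF check is evaluated against the forwarder's record, while the keyed hash and timestamp let the forwarder route bounces back to the original sender without accepting arbitrary forged SRS addresses.

```python
import base64
import hashlib
import hmac

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # base32 alphabet for the 2-char timestamp
MAX_AGE_DAYS = 21                                 # how long a rewritten address stays bounceable


def _timestamp(day):
    """Two base32 characters encoding a day number modulo 1024 (10 bits)."""
    day %= 1024
    return ALPHABET[day >> 5] + ALPHABET[day & 31]


def _hash(key, *parts):
    """Short keyed hash binding timestamp, domain and local part together."""
    mac = hmac.new(key, "".join(parts).lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_forward(address, forwarder, key, day):
    """Rewrite local@domain into SRS0=HHHH=TT=domain=local@forwarder."""
    local, _, domain = address.rpartition("@")
    ts = _timestamp(day)
    return "SRS0=%s=%s=%s=%s@%s" % (_hash(key, ts, domain, local), ts, domain, local, forwarder)


def srs_reverse(address, key, day):
    """Validate hash and age of an SRS0 address (e.g. on a bounce) and return
    the original sender, or raise ValueError so the bounce is dropped."""
    local, _, _forwarder = address.rpartition("@")
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    try:
        h, ts, domain, orig_local = local[5:].split("=", 3)
    except ValueError:
        raise ValueError("malformed SRS0 address")
    if not hmac.compare_digest(h, _hash(key, ts, domain, orig_local)):
        raise ValueError("bad SRS hash")              # forged or tampered address
    stamped = ALPHABET.index(ts[0]) << 5 | ALPHABET.index(ts[1])
    if (day - stamped) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")     # replayed old address
    return "%s@%s" % (orig_local, domain)


if __name__ == "__main__":
    key = b"constructed-secret-key"                   # per-forwarder secret, assumed for the example
    rewritten = srs_forward("alice@example.com", "forwarder.example", key, 500)
    print(rewritten)
    print(srs_reverse(rewritten, key, 505))
```

The forwarder publishes its own SPF record for forwarder.example, so a downstream receiver sees an envelope sender whose domain does authorize the forwarder's IP; DKIM and DMARC still have to be checked against the unchanged header From.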

SPF Implementation Checklist

  1. Identify all legitimate sources that send email from your domain
  2. Create an SPF record that includes all these sources
  3. Verify the record stays within 10 DNS lookups, counting the lookups inside every include:
  4. Publish the record as a TXT record in your DNS
  5. Test emails from all sources to ensure they pass SPF checks
  6. Monitor email delivery rates and SPF failures
  7. Update the record as needed when adding new email services

Conclusion

SPF is an essential component of email authentication that helps protect your domain from being spoofed by spammers. By implementing SPF correctly, you can improve your email deliverability and protect your domain's reputation.

Remember that SPF works best as part of a complete email authentication strategy that also includes DKIM and DMARC. Together, these protocols provide the strongest protection against email spoofing and phishing attacks.
