What is an SPF record?
SPF, short for Sender Policy Framework, is an email authentication standard that lets a domain owner declare which mail servers are allowed to send email on the domain's behalf. That declaration lives in a single DNS TXT record, beginning with v=spf1 and ending with an all mechanism. When a receiving server accepts a message, it looks up this record to decide whether the connecting server was authorized.
Without a published SPF record, your mail is far easier to spoof and far more likely to land in spam. Since 2024, the largest mailbox providers expect SPF, DKIM, and DMARC to be in place before they will reliably deliver bulk email.
How SPF works
The check happens in real time during the SMTP conversation. The receiving server reads the envelope sender domain, fetches that domain's SPF record, and compares the connecting IP address against the authorized sources listed in the record. A match passes SPF. No match returns a soft fail or hard fail depending on the closing qualifier you chose.
- include: delegates authorization to a third-party sender, such as
include:_spf.google.com. Each include costs at least one DNS lookup. - ip4: and ip6: authorize a specific address or CIDR range directly, with zero additional lookups.
- a and mx: authorize the IPs behind the domain's own A or MX records, costing one lookup each.
- ~all vs -all: the final qualifier decides what happens to mail from any server not listed above.
Common SPF issues
- Too many DNS lookups. SPF allows a maximum of 10 lookups per evaluation. Exceed it and receivers return a permanent error, failing SPF for every message.
- Missing authorized senders. Every service you send through, from your help desk to your newsletter platform, needs to be represented in the record or its mail will fail.
- Multiple SPF records. A domain must publish exactly one SPF record. Two or more produces a
PermErrorand breaks authentication entirely. - Using +all. The
+allqualifier authorizes the entire internet to send as your domain, which removes any protection SPF offered.
How to fix the 10-lookup limit
When a record creeps toward 10 lookups, the goal is to reduce the number of DNS queries SPF has to resolve without dropping any legitimate sender. Work through these steps in order, then re-scan to confirm the count dropped.
- Remove senders you no longer use. Old platforms often linger in the record long after you stop sending through them. Each retired
includeyou delete frees up its lookups. - Flatten heavy includes to ip4 entries. If a provider publishes a stable set of IP ranges, replacing its
includewith explicitip4blocks trades multiple lookups for zero, though you then have to track their IP changes. - Drop the ptr mechanism. The
ptrmechanism is slow, discouraged by RFC 7208, and rarely needed. Removing it reclaims a lookup and improves reliability. - Consolidate before adding. Treat the budget like a ledger. Confirm you have headroom before introducing a new sender so you never cross 10 by surprise.
SPF only checks the envelope sender, not the visible From address your recipients see. Pair it with DKIM and a DMARC policy to fully protect your domain from spoofing. Need to build a record from scratch? Use the SPF record generator.