Knowledge Base

SPF Record Setup Guide

Learn how to create and configure Sender Policy Framework (SPF) records to prevent email spoofing and improve deliverability.

Beginner5 min read

Quick Overview

1
Identify Senders
2
Create Record
3
Add to DNS
4
Verify Setup

What is SPF?

Sender Policy Framework (SPF) is an email authentication standard (RFC 7208) that lets a domain owner publish, in DNS, the list of mail servers authorized to send email for that domain. When a receiving mail server accepts a message, it looks up the SPF record of the domain in the SMTP envelope sender — the MAIL FROM address, also called the Return-Path — and checks whether the connecting IP is on the authorized list.

Without SPF, any server on the internet can open an SMTP connection and claim to be sending for your domain. SPF is the first of the three core email-authentication mechanisms (SPF, DKIM, DMARC) and is a prerequisite for DMARC to be useful: DMARC can only pass via SPF when SPF both passes and aligns with the visible From: domain.

A critical point that trips up many administrators: SPF validates the envelope sender (MAIL FROM / Return-Path), not the From: header that recipients actually see. A message can pass SPF for one domain while displaying a completely different domain in the From: header — which is exactly why DMARC alignment exists.

SPF Email Flow Diagram showing how SPF validates email senders through DNS lookup

How SPF Works

1. A sending server connects to the recipient's MX and issues MAIL FROM:<bounce@​yourdomain.com>. 2. The receiving server extracts the domain (yourdomain.com) and queries DNS for its SPF record — a single TXT record at the root of that domain that starts with v=spf1. 3. The receiver evaluates each mechanism left to right against the connecting IP address. Recursive mechanisms (include:, a, mx, redirect=, exists:) trigger additional DNS lookups. 4. The first mechanism that matches the connecting IP determines the result, combined with its qualifier (+pass, ~softfail, -fail, ?neutral). If nothing matches before the all mechanism, the all qualifier applies. 5. The result — pass, fail, softfail, neutral, none, permerror, or temperror — is recorded in the Authentication-Results header and fed into DMARC evaluation.

SPF says nothing about message content and provides no cryptographic guarantee — it is purely an IP-to-domain authorization check at connection time.

SPF Record Structure

An SPF record is a single DNS TXT record published at the root of your domain. It always begins with the version tag and ends with an all mechanism:

v=spf1 [mechanisms...] [qualifier]all

There must be exactly one TXT record beginning with "v=spf1" per domain. Two SPF records is a permerror and breaks authentication entirely.

Mechanism & Qualifier Reference

Each mechanism can carry a qualifier prefix. The default qualifier is + (pass) when none is written. These are the mechanisms and qualifiers you will actually use:

MechanismPurposeDNS lookup?
ip4:Authorize an IPv4 address or CIDR rangeno
ip6:Authorize an IPv6 address or CIDR rangeno
aAuthorize the domain's A/AAAA recordsyes (1)
mxAuthorize the domain's MX host IPsyes (1 + 1 per MX)
include:Import another domain's SPF policyyes (1 + nested)
exists:Pass if a lookup resolves (rare)yes (1)
redirect=Replace policy with another domain'syes (1 + nested)
allMatch everything (always last)no
QualifierResultMeaning
+passAuthorized (default if omitted)
~softfailProbably not authorized, accept but mark
-failNot authorized, reject
?neutralNo assertion

Real Example SPF Records

Copy-paste examples for common providers. Replace IPs and includes with your own senders:

# Google Workspace only
v=spf1 include:_spf.google.com ~all

# Microsoft 365 only
v=spf1 include:spf.protection.outlook.com ~all

# Google Workspace + a transactional ESP
v=spf1 include:_spf.google.com include:sendgrid.net ~all

# Own mail server (single IP) + Google Workspace
v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all

# Own /24 range + Mailgun, strict reject
v=spf1 ip4:203.0.113.0/24 include:mailgun.org -all

Choosing the all Qualifier

The trailing all mechanism is the catch-all for any IP that did not match an earlier mechanism. It is the single most consequential choice in your record:

~all (softfail) — receivers accept the message but treat it as suspicious. This is the correct starting point: it lets DMARC observe failures without bouncing legitimate mail you may have forgotten to list. • -all (hardfail) — receivers reject unauthorized mail outright. Move here only after DMARC aggregate reports confirm every legitimate sender is covered. • ?all (neutral) — makes no assertion; offers no spoofing protection. Avoid except during early diagnostics. • +all (pass) — authorizes the entire internet to send as your domain. This is never correct and actively harmful.

Never publish +all. It tells every receiving server that any IP is a legitimate sender for your domain, defeating SPF entirely and enabling spoofing.

How to Add Your SPF Record

1. Inventory every system that sends mail using your domain: your mailbox provider (Google Workspace, Microsoft 365), transactional/marketing platforms (SendGrid, Mailgun, Mailchimp), helpdesk and CRM tools, and any on-premise mail server. 2. Build a single record that authorizes all of them, preferring ip4:/ip6: for servers you control and include: for managed providers. 3. In your DNS provider, add a TXT record: - Name/Host: @ (or the bare domain / blank, per your provider's convention) - Type: TXT - Value: your full v=spf1 ... ~all string - TTL: 3600 4. Save and allow time for propagation, then confirm with a checker.

A domain may publish only ONE SPF record. Multiple email providers must be combined into a single record with multiple include: statements — never two separate v=spf1 records.

The 10 DNS Lookup Limit

SPF allows a maximum of 10 DNS lookups during evaluation (RFC 7208 §4.6.4). The mechanisms include:, a, mx, exists:, and redirect= each consume lookups, and include:/redirect= also count every lookup performed inside the referenced policy recursively. Exceed 10 and the result is permerror — which DMARC treats as an SPF failure, silently breaking authentication.

Counting rules: • include: = 1 lookup + all lookups inside that policy (a single provider include can hide 3–5 nested lookups) • a = 1 lookup • mx = 1 lookup, plus 1 per returned MX host that must be resolved • ip4: and ip6: = 0 lookups

The practical fix is to replace include: chains with the underlying ip4:/ip6: ranges (SPF "flattening") for senders whose IP space is stable, and to remove includes for services you no longer use.

Use ip4: and ip6: wherever the sender publishes stable IP ranges — they cost zero lookups and are the primary way to stay under the limit.

Verify and Next Step

After publishing, confirm the record resolves, parses, and stays within the lookup limit before tightening the policy. Verify it with our free SPF Checker, which counts your DNS lookups and flattens the include graph, and build or edit your record with the SPF Record Generator.

Once SPF passes and aligns, the next layer is DKIM — a cryptographic signature that survives forwarding and gives DMARC a second, independent way to pass.

SPF alone does not protect the visible From: address. Pair it with DKIM and a DMARC policy for real anti-spoofing protection.

Common Pitfalls to Avoid

  • Multiple SPF records

    You can only have ONE SPF record per domain. Combine all senders into a single record.

  • Exceeding 10 DNS lookups

    Each include: adds lookups. Use ip4: and ip6: when possible to stay under the limit.

  • Using +all qualifier

    This allows anyone to send as your domain. Always use ~all or -all.

  • Forgetting subdomains

    SPF records are not inherited. Add separate records for subdomains that send email.

Frequently asked questions

What is SPF and why do I need it?

SPF (Sender Policy Framework) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. Without SPF, anyone can send emails pretending to be from your domain (email spoofing), leading to phishing attacks and damaging your domain reputation.

How do I create an SPF record?

Create a TXT record in your DNS with the format: v=spf1 [mechanisms] [qualifier]all. For example, for Google Workspace: v=spf1 include:_spf.google.com ~all. Add this record at your DNS provider with the host/name set to @ or your root domain.

What does ~all vs -all mean in SPF?

~all (softfail) marks emails from unauthorized servers as suspicious but accepts them, while -all (hardfail) completely rejects unauthorized emails. Start with ~all to monitor, then move to -all once you confirm all legitimate senders are included.

What is the SPF 10 DNS lookup limit?

SPF has a maximum of 10 DNS lookups. Each include:, a, and mx mechanism counts toward this limit. Exceeding it causes SPF to fail silently. Use ip4: and ip6: instead of include: where possible, as they do not count toward the limit.

Check Your Configuration

Use IntoDNS.ai to verify your setup is correct