Quick Answer

SPF (Sender Policy Framework) is an email authentication protocol that lets domain owners publish a DNS TXT record listing the IP addresses and servers authorized to send email on their behalf. When a receiving server gets an email, it checks the SPF record of the sender's domain. If the sending server isn't listed, the email fails SPF and may be rejected or sent to spam.

What Is SPF in Email? (Sender Policy Framework Explained)

By Braedon·Mailflow Authority·definitions

SPF in 30 Seconds

SPF tells the world which servers are allowed to send email for your domain. It's a DNS TXT record — nothing installed on your mail server, just a line of text in your DNS.

When Gmail receives an email from your domain, it looks up your SPF record, checks if the sending server's IP is listed, and marks SPF as pass or fail.

How SPF Works

  1. You publish a TXT record at example.com in DNS
  2. Someone sends email using your domain
  3. The receiving server extracts the sending IP from the SMTP connection
  4. It queries DNS for example.com's SPF record
  5. It checks if the sending IP matches any authorized source
  6. Result: pass, fail, softfail, neutral, or none

SPF Record Syntax

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all
  • v=spf1 — required version tag
  • include: — authorizes another domain's SPF record (adds its IPs)
  • ip4: / ip6: — authorizes specific IP addresses
  • -all — hard fail everything not listed (recommended)
  • ~all — soft fail (used during testing)

The 10 Lookup Limit

SPF allows a maximum of 10 DNS lookups from the mechanisms and modifiers that require them (include, a, mx, redirect). Each include counts as one lookup plus any lookups that the included record makes. Exceeding 10 causes a permerror, which breaks SPF entirely.

If you have multiple ESPs, you'll hit this fast. Solutions include SPF flattening and consolidating senders.
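An added example (not code from this page or from any SPF library): a small Python evaluator that follows the steps in "How SPF Works" over a constructed in-memory zone and counts lookup-costing terms as it goes, returning permerror once the count passes 10. The zone contents, every domain other than example.com, and the function names are assumptions; ptr and exists are counted alongside the terms listed above, as RFC 7208 specifies, and a, mx, ptr and exists are counted but not resolved.

```python
import ipaddress

# Constructed data standing in for DNS TXT answers; every name here is a made-up example.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:esp.example ip4:203.0.113.0/24 -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "esp.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup
MAX_LOOKUPS = 10


def _eval(addr, domain, zone, used):
    record = zone.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0], "pass")  # no qualifier means "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = body.replace("=", ":", 1).partition(":")
        name = name.split("/")[0]  # "a/24" still counts as an "a" lookup
        if name in LOOKUP_TERMS:
            used[0] += 1
            if used[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            return result
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return result
        if name in ("include", "redirect"):
            inner = _eval(addr, arg, zone, used)
            if inner in ("permerror", "none"):
                return "permerror"
            if name == "redirect":
                return inner
            if inner == "pass":  # an include matches only when the inner check passes
                return result
        # a, mx, ptr and exists are counted above but not resolved in this sketch
    return "neutral"


def check_host(ip, domain, zone=ZONE):
    """Return (spf_result, dns_lookups_used) for a sending IP and envelope-sender domain."""
    used = [0]
    result = _eval(ipaddress.ip_address(ip), domain, zone, used)
    return result, used[0]
```

Nested includes are what consume the budget: the constructed example.com record lists two includes but spends four lookups, and an included record's ~all never overrides the outer record's -all.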

SPF Limitations

SPF checks the envelope sender (Return-Path), not the From: header the recipient sees. This means SPF alone doesn't prevent display-name spoofing. That's why DMARC exists — it ties SPF (and DKIM) results to the visible From: domain.

SPF also breaks with email forwarding because the forwarding server's IP isn't in the original domain's SPF record. ARC was created to solve this.

Practitioner note: The most common SPF mistake I see is ~all (softfail) in production. It was meant for testing. Switch to -all once you've confirmed all legitimate senders are included.

Practitioner note: Every time a client adds a new SaaS tool that sends email (helpdesk, invoicing, marketing), they need to update SPF. Most don't, and authentication silently fails for that tool's emails.

For the complete setup process, read the SPF setup guide. If your SPF is failing, start with the SPF troubleshooting guide.

Need help configuring SPF across multiple senders? Schedule a consultation — I'll audit your SPF record and fix lookup limit issues.

v1.0 · April 2026

Frequently Asked Questions

How does SPF work?

You publish a TXT record in your domain's DNS listing authorized sending IPs. When a receiver gets email from your domain, it looks up this record and checks whether the sending server's IP matches. If it does, SPF passes. If not, it fails.

What does an SPF record look like?

A typical SPF record: v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 -all. This authorizes Google Workspace, SendGrid, and a specific IP address. The -all at the end rejects everything else.

What is the SPF 10 DNS lookup limit?

SPF allows a maximum of 10 DNS lookups (includes, redirects, a, mx mechanisms). Exceeding this limit causes a permerror, which means SPF breaks entirely. Consolidate includes or use SPF flattening to stay under the limit.

Is SPF enough for email authentication?

No. SPF alone doesn't prevent spoofing because it checks the envelope sender (Return-Path), not the visible From: address. You need DKIM and DMARC alongside SPF for complete authentication.

What happens if I don't have an SPF record?

Without SPF, any server can send email claiming to be from your domain. Receiving servers will return an SPF 'none' result, which hurts deliverability and makes your domain vulnerable to spoofing.
