What Is SPF? Complete Guide to Sender Policy Framework

How SPF Works

1. You send email from yourdomain.com through SendGrid
2. SendGrid's server (IP: 167.89.x.x) delivers to recipient's server
3. Recipient's server looks up SPF for yourdomain.com
4. Your SPF record says: "include:sendgrid.net" (which includes 167.89.x.x)
5. IP matches → SPF PASS ✓

Without SPF:

1. A spammer sends email claiming to be from yourdomain.com
2. Spammer's server (IP: 203.0.113.x) delivers to recipient's server
3. Recipient's server looks up SPF for yourdomain.com
4. SPF record doesn't include 203.0.113.x
5. IP doesn't match → SPF FAIL ✗ → email filtered or rejected

SPF Record Syntax

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 -all

Component	Meaning
v=spf1	Required version tag (always first)
include:	Authorize another domain's SPF (for ESPs)
ip4:	Authorize a specific IPv4 address
ip6:	Authorize a specific IPv6 address
a	Authorize your domain's A record IP
mx	Authorize your domain's MX record IPs
-all	Hard fail — reject unauthorized senders
~all	Soft fail — mark but don't reject
?all	Neutral — no policy (useless)

Common SPF Records

Google Workspace only:

v=spf1 include:_spf.google.com ~all

Google Workspace + SendGrid:

v=spf1 include:_spf.google.com include:sendgrid.net -all

Microsoft 365 + Mailgun:

v=spf1 include:spf.protection.outlook.com include:mailgun.org -all

Multiple services:

v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:_spf.klaviyo.com -all

⚠ Check lookup count — this may approach the 10-lookup limit.

The 10-Lookup Limit

SPF allows maximum 10 DNS lookups. Each include:, a, mx, and exists mechanism counts. ip4: and ip6: do NOT count.

Service	Typical Lookups
Google Workspace	3-4
Microsoft 365	2-3
SendGrid	1
Mailgun	1
Klaviyo	1-2
HubSpot	2

Google Workspace + Mailgun + Klaviyo + HubSpot = 7-9 lookups. Add one more service and you exceed 10.

Exceeding 10 lookups causes permerror — SPF fails for ALL email from your domain. Silently. No error message. Just failed authentication.

Solutions: Subdomain delegation (each subdomain gets its own 10-lookup budget) or SPF flattening (replace includes with IPs). See our multi-sender SPF guide.

SPF and DMARC

SPF alone doesn't enforce anything — receiving servers decide what to do with failures. DMARC adds enforcement:

• DMARC checks if SPF passes AND the SPF domain aligns with the From: domain
• If SPF fails and DKIM also fails, DMARC determines the action (none/quarantine/reject)
• SPF alignment can be relaxed (subdomain match) or strict (exact match)

SPF is one leg of the DMARC stool. DKIM is the other. You need both for reliable DMARC pass.

Common SPF Mistakes

1. Multiple SPF records. Two TXT records starting with v=spf1 invalidates both. Merge into one.
2. Exceeding 10 lookups. Silently breaks everything. Check with MXToolbox.
3. Forgetting a sending service. New CRM, helpdesk, or form tool sends email? Add to SPF.
4. Using +all. This means "everyone is authorized" — defeats the purpose entirely.
5. Not including the ESP. Setting up SendGrid but not adding include:sendgrid.net to SPF.

Practitioner note: SPF is the simplest authentication protocol to configure and the easiest to break. One DNS change, one missing include, one extra space — and SPF fails silently. After any DNS change, verify SPF with MXToolbox. Takes 30 seconds. Prevents hours of debugging.

Practitioner note: The 10-lookup limit is the #1 SPF issue I fix for businesses. They add services over years, never check lookup count, and one day deliverability tanks because a new include pushed them to 11. Check your lookups quarterly.

For complete authentication setup: SPF + DKIM + DMARC guide. If SPF is failing: SPF troubleshooting guide.

If you need authentication configured correctly, schedule a consultation.

Sources

• RFC 7208: Sender Policy Framework (SPF)
• MXToolbox: SPF Lookup
• Google: SPF Record Setup

---

v1.0 · March 2026