SPF record

Learn what an SPF record is, how it prevents email spoofing by authorizing sending mail servers, how to read and write SPF syntax, common setups for Google and Microsoft 365, and how to troubleshoot failures.

What Is an SPF Record?

TL;DR
An SPF record (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain.
Receiving mail servers check SPF to decide whether an incoming email claiming to be from an address at your domain actually came from a server you've approved.
Without SPF, anyone can forge your domain in the From header and send spam or phishing email.

How SPF Works

  1. You publish a TXT record at your domain (e.g., example.com) listing your authorized senders.
  2. Someone sends an email claiming to be from an address at example.com.
  3. The receiving mail server looks up example.com TXT and finds your SPF record.
  4. It checks whether the sending server's IP is in your authorized list.
  5. Based on the result, it passes, softfails, or rejects the message.

SPF checks the envelope sender (the MAIL FROM address used during SMTP), not the visible From: header. This is why SPF alone doesn't stop spoofing of the address recipients actually see; DMARC adds that by requiring the SPF or DKIM domain to align with the From: header.

SPF Record Format

SPF records are TXT records that always start with v=spf1:

example.com.  TXT  "v=spf1 include:_spf.google.com ~all"

Mechanisms

Mechanism                      Meaning
ip4:1.2.3.4                    Authorize a specific IPv4 address
ip4:1.2.3.0/24                 Authorize an IPv4 CIDR range
ip6:2001:db8::/32              Authorize an IPv6 range
include:spf.example.com        Merge in another domain's SPF record
a                              Authorize the domain's A/AAAA records
mx                             Authorize the domain's MX servers
exists:%{i}._spf.example.com   Macro-based conditional lookup
all                            Match everything (used at the end)

Qualifiers

Each mechanism can have a qualifier prefix:

Qualifier    Name         Effect
+ (default)  Pass         Authorized — email is legitimate
-            Fail (hard)  Not authorized — reject the email
~            Softfail     Not authorized — accept but mark as suspicious
?            Neutral      No policy stated

The all mechanism at the end is the catch-all for IPs not matched by earlier rules:

  • -all — reject everything else (strict, recommended once you're confident)
  • ~all — softfail everything else (safe starting point)
  • ?all — neutral (not recommended, no protection)
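
The mechanism and qualifier rules above, as an added example in Python (not code from this page): a minimal evaluator that checks a sending IP against the ip4, ip6 and all terms of a record, first match wins. The function name `check_spf` and the `needs-dns` label are invented for this example; mechanisms that require DNS are not resolved.

```python
import ipaddress

# Qualifier prefix -> result, as in the table above; "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"include", "a", "mx", "exists", "ptr"}

def check_spf(record, client_ip):
    """Evaluate terms left to right; the first matching mechanism decides.

    Only ip4, ip6 and all are evaluated. On reaching a mechanism that needs
    DNS the function returns "needs-dns", a label made up for this example
    (not an SPF result), because the outcome cannot be known offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy in this string
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower().split("/")[0]  # "a/24" -> "a"
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in NEEDS_DNS:
            return "needs-dns"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            # an ip4 term can only match IPv4 senders, ip6 only IPv6
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        return "needs-dns"  # redirect hands the decision to another record
    return "neutral"  # nothing matched and the record has no "all"
```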

Common SPF Records

Google Workspace

example.com.  TXT  "v=spf1 include:_spf.google.com ~all"

Microsoft 365

example.com.  TXT  "v=spf1 include:spf.protection.outlook.com ~all"

Multiple providers (e.g., Microsoft 365 + Mailchimp)

example.com.  TXT  "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all"

Custom mail server + Google

example.com.  TXT  "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all"

Strict — only your own IP, reject everything else

example.com.  TXT  "v=spf1 ip4:203.0.113.10 -all"

How to Look Up an SPF Record

dig example.com TXT
nslookup -type=TXT example.com

Look for the line starting with v=spf1 in the output.

SPF Lookup Limit

SPF has a hard limit of 10 DNS lookups during evaluation. Each include:, a, and mx mechanism counts as one lookup. Nested includes count too.

Exceeding 10 lookups causes a PermError, which most receivers treat as a failure. Common causes:

  • Too many include: statements chaining to other includes
  • Using a and mx when ip4/ip6 would work fine
  • Accumulating marketing and transactional sender includes over time

If you hit the limit, flatten your SPF record by replacing include: chains with direct ip4: entries, or use an SPF flattening service.
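
An added example (not from the original page) that counts the worst-case number of DNS-querying terms behind a record, following nested includes, and reports a PermError above 10 or when a domain publishes more than one v=spf1 record. It uses a constructed in-memory table in place of DNS; all domain and function names are hypothetical. Beyond the three mechanisms named above, it also counts exists, ptr and the redirect modifier, which RFC 7208 includes in the limit.

```python
import re

LIMIT = 10  # DNS-querying terms allowed per SPF evaluation
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed TXT data standing in for DNS; every name is hypothetical.
ZONE = {
    "example.com": ["v=spf1 a mx include:_spf.mail.example "
                    "include:_spf.crm.example include:_spf.news.example ~all",
                    "site-verification=constructed-value"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example "
                          "include:_b.mail.example include:_c.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "_b.mail.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "_c.mail.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.crm.example": ["v=spf1 a mx include:_spf.mail.example ~all"],
    "_spf.news.example": ["v=spf1 exists:%{i}._spf.news.example ~all"],
    "flat.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 ~all", "v=spf1 mx ~all"],
}

def spf_record(domain, zone):
    """Return the single v=spf1 TXT string for domain, or None."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise ValueError(f"permerror: {len(found)} SPF records at {domain}")
    return found[0] if found else None

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain."""
    if domain in path:
        raise ValueError(f"permerror: include loop at {domain}")
    record = spf_record(domain, zone)
    total = 0
    for term in (record or "").split()[1:]:
        m = TERM.match(term.lower())
        if not m or m.group(1) not in COUNTED:
            continue
        total += 1  # the term itself costs one lookup
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (lookup count, verdict) for the record published at domain."""
    n = count_lookups(domain, zone)
    return n, "permerror" if n > LIMIT else "ok"
```

A receiver stops evaluating at the first matching term, so it may perform fewer lookups than this count for some senders; the static total is the upper bound to keep at or below 10.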

SPF vs DKIM vs DMARC

Feature               SPF                DKIM                                 DMARC
What it checks        Sending server IP  Cryptographic signature on message   Alignment of SPF/DKIM with From header
Where it's published  example.com TXT    selector._domainkey.example.com TXT  _dmarc.example.com TXT
Survives forwarding   No — IP changes    Yes — signature travels with email   Depends on DKIM passing
Provides reporting    No                 No                                   Yes (rua/ruf)
Stops spoofing alone  Partially          Partially                            Yes (with p=reject)

SPF, DKIM, and DMARC work together. SPF alone is not enough — use all three.

→ See also: DKIM Record, DMARC Record, TXT Record

Frequently Asked Questions

Can I have multiple SPF records?
No. You must have exactly one SPF record (one TXT record starting with v=spf1) per domain. Multiple SPF records cause a PermError and break delivery. Combine all your senders into one record.

My SPF passes but emails still land in spam — why?
SPF alone is not enough. You also need DKIM (cryptographic signature) and DMARC (alignment policy). Forwarded emails fail SPF because the forwarding server's IP isn't in your record; without DKIM they have nothing left to pass, which hurts deliverability.

Should I use ~all or -all?
Start with ~all (softfail) while you're getting set up — it won't cause hard bounces if you missed a sender. Switch to -all (hard fail) once you've confirmed all your sending sources are in the record.

What is SPF alignment?
DMARC requires SPF alignment: the domain in MAIL FROM must match the From: header domain. If your ESP sends from a different envelope domain (common with bulk mailers), SPF alignment will fail and you'll need DKIM to pass DMARC.

Does SPF work on subdomains?
SPF records are per-domain. Each subdomain that sends email needs its own SPF record. Subdomains don't inherit the parent's SPF automatically.

What happens if I have no SPF record?
Without SPF, receiving servers have no policy to check. Some will accept the mail; others may apply stricter filtering. More importantly, anyone can spoof your domain. You should always publish an SPF record.
