Email Glossary

SPF (Sender Policy Framework)

SPF (Sender Policy Framework) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. It helps prevent email spoofing and improves deliverability.

How SPF Works

When an email arrives at a receiving mail server, the server checks the SPF record for the sender's domain. The SPF record is a TXT record in your DNS that lists all IP addresses and domains authorized to send email for your domain.

The receiving server compares the sending IP against this list. If the IP is authorized, the email passes SPF. If not, the email may be marked as spam or rejected, depending on the domain's DMARC policy.

SPF Record Syntax

An SPF record starts with v=spf1 and includes mechanisms that define authorized senders:

v=spf1 include:_spf.google.com include:amazonses.com -all

Common mechanisms:

  • include: - Authorize another domain's SPF record
  • ip4: - Authorize a specific IPv4 address or range
  • ip6: - Authorize a specific IPv6 address or range
  • a - Authorize the domain's A record IPs
  • mx - Authorize the domain's mail servers
  • -all - Reject all other sources (hard fail)
  • ~all - Soft fail other sources (mark as suspicious)

SPF Limitations

SPF has a 10 DNS lookup limit. Exceeding this causes SPF to fail. This becomes problematic when using multiple email services, as each include: statement counts as a lookup.

SPF also doesn't survive forwarding: when an email is forwarded, the forwarding server's IP may not be in the original domain's SPF record.

That's why SPF works best in combination with DKIM and DMARC for comprehensive email authentication.

Best Practices

  • Start with soft fail (~all) while testing, then switch to hard fail (-all)
  • Include all sending sources - Email service providers, CRM, support tools, etc.
  • Monitor for lookup limit - Use SPF flattening if needed
  • Audit regularly - Remove services you no longer use
  • Use with DKIM and DMARC - SPF alone isn't enough for full protection
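
The lookup limit is easy to exceed without noticing, because lookups made inside an included record count toward the same total. The audit below is an added example, not code from the original page or from any provider. It goes beyond the page's statement about include: by also counting a, mx, exists, ptr and redirect, which RFC 7208 charges one lookup each. All domains and TXT records in it are constructed sample data.

```python
import re

LOOKUP_LIMIT = 10
# Terms that each cost one DNS lookup during evaluation (RFC 7208, section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed TXT data for illustration only; a real audit would query DNS.
SAMPLE_TXT = {
    "example.test": ["v=spf1 mx include:_spf.esp.test include:_spf.crm.test "
                     "include:_spf.desk.test ~all"],
    "_spf.esp.test": ["v=spf1 include:_a.esp.test include:_b.esp.test -all"],
    "_a.esp.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_b.esp.test": ["v=spf1 ip6:2001:db8::/32 -all"],
    "_spf.crm.test": ["v=spf1 a mx include:_x.crm.test -all"],
    "_x.crm.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.desk.test": ["v=spf1 a:out.desk.test mx -all"],
    "flat.example.test": ["v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 -all"],
    "dup.example.test": ["v=spf1 mx -all", "v=spf1 include:_spf.esp.test -all"],
}

def audit_spf(domain, txt=SAMPLE_TXT):
    """Return (lookup_count, findings), following include: and redirect=."""
    findings, count = [], 0

    def walk(name, path=()):
        nonlocal count
        if name in path:  # include loop: stop instead of recursing forever
            findings.append(f"{name}: include loop")
            return
        recs = [r for r in txt.get(name, []) if r.lower().split()[:1] == ["v=spf1"]]
        if len(recs) != 1:
            findings.append(f"{name}: {len(recs)} SPF records, need exactly 1")
            return
        for term in recs[0].lower().split()[1:]:
            m = TERM.match(term)
            if not m:
                continue
            qual, mech, value = m.groups()
            if mech in LOOKUP_TERMS:
                count += 1
            if mech in ("include", "redirect") and value:
                walk(value, path + (name,))
            if not path and mech == "all" and qual not in ("-", "~"):
                findings.append(f"{name}: '{term}' does not fail unlisted senders")

    walk(domain)
    if count > LOOKUP_LIMIT:
        findings.append(f"{domain}: {count} DNS lookups, limit is {LOOKUP_LIMIT}")
    return count, findings
```

The record for example.test shows only four lookup terms, yet the nested includes bring the total to 11; the flattened record for flat.example.test costs none.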

Frequently Asked Questions

What happens if I don't have SPF?
Without SPF, receiving servers have no way to verify if an email legitimately came from your domain. This makes it easier for spammers to spoof your domain and can hurt your deliverability as ISPs become more suspicious of unauthenticated emails.

Can I have multiple SPF records?
No. You can only have one SPF record per domain. If you have multiple SPF records, receiving servers may fail to validate any of them. Combine all your authorized senders into a single SPF record.

What's the difference between -all and ~all?
-all (hard fail) tells receivers to reject emails from unauthorized sources. ~all (soft fail) marks them as suspicious but still delivers them. Start with ~all while setting up, then switch to -all once you're confident all legitimate sources are included.