What is SPF?

SPF (Sender Policy Framework) is a TXT record at your domain that lists the servers allowed to send mail using your domain in the MAIL FROM address. Receivers compare the connecting server's IP against your list and use the result as one signal in their spam decision.

The 60-second version

You publish a single line at the apex of example.com like this:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

This says: Mail from Google's outbound servers OR SendGrid's outbound servers is authorized. Anything else, treat with suspicion (~all = softfail).

What the parts mean

  • v=spf1 — version marker. Required, always first.
  • include:domain.com — recursively trust whatever SPF that domain publishes. One DNS lookup for the include itself, plus any lookups inside the included record.
  • ip4:1.2.3.4 / ip6:::1 — explicit IP authorization. Zero lookups.
  • a, mx — authorize the domain's A or MX records. One lookup each.
  • ~all (softfail), -all (hardfail), ?all (neutral) — the terminating policy for everything else.

The trap nobody warns you about

RFC 7208 §4.6.4 caps SPF evaluation at 10 DNS lookups. Every include:, a, mx, ptr, exists, and redirect counts — including nested ones inside the includes. Hit 11 and receivers return PermError and ignore your record entirely. Most outages here are silent.

The SPF Checker counts your total live and warns when you're close.
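
To see how nested includes add up, here is an added example (not the SPF Checker's code, and not from the original page) that walks a record and counts every lookup term reachable from it, which is the worst case when no earlier mechanism matches. It reads constructed records for hypothetical .test domains from a dictionary instead of querying live DNS; the function names are this example's own.

```python
LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per evaluation
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone data standing in for live DNS (hypothetical .test domains).
ZONE = {
    "ok.test": "v=spf1 include:_spf.esp-a.test ip4:192.0.2.10 mx ~all",
    "_spf.esp-a.test": "v=spf1 include:_netblocks.esp-a.test a -all",
    "_netblocks.esp-a.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    # Six visible lookup terms at the top level; each vendor adds two more.
    "bloated.test": "v=spf1 include:_spf.vendor1.test include:_spf.vendor2.test "
                    "include:_spf.vendor3.test include:_spf.vendor4.test a mx ~all",
}
for i in range(1, 5):
    ZONE[f"_spf.vendor{i}.test"] = f"v=spf1 include:_nb.vendor{i}.test a ~all"
    ZONE[f"_nb.vendor{i}.test"] = f"v=spf1 ip4:203.0.113.{i} ~all"


def count_lookups(domain, zone, seen=()):
    """Worst-case count of DNS-querying terms reachable from a domain's SPF record."""
    if domain in seen:
        raise ValueError(f"include/redirect loop at {domain}")
    terms = zone.get(domain, "").split()
    if terms[:1] != ["v=spf1"]:
        return 0  # no SPF record to expand at this name
    total = 0
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, seen + (domain,))
            continue
        name, _, target = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # "mx/24" -> "mx"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, seen + (domain,))
    return total


def check(domain, zone=ZONE):
    """Return (lookup_count, verdict) for the domain's published record."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")


if __name__ == "__main__":
    for d in ("ok.test", "bloated.test"):
        print(d, check(d))
```

The bloated.test record shows only six lookup terms on its own line, yet the nested includes bring the total to 14.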

SPF alone is not enough

SPF only checks the envelope sender (Return-Path), which receivers don't show users. Forwarding breaks it. To actually prevent spoofing of what users see in the From: header you need DMARC on top of SPF and DKIM.
