SPF Qualifiers and Mechanisms Explained

Learn what SPF mechanisms and qualifiers mean, how include, ip4, ip6, a, mx, redirect and all work, and how to avoid risky SPF configurations.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Beginner

Introduction

SPF records use mechanisms and qualifiers to describe which servers are allowed to send email for a domain. If you can read these parts, it becomes much easier to understand whether an SPF record is correct, too broad, too strict or likely to fail.

This guide explains the most common SPF mechanisms, what qualifiers like ~all and -all mean, and which parts of an SPF record can increase DNS lookup count or cause validation problems.

Quick answer

Quick answer

SPF mechanisms define which senders are allowed, such as include, ip4, ip6, a and mx. SPF qualifiers define the result when a mechanism matches, such as pass, fail, soft fail or neutral. Most SPF records end with an all mechanism, commonly ~all or -all.

Mechanisms and qualifiers

An SPF record is made of mechanisms, optional qualifiers and modifiers.

Example
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all
  • include:_spf.google.com is a mechanism
  • ip4:192.0.2.10 is a mechanism
  • ~all is the final all mechanism with a softfail qualifier

Mechanisms describe what should match. Qualifiers describe what result should be returned when there is a match.

SPF qualifiers

QualifierResultMeaningCommon use
+ Pass The sender is allowed. Usually implicit. Most mechanisms behave as + if no qualifier is written.
- Fail The sender is not allowed. Used in -all for strict SPF policies.
~ Soft fail The sender is probably not allowed, but the message is not always rejected. Used in ~all during setup or moderate enforcement.
? Neutral No clear authorization decision. Rarely useful for strong authentication.

If no qualifier is specified, SPF treats the mechanism as if it has a + qualifier.

Common mechanisms

include

Allows another domain’s SPF policy. Example: include:_spf.google.com. Common for Google Workspace, Microsoft 365, CRMs and email platforms. Counts toward DNS lookup limit.

ip4

Allows an IPv4 address or range. Example: ip4:192.0.2.10. Useful for known sending IPs. Does not add DNS lookups.

ip6

Allows an IPv6 address or range. Example: ip6:2001:db8::10. Used for IPv6 sending infrastructure.

a

Allows IP addresses from the domain’s A or AAAA records. Example: a. Can be useful but may be too broad. Counts toward DNS lookup limit.

mx

Allows IP addresses of the domain’s MX hosts. Example: mx. Only useful if the mail exchanger also sends email. Counts toward DNS lookup limit.

all

Matches everything not already matched. Example: ~all. Usually appears at the end of the SPF record.

Redirect and exp

SPF also supports modifiers. The most common one is redirect.

redirect

Redirects SPF evaluation to another domain’s SPF policy. Example: v=spf1 redirect=_spf.example.net. Useful when one central SPF policy should control multiple domains.

exp

Provides an explanation string for SPF failures. Example: exp=explain.example.com. Rarely used in modern basic SPF setups.

Do not use redirect together with normal mechanisms unless you understand the behavior.

Most simple SPF records do not need exp.

DNS lookup impact

Some SPF mechanisms require DNS lookups during evaluation. SPF has a limit of 10 DNS lookups.

Lookup impact

Which mechanisms affect SPF’s 10 DNS lookup limit.

Mechanism type DNS lookups
include Counts toward lookup limit
a Counts toward lookup limit
mx Counts toward lookup limit
exists Counts toward lookup limit
redirect Counts toward lookup limit
ip4 Usually does not count
ip6 Usually does not count
all Usually does not count

Too many includes or unnecessary a/mx mechanisms can cause SPF to fail with a permanent error.

Why this matters

Why this matters

SPF mechanisms and qualifiers matter because a record can be syntactically valid but still risky or ineffective. For example, +all allows every sender, too many include mechanisms can break SPF, and a strict -all policy can fail legitimate mail if not all senders are included.

Understanding mechanisms helps you clean up SPF records instead of copying provider values blindly.

How to check mechanisms

Use the SPF Checker to inspect the SPF record, mechanisms, qualifiers, DNS lookup count and final policy.

When checking SPF mechanisms, review

These five checks help you read an SPF record correctly.

Allowed senders

Which providers, IPs or hosts are allowed?

Mechanisms used

Does the record use include, ip4, ip6, a, mx, redirect or exists?

DNS lookup count

Does the record stay within SPF’s 10 DNS lookup limit?

Final all policy

Does the record end with ~all, -all, ?all or +all?

Old providers

Are unused senders still included?

Check SPF mechanisms now

Use SPF Checker to inspect mechanisms, qualifiers and lookup count.

Run SPF Check →

Common problems

+all allows everyone

High

+all means every sender passes SPF, which defeats the purpose of sender authorization.

Next step: Replace +all with ~all or -all after reviewing real senders.

Too many include mechanisms

Medium

Each include can add DNS lookups and may cause SPF to exceed the 10 lookup limit.

Next step: Remove unused providers and simplify the record.

Unnecessary mx mechanism

Medium

mx allows mail exchanger IPs to send email, but this is not always needed.

Next step: Use mx only if your MX hosts actually send outbound mail.

Unnecessary a mechanism

Medium

a allows the domain’s website IP to send mail, which may be wrong if the website server does not send email.

Next step: Remove a unless the web server legitimately sends mail.

Wrong final policy

Medium

A strict -all may reject legitimate senders if the record is incomplete, while ?all gives weak guidance.

Next step: Use ~all during setup and move to -all only when confident.

redirect used incorrectly

Medium

redirect changes SPF evaluation to another domain and can be misunderstood.

Next step: Use redirect only when you intentionally manage SPF centrally.

Old provider include remains

Medium

An unused provider still appears in SPF, increasing risk and lookup count.

Next step: Remove old includes after confirming they no longer send mail.

How to clean up SPF

  1. Step 1: List real senders

    Identify every service that sends email for the domain, including mailbox provider, website forms, CRM, billing, marketing and transactional email services.

  2. Step 2: Match each sender to a mechanism

    Use include for provider-managed sending services, ip4/ip6 for fixed sending IPs, and avoid a or mx unless they are truly needed.

  3. Step 3: Remove unused mechanisms

    Delete old includes, unnecessary a/mx mechanisms and unused IPs.

  4. Step 4: Check lookup count

    Make sure include, a, mx, exists and redirect do not exceed SPF’s 10 DNS lookup limit.

  5. Step 5: Choose a final policy

    Use ~all while testing or when unsure. Use -all only after confirming all legitimate senders are included.

  6. Step 6: Validate the record

    Run the SPF Checker and review syntax, mechanisms, qualifiers and lookup count.

SPF mechanism examples

Provider include
v=spf1 include:_spf.google.com ~all
Fixed IPv4 sender
v=spf1 ip4:192.0.2.10 ~all
Fixed IPv6 sender
v=spf1 ip6:2001:db8::10 ~all
Provider plus fixed IP
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all
Risky example
v=spf1 +all
Lookup-heavy example
v=spf1 include:provider1.example include:provider2.example include:provider3.example mx a ~all
Check commands
dig example.com TXT
dig +short example.com TXT

These examples are illustrative. Use only mechanisms that match your real sending setup.

Final policy

The final all mechanism decides what happens to senders that did not match any allowed mechanism.

~all

Good for setup and moderate enforcement.

-all

Good for strict enforcement after all senders are confirmed.

?all

Neutral and usually weak for sender authorization.

+all

Not recommended because it allows everyone.

Do not move to -all until you are confident that SPF includes all legitimate senders and DMARC alignment is understood.

Frequently asked questions

What is an SPF mechanism?

A mechanism is part of an SPF record that defines what senders are allowed, such as include, ip4, ip6, a or mx.

What is an SPF qualifier?

A qualifier defines the result when a mechanism matches. Common qualifiers are +, -, ~ and ?.

What does ~all mean?

~all means soft fail. It tells receivers that unlisted senders are probably not authorized.

What does -all mean?

-all means fail. It tells receivers that unlisted senders are not authorized.

Is +all bad?

Usually yes. +all allows every sender and weakens SPF protection.

Which SPF mechanisms count toward the 10 lookup limit?

include, a, mx, exists and redirect count toward the lookup limit. ip4, ip6 and all usually do not.

Use these free tools to verify your configuration after applying changes.

Browse all Email Authentication guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.