SPF Qualifiers and Mechanisms Explained
Learn what SPF mechanisms and qualifiers mean, how include, ip4, ip6, a, mx, redirect and all work, and how to avoid risky SPF configurations.
Introduction
SPF records use mechanisms and qualifiers to describe which servers are allowed to send email for a domain. If you can read these parts, it becomes much easier to understand whether an SPF record is correct, too broad, too strict or likely to fail.
This guide explains the most common SPF mechanisms, what qualifiers like ~all and -all mean, and which parts of an SPF record can increase DNS lookup count or cause validation problems.
Quick answer
SPF mechanisms define which senders are allowed, such as include, ip4, ip6, a and mx. SPF qualifiers define the result when a mechanism matches, such as pass, fail, soft fail or neutral. Most SPF records end with an all mechanism, commonly ~all or -all.
Mechanisms and qualifiers
An SPF record is made of mechanisms, optional qualifiers and modifiers.
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all
- include:_spf.google.com is a mechanism
- ip4:192.0.2.10 is a mechanism
- ~all is the final all mechanism with a softfail qualifier
Mechanisms describe what should match. Qualifiers describe what result should be returned when there is a match.
SPF qualifiers
| Qualifier | Result | Meaning | Common use |
|---|---|---|---|
| + | Pass | The sender is allowed. | Usually implicit. Most mechanisms behave as + if no qualifier is written. |
| - | Fail | The sender is not allowed. | Used in -all for strict SPF policies. |
| ~ | Soft fail | The sender is probably not allowed, but the message is not always rejected. | Used in ~all during setup or moderate enforcement. |
| ? | Neutral | No clear authorization decision. | Rarely useful for strong authentication. |
If no qualifier is specified, SPF treats the mechanism as if it has a + qualifier.
Common mechanisms
include
Allows another domain’s SPF policy. Example: include:_spf.google.com. Common for Google Workspace, Microsoft 365, CRMs and email platforms. Counts toward DNS lookup limit.
ip4
Allows an IPv4 address or range. Example: ip4:192.0.2.10. Useful for known sending IPs. Does not add DNS lookups.
ip6
Allows an IPv6 address or range. Example: ip6:2001:db8::10. Used for IPv6 sending infrastructure.
a
Allows IP addresses from the domain’s A or AAAA records. Example: a. Can be useful but may be too broad. Counts toward DNS lookup limit.
mx
Allows IP addresses of the domain’s MX hosts. Example: mx. Only useful if the mail exchanger also sends email. Counts toward DNS lookup limit.
all
Matches everything not already matched. Example: ~all. Usually appears at the end of the SPF record.
Redirect and exp
SPF also supports modifiers. The most common one is redirect.
redirect
Redirects SPF evaluation to another domain’s SPF policy. Example: v=spf1 redirect=_spf.example.net. Useful when one central SPF policy should control multiple domains.
exp
Provides an explanation string for SPF failures. Example: exp=explain.example.com. Rarely used in modern basic SPF setups.
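Do not use redirect together with normal mechanisms unless you understand the behavior: redirect is evaluated only when no mechanism in the record matches, and it is ignored entirely if the record contains an all mechanism.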
Most simple SPF records do not need exp.
DNS lookup impact
Some SPF mechanisms require DNS lookups during evaluation. SPF has a limit of 10 DNS lookups.
Lookup impact
Which mechanisms affect SPF’s 10 DNS lookup limit.
| Mechanism type | DNS lookups |
|---|---|
| include | Counts toward lookup limit |
| a | Counts toward lookup limit |
| mx | Counts toward lookup limit |
| exists | Counts toward lookup limit |
| redirect | Counts toward lookup limit |
| ip4 | Usually does not count |
| ip6 | Usually does not count |
| all | Usually does not count |
Too many includes or unnecessary a/mx mechanisms can cause SPF to fail with a permanent error.
Why this matters
SPF mechanisms and qualifiers matter because a record can be syntactically valid but still risky or ineffective. For example, +all allows every sender, too many include mechanisms can break SPF, and a strict -all policy can fail legitimate mail if not all senders are included.
Understanding mechanisms helps you clean up SPF records instead of copying provider values blindly.
How to check mechanisms
Use the SPF Checker to inspect the SPF record, mechanisms, qualifiers, DNS lookup count and final policy.
When checking SPF mechanisms, review
These five checks help you read an SPF record correctly.
Allowed senders
Which providers, IPs or hosts are allowed?
Mechanisms used
Does the record use include, ip4, ip6, a, mx, redirect or exists?
DNS lookup count
Does the record stay within SPF’s 10 DNS lookup limit?
Final all policy
Does the record end with ~all, -all, ?all or +all?
Old providers
Are unused senders still included?
Common problems
+all allows everyone
High: +all means every sender passes SPF, which defeats the purpose of sender authorization.
Next step: Replace +all with ~all or -all after reviewing real senders.
Too many include mechanisms
Medium: Each include can add DNS lookups and may cause SPF to exceed the 10 lookup limit.
Next step: Remove unused providers and simplify the record.
Unnecessary mx mechanism
Medium: mx allows mail exchanger IPs to send email, but this is not always needed.
Next step: Use mx only if your MX hosts actually send outbound mail.
Unnecessary a mechanism
Medium: a allows the domain’s website IP to send mail, which may be wrong if the website server does not send email.
Next step: Remove a unless the web server legitimately sends mail.
Wrong final policy
Medium: A strict -all may reject legitimate senders if the record is incomplete, while ?all gives weak guidance.
Next step: Use ~all during setup and move to -all only when confident.
redirect used incorrectly
Medium: redirect changes SPF evaluation to another domain and can be misunderstood.
Next step: Use redirect only when you intentionally manage SPF centrally.
Old provider include remains
Medium: An unused provider still appears in SPF, increasing risk and lookup count.
Next step: Remove old includes after confirming they no longer send mail.
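The lookup table and the problems above can be checked in a script. This Python sketch is an added example, not the SPF Checker's code: it splits a record into qualifier and mechanism, counts worst-case DNS lookups through nested includes, and flags +all, a redirect made dead by all, and a/mx. The names parse, count_lookups and lint and the SAMPLE_TXT data standing in for DNS are assumptions; following nested includes and ignoring redirect when all is present come from RFC 7208 and go beyond what the page states.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect"}  # per the page's table
TERM_RE = re.compile(r"^([+\-~?]?)([^:=/]*)(?:[:=/](.*))?$")  # lenient splitter

# Constructed TXT data standing in for DNS so the example runs offline.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:provider1.example include:provider2.example "
                   "include:provider3.example mx a ~all",
    "provider1.example": "v=spf1 a mx ip4:192.0.2.0/24 ~all",
    "provider2.example": "v=spf1 include:pool.provider2.example ~all",
    "pool.provider2.example": "v=spf1 a mx ip4:198.51.100.0/24 ~all",
    "provider3.example": "v=spf1 a mx ~all",
    "open.example": "v=spf1 ip4:192.0.2.10 +all redirect=_spf.example.net",
}

def parse(record):
    """Return (qualifier, name, argument) per term; no qualifier means '+'."""
    version, *words = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF record")
    found = [TERM_RE.match(w).groups() for w in words]
    return [(q or "+", name.lower(), arg or "") for q, name, arg in found]

def count_lookups(domain, txt):
    """Worst-case lookups for a sender matching nothing. Assumes no include loops."""
    terms, total = parse(txt[domain]), 0
    for _, name, arg in terms:
        if name == "all":  # evaluation ends here, so any redirect is ignored
            return total
        if name in LOOKUP_TERMS - {"redirect"}:
            total += 1 + (count_lookups(arg, txt) if name == "include" else 0)
    target = next((a for _, n, a in terms if n == "redirect"), None)
    return total + (1 + count_lookups(target, txt) if target else 0)

def lint(domain, txt):
    """Return findings that mirror the common problems listed above."""
    terms = parse(txt[domain])
    names = {n for _, n, _ in terms}
    findings = []
    if ("+", "all", "") in terms:
        findings.append("+all allows every sender")
    if "redirect" in names and "all" in names:
        findings.append("redirect is ignored because all is present")
    findings += [f"{n}: confirm these hosts send mail" for n in ("a", "mx") if n in names]
    lookups = count_lookups(domain, txt)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return findings
```

The example.com record has only five lookup-consuming terms of its own, yet evaluation costs 12 lookups once the providers' own records are followed, which is why counting includes in the top-level record alone understates the risk.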
How to clean up SPF
- Step 1: List real senders
  Identify every service that sends email for the domain, including mailbox provider, website forms, CRM, billing, marketing and transactional email services.
- Step 2: Match each sender to a mechanism
  Use include for provider-managed sending services, ip4/ip6 for fixed sending IPs, and avoid a or mx unless they are truly needed.
- Step 3: Remove unused mechanisms
  Delete old includes, unnecessary a/mx mechanisms and unused IPs.
- Step 4: Check lookup count
  Make sure include, a, mx, exists and redirect do not exceed SPF’s 10 DNS lookup limit.
- Step 5: Choose a final policy
  Use ~all while testing or when unsure. Use -all only after confirming all legitimate senders are included.
- Step 6: Validate the record
  Run the SPF Checker and review syntax, mechanisms, qualifiers and lookup count.
SPF mechanism examples
v=spf1 include:_spf.google.com ~all
v=spf1 ip4:192.0.2.10 ~all
v=spf1 ip6:2001:db8::10 ~all
v=spf1 include:_spf.google.com ip4:192.0.2.10 ~all
v=spf1 +all
v=spf1 include:provider1.example include:provider2.example include:provider3.example mx a ~all
dig example.com TXT
dig +short example.com TXT
These examples are illustrative. Use only mechanisms that match your real sending setup.
Final policy
The final all mechanism decides what happens to senders that did not match any allowed mechanism.
~all
Good for setup and moderate enforcement.
-all
Good for strict enforcement after all senders are confirmed.
?all
Neutral and usually weak for sender authorization.
+all
Not recommended because it allows everyone.
Do not move to -all until you are confident that SPF includes all legitimate senders and DMARC alignment is understood.
Frequently asked questions
What is an SPF mechanism?
A mechanism is part of an SPF record that defines what senders are allowed, such as include, ip4, ip6, a or mx.
What is an SPF qualifier?
A qualifier defines the result when a mechanism matches. Common qualifiers are +, -, ~ and ?.
What does ~all mean?
~all means soft fail. It tells receivers that unlisted senders are probably not authorized.
What does -all mean?
-all means fail. It tells receivers that unlisted senders are not authorized.
Is +all bad?
Usually yes. +all allows every sender and weakens SPF protection.
Which SPF mechanisms count toward the 10 lookup limit?
include, a, mx, exists and redirect count toward the lookup limit. ip4, ip6 and all usually do not.