SPF Basics: Defining Authorized Senders
Learn what SPF is, how it defines which servers may send email for your domain, how to read SPF records, and how to avoid common SPF mistakes.
Introduction
SPF, or Sender Policy Framework, is an email authentication record that lists which mail servers are allowed to send email for a domain. Receiving mail servers can check SPF to see whether a message came from an authorized sending source.
SPF is commonly used with services such as Google Workspace, Microsoft 365, website contact forms, transactional email platforms, CRMs and marketing tools. A missing or broken SPF record can reduce email trust, but SPF should be used together with DKIM and DMARC for a stronger email authentication setup.
Quick answer
SPF is a DNS TXT record that tells receiving mail servers which IP addresses or providers are allowed to send email for your domain. A basic SPF record starts with v=spf1 and ends with a policy such as ~all or -all. A domain should normally publish only one SPF record.
What is SPF?
SPF stands for Sender Policy Framework. It is published as a TXT record in DNS and is checked by receiving mail servers during email delivery.
example.com TXT "v=spf1 include:_spf.google.com ~all"
This example says that Google’s SPF include is allowed to send email for the domain, and other senders should be treated as a soft fail.
SPF does not verify the visible From name by itself. SPF is checked against the envelope sender / Return-Path domain used during mail delivery. DMARC is what connects SPF and DKIM alignment to the visible From domain.
How SPF works
- A mail server receives a message.
- It checks the domain used in the envelope sender / Return-Path.
- It looks up the SPF TXT record for that domain.
- It checks whether the sending IP or provider is allowed.
- It returns a result such as pass, fail, softfail, neutral or none.
SPF is only one signal. Receiving providers may also consider DKIM, DMARC, reputation, content, user engagement and other checks.
SPF record parts
v=spf1
Identifies the TXT record as an SPF record.
include
Allows another provider’s SPF policy.
include:_spf.google.com
ip4
Allows a specific IPv4 address or range.
ip4:192.0.2.10
ip6
Allows a specific IPv6 address or range.
ip6:2001:db8::10
a
Allows the IP address returned by the domain’s A/AAAA record.
mx
Allows the IP addresses of the domain’s MX hosts.
~all
Soft fail. Mail from unlisted senders should be treated with suspicion, but not always rejected.
-all
Hard fail. Mail from unlisted senders should fail SPF.
Do not add mechanisms unless they match real sending sources.
Common SPF examples
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com ~all
v=spf1 ip4:192.0.2.10 ~all
v=spf1 include:_spf.google.com include:mailservice.example ~all
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
This example allows Google Workspace and Microsoft 365 style includes, but it is only illustrative. Do not publish it unless both providers are actually used to send mail for your domain.
dig example.com TXT
dig +short example.com TXT
These are examples only. Use the SPF values provided by your actual email, hosting, CRM, marketing or transactional email provider.
Why this matters
SPF matters because it helps receiving mail servers identify whether a message was sent from an authorized source. A missing or invalid SPF record can reduce trust, especially for business domains that send email from multiple services.
SPF does not guarantee inbox placement. It should be combined with DKIM, DMARC, clean sending practices and good domain reputation.
How to check SPF
Use the SPF Checker to inspect your domain’s SPF TXT record, syntax, mechanisms and DNS lookup count.
When checking SPF, review
These five checks help you confirm whether SPF is configured correctly.
SPF record exists
The domain should publish an SPF TXT record if it sends email.
Only one SPF record
Multiple SPF records can cause SPF validation failures.
Sending providers
The record should include all real sending services and remove old ones.
DNS lookup count
SPF should stay within the 10 DNS lookup limit.
Final policy
Review whether ~all or -all is appropriate for your setup.
Check SPF now
Use SPF Checker to validate your SPF record, mechanisms and lookup count.
Common SPF problems
SPF record missing
HighThe domain does not publish an SPF TXT record.
Next step: Create an SPF record that includes your real sending providers.
Multiple SPF records
HighA domain should normally have only one SPF record. Multiple SPF records can cause SPF validation to fail.
Next step: Merge all allowed senders into one SPF record.
SPF has too many DNS lookups
MediumSPF can fail if mechanisms like include, a, mx, redirect or exists exceed the 10 DNS lookup limit.
Next step: Remove unused includes or use your provider’s recommended SPF record.
Old provider still included
MediumThe SPF record includes a service that no longer sends mail for the domain.
Next step: Remove outdated providers after confirming they are no longer used.
Missing provider include
HighA real sending service is not included in SPF, so messages from that service may fail SPF.
Next step: Add the provider’s official SPF include or IP range.
Wrong use of -all
MediumA strict hard-fail policy can cause legitimate mail to fail if not all senders are included.
Next step: Use -all only when you are confident the SPF record covers all sending sources.
SPF record added at wrong hostname
MediumThe SPF record may be added under the wrong domain or subdomain.
Next step: Add SPF at the domain used by the envelope sender / Return-Path.
How to fix SPF
-
Step 1: List your sending services
Identify all services that send mail for your domain, such as Google Workspace, Microsoft 365, hosting mail, CRM, marketing tools, transactional mail platforms and website forms.
-
Step 2: Collect provider SPF values
Use the official SPF include or IP values from each provider. Do not guess.
-
Step 3: Merge into one SPF record
A domain should normally publish one SPF record. Combine authorized senders into a single TXT record.
-
Step 4: Choose the final policy
Use ~all while testing or when you are not fully sure all senders are covered. Use -all only after confirming all legitimate senders are included.
-
Step 5: Publish in DNS
Add or update the SPF TXT record at the active DNS provider.
-
Step 6: Check lookup count and syntax
Run the SPF Checker to confirm syntax, mechanisms and the 10 DNS lookup limit.
-
Step 7: Review with DKIM and DMARC
SPF is stronger when DKIM and DMARC are also configured correctly.
SPF, DKIM and DMARC
SPF
Defines which servers may send email for a domain.
DKIM
Adds a cryptographic signature to outgoing email.
DMARC
Uses SPF and DKIM alignment to tell receivers how to handle unauthenticated email.
SPF alone is not enough for a complete email authentication setup. Domains that send business email should also configure DKIM and DMARC.
Frequently asked questions
Is SPF required for email delivery?
SPF is not the only requirement, but most email providers expect sending domains to have SPF configured. Missing or broken SPF can reduce trust.
Can a domain have multiple SPF records?
No. A domain should normally publish only one SPF record. Multiple SPF records can cause validation failures.
What happens if SPF has too many DNS lookups?
SPF can fail with a permerror if it exceeds the 10 DNS lookup limit.
Should I use ~all or -all?
Use ~all while testing or when you are not fully sure all senders are covered. Use -all only when your SPF record is complete and well tested.
Does SPF replace DKIM or DMARC?
No. SPF, DKIM and DMARC solve related but different parts of email authentication.
Why does SPF pass but DMARC fail?
SPF can pass but still fail DMARC alignment if the authenticated SPF domain does not align with the visible From domain.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Email Authentication guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!