SPF Basics: Defining Authorized Senders

Learn what SPF is, how it defines which servers may send email for your domain, how to read SPF records, and how to avoid common SPF mistakes.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 7 min read Beginner

Introduction

SPF, or Sender Policy Framework, is an email authentication record that lists which mail servers are allowed to send email for a domain. Receiving mail servers can check SPF to see whether a message came from an authorized sending source.

SPF is commonly used with services such as Google Workspace, Microsoft 365, website contact forms, transactional email platforms, CRMs and marketing tools. A missing or broken SPF record can reduce email trust, but SPF should be used together with DKIM and DMARC for a stronger email authentication setup.

Quick answer

Quick answer

SPF is a DNS TXT record that tells receiving mail servers which IP addresses or providers are allowed to send email for your domain. A basic SPF record starts with v=spf1 and ends with a policy such as ~all or -all. A domain should normally publish only one SPF record.

What is SPF?

SPF stands for Sender Policy Framework. It is published as a TXT record in DNS and is checked by receiving mail servers during email delivery.

Example
example.com TXT "v=spf1 include:_spf.google.com ~all"

This example says that Google’s SPF include is allowed to send email for the domain, and other senders should be treated as a soft fail.

SPF does not verify the visible From name by itself. SPF is checked against the envelope sender / Return-Path domain used during mail delivery. DMARC is what connects SPF and DKIM alignment to the visible From domain.

How SPF works

  1. A mail server receives a message.
  2. It checks the domain used in the envelope sender / Return-Path.
  3. It looks up the SPF TXT record for that domain.
  4. It checks whether the sending IP or provider is allowed.
  5. It returns a result such as pass, fail, softfail, neutral or none.

SPF is only one signal. Receiving providers may also consider DKIM, DMARC, reputation, content, user engagement and other checks.

SPF record parts

v=spf1

Identifies the TXT record as an SPF record.

include

Allows another provider’s SPF policy.

include:_spf.google.com

ip4

Allows a specific IPv4 address or range.

ip4:192.0.2.10

ip6

Allows a specific IPv6 address or range.

ip6:2001:db8::10

a

Allows the IP address returned by the domain’s A/AAAA record.

mx

Allows the IP addresses of the domain’s MX hosts.

~all

Soft fail. Mail from unlisted senders should be treated with suspicion, but not always rejected.

-all

Hard fail. Mail from unlisted senders should fail SPF.

Do not add mechanisms unless they match real sending sources.

Common SPF examples

Google Workspace example
v=spf1 include:_spf.google.com ~all
Microsoft 365 example
v=spf1 include:spf.protection.outlook.com ~all
Single sending IP example
v=spf1 ip4:192.0.2.10 ~all
Multiple providers example
v=spf1 include:_spf.google.com include:mailservice.example ~all
SPF TXT record example
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

This example allows Google Workspace and Microsoft 365 style includes, but it is only illustrative. Do not publish it unless both providers are actually used to send mail for your domain.

Check commands
dig example.com TXT
dig +short example.com TXT

These are examples only. Use the SPF values provided by your actual email, hosting, CRM, marketing or transactional email provider.

Why this matters

Why this matters

SPF matters because it helps receiving mail servers identify whether a message was sent from an authorized source. A missing or invalid SPF record can reduce trust, especially for business domains that send email from multiple services.

SPF does not guarantee inbox placement. It should be combined with DKIM, DMARC, clean sending practices and good domain reputation.

How to check SPF

Use the SPF Checker to inspect your domain’s SPF TXT record, syntax, mechanisms and DNS lookup count.

When checking SPF, review

These five checks help you confirm whether SPF is configured correctly.

SPF record exists

The domain should publish an SPF TXT record if it sends email.

Only one SPF record

Multiple SPF records can cause SPF validation failures.

Sending providers

The record should include all real sending services and remove old ones.

DNS lookup count

SPF should stay within the 10 DNS lookup limit.

Final policy

Review whether ~all or -all is appropriate for your setup.

Check SPF now

Use SPF Checker to validate your SPF record, mechanisms and lookup count.

Run SPF Check →

Common SPF problems

SPF record missing

High

The domain does not publish an SPF TXT record.

Next step: Create an SPF record that includes your real sending providers.

Multiple SPF records

High

A domain should normally have only one SPF record. Multiple SPF records can cause SPF validation to fail.

Next step: Merge all allowed senders into one SPF record.

SPF has too many DNS lookups

Medium

SPF can fail if mechanisms like include, a, mx, redirect or exists exceed the 10 DNS lookup limit.

Next step: Remove unused includes or use your provider’s recommended SPF record.

Old provider still included

Medium

The SPF record includes a service that no longer sends mail for the domain.

Next step: Remove outdated providers after confirming they are no longer used.

Missing provider include

High

A real sending service is not included in SPF, so messages from that service may fail SPF.

Next step: Add the provider’s official SPF include or IP range.

Wrong use of -all

Medium

A strict hard-fail policy can cause legitimate mail to fail if not all senders are included.

Next step: Use -all only when you are confident the SPF record covers all sending sources.

SPF record added at wrong hostname

Medium

The SPF record may be added under the wrong domain or subdomain.

Next step: Add SPF at the domain used by the envelope sender / Return-Path.

How to fix SPF

  1. Step 1: List your sending services

    Identify all services that send mail for your domain, such as Google Workspace, Microsoft 365, hosting mail, CRM, marketing tools, transactional mail platforms and website forms.

  2. Step 2: Collect provider SPF values

    Use the official SPF include or IP values from each provider. Do not guess.

  3. Step 3: Merge into one SPF record

    A domain should normally publish one SPF record. Combine authorized senders into a single TXT record.

  4. Step 4: Choose the final policy

    Use ~all while testing or when you are not fully sure all senders are covered. Use -all only after confirming all legitimate senders are included.

  5. Step 5: Publish in DNS

    Add or update the SPF TXT record at the active DNS provider.

  6. Step 6: Check lookup count and syntax

    Run the SPF Checker to confirm syntax, mechanisms and the 10 DNS lookup limit.

  7. Step 7: Review with DKIM and DMARC

    SPF is stronger when DKIM and DMARC are also configured correctly.

SPF, DKIM and DMARC

SPF

Defines which servers may send email for a domain.

DKIM

Adds a cryptographic signature to outgoing email.

DMARC

Uses SPF and DKIM alignment to tell receivers how to handle unauthenticated email.

SPF alone is not enough for a complete email authentication setup. Domains that send business email should also configure DKIM and DMARC.

Frequently asked questions

Is SPF required for email delivery?

SPF is not the only requirement, but most email providers expect sending domains to have SPF configured. Missing or broken SPF can reduce trust.

Can a domain have multiple SPF records?

No. A domain should normally publish only one SPF record. Multiple SPF records can cause validation failures.

What happens if SPF has too many DNS lookups?

SPF can fail with a permerror if it exceeds the 10 DNS lookup limit.

Should I use ~all or -all?

Use ~all while testing or when you are not fully sure all senders are covered. Use -all only when your SPF record is complete and well tested.

Does SPF replace DKIM or DMARC?

No. SPF, DKIM and DMARC solve related but different parts of email authentication.

Why does SPF pass but DMARC fail?

SPF can pass but still fail DMARC alignment if the authenticated SPF domain does not align with the visible From domain.

Use these free tools to verify your configuration after applying changes.

Browse all Email Authentication guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.