What Is SPF
Learn what SPF is, how it authorizes email senders, SPF pass/fail, the 10 lookup limit, and how SPF relates to DMARC.
Introduction
SPF helps prove outbound mail is authorized. It does not encrypt mail and does not replace DKIM or DMARC, but it is a core email authentication building block.
SPF is checked on the envelope sender (Return-Path), which may differ from the visible From address — important for DMARC alignment.
Quick answer
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers may send email for your domain. Receiving servers check SPF against the Return-Path domain. Only one SPF record is allowed per domain, and SPF has a 10 DNS lookup limit.
What it means
SPF uses mechanisms like include, ip4, a, mx and a final all policy (~all or -all) to describe authorized senders.
- Published as one TXT record starting with v=spf1
- SPF pass means sending IP is authorized
- SPF fail means sending IP is not in the record
- Maximum 10 DNS lookups during SPF evaluation
- Works with DMARC when SPF aligns with the From domain
Where you see this:
- Google Workspace and Microsoft 365 email
- Transactional providers (SendGrid, Mailgun, etc.)
- Marketing and newsletter platforms
- Website contact forms using SMTP providers
example.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
Why this matters
Missing or broken SPF increases spoofing risk and spam folder placement. Duplicate SPF records or too many includes cause permerror and authentication failures.
How to check it
- Run SPF Checker on your sending domain.
- Confirm exactly one v=spf1 TXT record exists.
- Check that the lookup count does not exceed 10.
- Send test mail and read SPF result in Authentication-Results headers.
- Verify Return-Path domain matches where SPF is published.
Check SPF record
Use SPF Checker to see authorized senders, lookup count and SPF validation result.
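The single-record and lookup-count checks above can also be scripted. This is an added example, not code from this guide or from SPF Checker. It reads records from a constructed in-memory zone (ZONE, with made-up .example provider names) instead of querying DNS, and its lookup count is a worst-case upper bound that follows every include and redirect.

```python
# Added example. ZONE is constructed sample data standing in for DNS TXT answers.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:_spf.bulk.example mx ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.bulk.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:_spf.bulk.example ~all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:_p{i}.heavy.example" for i in range(11)) + " ~all"],
}
ZONE.update({f"_p{i}.heavy.example": [f"v=spf1 ip4:192.0.2.{i} ~all"] for i in range(11)})

LOOKUP_LIMIT = 10
# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(domain, zone):  # TXT strings at domain whose version tag is v=spf1
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, path=()):
    """Upper bound on lookups: counts every lookup term, following include/redirect."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:   # loop guard; missing or duplicate target
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0]          # "a/24" and "mx/24" are still a and mx
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return (lookup_count, issues) for the SPF record published at `domain`."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return 0, ["no SPF record" if not recs else "multiple SPF records (permerror)"]
    lookups, issues = count_lookups(domain, zone), []
    if lookups > LOOKUP_LIMIT:
        issues.append(f"{lookups} DNS lookups, limit is {LOOKUP_LIMIT} (permerror)")
    terms = [t.lstrip("+-~?") for t in recs[0].lower().split()[1:]]
    if "all" not in terms and not any(t.startswith("redirect=") for t in terms):
        issues.append("no all policy at the end of the record")
    return lookups, issues

if __name__ == "__main__":
    print({d: lint(d) for d in ("example.com", "dup.example", "heavy.example")})
```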
Common mistakes
Multiple SPF TXT records
High: More than one v=spf1 on a domain is invalid.
Next step: Merge into one SPF record and delete duplicates.
Missing sender provider in SPF
High: Mail sent through a service not listed in SPF fails.
Next step: Add the provider include from their documentation.
Too many DNS lookups
High: Nested includes exceed the 10 lookup limit.
Next step: Remove unused includes and simplify the record.
Old provider still in SPF
Medium: Unused includes add lookups and confusion.
Next step: Remove providers you no longer send through.
Using -all before testing
Medium: Hard fail rejects mail from any unlisted source immediately.
Next step: Use ~all while testing, then tighten when confident.
Example
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Replace includes with values from your actual email providers.
Frequently asked questions
Where is SPF published?
As a TXT record on the domain used in the Return-Path (envelope sender), usually the root domain.
What is the difference between ~all and -all?
~all is soft fail (suspicious but not always rejected). -all is hard fail (unauthorized senders should be rejected).
Does SPF fix spam folder issues alone?
No. DKIM, DMARC, reputation, content and infrastructure also matter.
Can I have two SPF records temporarily?
No. Receivers treat multiple SPF records as an error. Merge before publishing.