What Is SPF

Learn what SPF is, how it authorizes email senders, SPF pass/fail, the 10 lookup limit, and how SPF relates to DMARC.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 5 min read | Beginner

Introduction

SPF helps prove outbound mail is authorized. It does not encrypt mail and does not replace DKIM or DMARC, but it is a core email authentication building block.

SPF is checked on the envelope sender (Return-Path), which may differ from the visible From address — important for DMARC alignment.

Quick answer

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers may send email for your domain. Receiving servers check SPF against the Return-Path domain. Only one SPF record is allowed per domain, and SPF has a 10 DNS lookup limit.

What it means

SPF uses mechanisms like include, ip4, a, mx and a final all policy (~all or -all) to describe authorized senders.

  • Published as one TXT record starting with v=spf1
  • SPF pass means the sending IP is authorized
  • SPF fail means the sending IP is not in the record
  • Maximum 10 DNS lookups during SPF evaluation
  • Works with DMARC when SPF aligns with the From domain

Where you see this:

  • Google Workspace and Microsoft 365 email
  • Transactional providers (SendGrid, Mailgun, etc.)
  • Marketing and newsletter platforms
  • Website contact forms using SMTP providers

Example

example.com TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"

Why this matters

Missing or broken SPF increases spoofing risk and spam folder placement. Duplicate SPF records or too many includes cause permerror and authentication failures.

How to check it

  1. Run SPF Checker on your sending domain.
  2. Confirm that exactly one v=spf1 TXT record exists.
  3. Check that the lookup count stays under 10.
  4. Send test mail and read the SPF result in the Authentication-Results headers.
  5. Verify that the Return-Path domain matches where SPF is published.
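
Steps 2 and 3 can also be checked offline. The script below is an added example, not CheckDomainHealth's own code: it applies the one-record rule and counts lookups through nested includes against a constructed sample zone. The names under .example, the ZONE dictionary and the function names are assumptions, and the count covers every term in the record (worst case) rather than stopping at the first match.

```python
LIMIT = 10  # maximum DNS lookups during SPF evaluation
COUNTED = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that cost a lookup

# Constructed sample zone (name -> TXT strings); hypothetical names, not real DNS data.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:_spf.news.example mx ~all",
                    "site-verification=constructed"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.news.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.example": ["v=spf1 mx ~all", "v=spf1 include:_spf.news.example ~all"],
    # Eleven single-hop includes: one more lookup than the limit allows.
    "big.example": ["v=spf1 " + " ".join(f"include:_s{i}.big.example" for i in range(11)) + " ~all"],
}
ZONE.update({f"_s{i}.big.example": ["v=spf1 ip4:192.0.2.1 ~all"] for i in range(11)})

def spf_records(name, zone):
    """TXT records at `name` that are SPF records (version tag v=spf1)."""
    return [t for t in zone.get(name, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(name, zone, seen=()):
    """Lookups needed to evaluate the SPF record at `name`, following includes."""
    records = spf_records(name, zone)
    if len(records) != 1 or name in seen:
        return 0  # missing, duplicate or looping record: nothing more to follow
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier
        if term.startswith("redirect="):    # redirect costs a lookup, like include
            kind, target = "include", term[len("redirect="):]
        else:
            kind, _, target = term.partition(":")
            kind = kind.split("/")[0]        # "a/24" and "mx/24" carry a CIDR suffix
        if kind in COUNTED:
            total += 1
        if kind == "include" and target:
            total += count_lookups(target, zone, seen + (name,))
    return total

def audit(name, zone):
    """Apply the one-record and lookup-limit checks; return a summary dict."""
    records = spf_records(name, zone)
    lookups = count_lookups(name, zone) if len(records) == 1 else None
    return {"records": len(records), "lookups": lookups,
            "ok": len(records) == 1 and lookups <= LIMIT}

if __name__ == "__main__":
    for domain in ("example.com", "dup.example", "big.example"):
        print(domain, audit(domain, ZONE))
```

To run it against a live domain, replace ZONE with TXT answers collected from your resolver; the counting logic stays the same.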

Common mistakes

Multiple SPF TXT records

Severity: High

More than one v=spf1 on a domain is invalid.

Next step: Merge into one SPF record and delete duplicates.

Missing sender provider in SPF

Severity: High

Mail sent through a service not listed in SPF fails.

Next step: Add the provider include from their documentation.

Too many DNS lookups

Severity: High

Nested includes exceed the 10 lookup limit.

Next step: Remove unused includes and simplify the record.

Old provider still in SPF

Severity: Medium

Unused includes add lookups and confusion.

Next step: Remove providers you no longer send through.

Using -all before testing

Severity: Medium

Hard fail rejects mail from any unlisted source immediately.

Next step: Use ~all while testing, then tighten when confident.

Example

SPF example
v=spf1 include:_spf.google.com include:sendgrid.net ~all

Replace includes with values from your actual email providers.

Frequently asked questions

Where is SPF published?

As a TXT record on the domain used in the Return-Path (envelope sender), usually the root domain.

What is the difference between ~all and -all?

~all is soft fail (suspicious but not always rejected). -all is hard fail (unauthorized senders should be rejected).

Does SPF fix spam folder issues alone?

No. DKIM, DMARC, reputation, content and infrastructure also matter.

Can I have two SPF records temporarily?

No. Receivers treat multiple SPF records as an error. Merge before publishing.
