SPF

SPF stands for Sender Policy Framework. SPF is an email-authentication standard that lets domain owners specify which mail servers are authorized to send email on behalf of their domain. When a receiving server gets an email, it looks up the SPF record published in DNS for the sender’s domain and verifies that the sending server is on the approved list. SPF is one of the three core email-authentication standards alongside DKIM and DMARC; together they protect against spoofing and underpin modern email deliverability.

How SPF works

Four-step process:

1. Domain owner publishes an SPF record. A DNS TXT record listing authorized sending sources. Example: v=spf1 include:_spf.google.com include:mail.sendgrid.net ~all

2. Email arrives at the recipient’s mail server.

3. Server checks the SPF record. Does the sending server’s IP match an authorized source in the domain’s SPF record?

4. Server applies the policy. Pass (deliver normally), fail (reject or mark as suspicious), or soft-fail (deliver but mark).

SPF record components

Four common elements:

Mechanisms. ‘include:’, ‘a:’, ‘mx:’, ‘ip4:’ - ways to specify authorized sending sources.

Qualifiers. ‘+’ (pass), ‘-’ (fail), ‘~’ (soft-fail), ‘?’ (neutral). Applied to each mechanism.

The ‘all’ directive. Usually at the end of the record. ‘~all’ (soft-fail anything else), ‘-all’ (hard-fail anything else).

Modifiers. ‘redirect=’ and ‘exp=’. Less commonly used.

Common SPF mistakes

Five failures:

Too many DNS lookups. SPF has a 10-DNS-lookup limit. Exceeding it invalidates the record. Common issue with multiple ‘include’ mechanisms.

Missing sending sources. A new email service added without updating SPF. Emails fail authentication.

Using -all when ~all is safer. An aggressive fail policy can reject legitimate emails sent from forgotten services. Start with ~all; move to -all once you are confident that every legitimate sending source is listed.

Multiple SPF records on one domain. Only one TXT SPF record allowed per domain. Multiple records invalidate SPF entirely.

Forgetting subdomains. SPF records apply to the specific domain; subdomains need their own records or explicit inheritance.

SPF alone is insufficient

Three key limitations:

Forwarding breaks SPF. Emails forwarded through intermediate servers fail SPF because the forwarding server isn’t authorized.

SPF doesn’t verify the From header. The From address users see isn’t what SPF checks. Sophisticated spoofers can pass SPF with a mismatched visible From address.

SPF alone isn’t enough for DMARC. DMARC requires SPF or DKIM to align with the From domain. SPF without DKIM is vulnerable.

This is why SPF + DKIM + DMARC are used together. Each covers weaknesses in the others.

Checking your SPF record

Four tools:

DNS lookup tools. ‘dig TXT yourdomain.com’ or web-based equivalents. Shows the raw SPF record.

SPF validators. Tools like mxtoolbox.com/spf.aspx validate syntax and DNS-lookup counts.

DMARC aggregate reports. Once DMARC is set up, reports show SPF pass/fail rates in the wild.

Your ESP’s deliverability tools. Most email-service providers check SPF configuration.

SPF and email platforms

Three common setups:

Single platform. SPF record includes just that platform. Simple.

Multiple platforms. SPF includes each - Google Workspace, ESP, transactional service. Watch the 10-lookup limit.

Subdomain segregation. Use subdomains for different sending types (mail.brand.com for marketing, transactional.brand.com for transactional). Each subdomain has its own SPF.

SPF in 2026

Three realities:

Table stakes for bulk senders. Gmail and Yahoo 2024 rules require SPF for senders over 5K emails/day. No SPF = delivery failures.

Not sufficient alone. SPF alone doesn’t clear DMARC or provide strong authentication. Must be paired with DKIM.

Still evolving. Extensions like ARC (Authenticated Received Chain) address SPF forwarding weaknesses. Adoption still mixed.

Common SPF troubleshooting

Four diagnostic steps for SPF issues:

Check DNS-lookup count. Use a tool to count. If over 10, consolidate.

Verify sending source is listed. When adding a new email tool, confirm its SPF include is added to the record.

Check for multiple SPF records. Only one TXT SPF record per domain. Remove duplicates.

Verify syntax. SPF syntax is strict. Small errors invalidate the entire record.
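
The lookup-count and duplicate-record checks above can be scripted. The following Python linter is an added example, not part of the original glossary entry: it counts DNS-querying terms across nested includes and flags missing or duplicated SPF records and a missing default. ZONE is constructed sample data standing in for live DNS TXT answers, and the function names are illustrative.

```python
# Added example. ZONE is constructed sample data standing in for DNS TXT answers.
ZONE = {
    "ok.test": ["v=spf1 include:_spf.a.test mx ~all", "site-verification=constructed"],
    "_spf.a.test": ["v=spf1 ip4:192.0.2.0/24 a:mail.a.test -all"],
    "dup.test": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx ~all"],
    "busy.test": ["v=spf1 " + " ".join("include:v%d.test" % i for i in range(6)) + " ~all"],
}
ZONE.update({"v%d.test" % i: ["v=spf1 mx -all"] for i in range(6)})

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # terms that trigger a DNS query
MAX_LOOKUPS = 10

def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records (version tag v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms for domain, following include: and redirect=."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # loop guard; unusable target adds nothing
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        if name.split("/")[0] in LOOKUP_TERMS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, path + (domain,))
    return total

def lint(domain, zone):
    """Report record-level mistakes: missing, duplicated, too many lookups, no default."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return ["no SPF record" if not records else "%d SPF records published" % len(records)]
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        findings.append("%d DNS lookups, limit is %d" % (lookups, MAX_LOOKUPS))
    terms = [t.lower() for t in records[0].split()[1:]]
    if not any(t.lstrip("+-~?") == "all" or t.startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism or redirect= modifier")
    return findings

if __name__ == "__main__":
    for d in ("ok.test", "busy.test", "dup.test", "missing.test"):
        print(d, count_lookups(d, ZONE), lint(d, ZONE) or "ok")
```

In the sample, busy.test has only six include terms in its own record, yet each included record adds an mx lookup, which is how a record that looks short ends up over the limit.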

Penfriend doesn’t directly require SPF configuration - we don’t send email from customer domains. But we write articles about email marketing and SPF is a topic readers often ask about. Clear, correct content on authentication topics supports customers whose email programmes depend on getting the technical fundamentals right.
