SPF (Sender Policy Framework) specifies which mail servers are allowed to send email for your domain. Receiving servers check the SPF record to verify that incoming email comes from an authorized source.
The SPF record
An SPF record is a DNS TXT record published at yourdomain.com, starting with v=spf1.
Example:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Mechanisms
| Mechanism | Purpose | Example |
|---|---|---|
| ip4: | Allow a specific IPv4 address or range | ip4:192.0.2.1 |
| ip6: | Allow a specific IPv6 address or range | ip6:2001:db8::1 |
| include: | Include another domain's SPF record | include:_spf.google.com |
| a | Allow the domain's A record IP | a |
| mx | Allow the domain's MX record IPs | mx |
| redirect= | Use another domain's SPF record entirely | redirect=otherdomain.com |
Qualifiers
The record ends with an all mechanism that defines the default action for senders not explicitly listed:
-all - Hard fail. Reject emails from unlisted senders.
~all - Soft fail. Accept but mark as suspicious.
?all - Neutral. No opinion on unlisted senders.
The 10-lookup limit
Every include, a, mx, and redirect mechanism requires a DNS lookup. SPF allows a maximum of 10 lookups. Exceeding this causes a permerror, which means SPF fails for all emails.
This limit is easy to hit when you use multiple email services (Google Workspace, SendGrid, Mailchimp, etc.), since each include can trigger nested lookups. Use SPF flattening to resolve IP addresses and reduce lookup count.
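The following is an added example, not code from the original page: a worst-case lookup counter that walks nested include and redirect terms to show how a record that looks short can exceed the limit. The zone data, the .example domain names, and the function names are constructed for illustration; a real audit would fetch TXT records from DNS instead of the dictionary.

```python
# Constructed sample zone (not real DNS data): domain -> SPF TXT record.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.mail.example include:esp.example mx -all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "esp.example": "v=spf1 a mx include:_pool.esp.example ~all",
    "_pool.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "busy.example": "v=spf1 include:example.com include:esp.example a mx -all",
}
LOOKUP_LIMIT = 10
# Terms that cost a DNS lookup. The page lists include, a, mx and redirect;
# RFC 7208 also counts exists and ptr.
COUNTED = {"include", "a", "mx", "exists", "ptr"}

def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Worst-case lookup count: walks every term, assuming none matches early."""
    if domain in path:  # include/redirect loop: stop instead of recursing forever
        return 0
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], txt, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in COUNTED:
            total += 1
            if name == "include":  # nested record adds its own lookups
                total += count_lookups(arg, txt, path + (domain,))
    return total

def check(domain, txt=SAMPLE_TXT):
    """Return (lookup count, 'ok' or 'permerror') for a domain."""
    n = count_lookups(domain, txt)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")
```

In the sample data, busy.example has only four lookup terms at the top level but reaches 15 through nesting, while the flattened flat.example record needs none.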
SPF alignment with DMARC
DMARC checks that the Return-Path domain (the domain checked by SPF) aligns with the From header domain. If they don't match, SPF itself passes, but DMARC alignment fails for SPF. See DMARC alignment for details.