It's a question that comes up surprisingly often, and getting it wrong can cause your emails to fail authentication. The short answer is that SPF record syntax uses spaces to separate its different parts, not semicolons.
This is a common point of confusion, mainly because another important email authentication record, DMARC, does use semicolons. Let's break down the correct syntax for SPF so you can be sure your record is set up correctly.
The structure of an SPF record
An SPF record is a simple string of text published in your domain's DNS as a TXT record. Every SPF record is made up of a few key components, all separated by spaces.
A valid SPF record always starts with v=spf1, which identifies it as an SPF version 1 record. Following this are a series of "mechanisms" and "qualifiers" that define which servers are authorized to send email on behalf of your domain. Each of these mechanisms is separated by a single space.
For example, a simple SPF record might look like this:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
In this example, v=spf1, include:_spf.google.com, include:sendgrid.net, and ~all are all individual parts of the record, separated by spaces.
Where the confusion with semicolons comes from
The primary reason people mix this up is because of DMARC records. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is another DNS-based email authentication standard that works with SPF and DKIM. However, DMARC records use semicolons to separate their tags.
A DMARC record looks something like this:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
As you can see, each tag (like p=reject) is separated by a semicolon. It’s an easy mistake to apply this same logic to SPF, but it will cause your SPF record to be invalid.
Common SPF syntax errors
An incorrect character is just one of several common mistakes that can invalidate an SPF record. When you're creating or editing your record, be sure to avoid these pitfalls:
- Using commas or semicolons: As we've covered, only spaces should be used to separate mechanisms. As Unspam.email points out, you should not use commas and only one space between each part.
- Typos and extra characters: A simple typo, like writing incude instead of include, will break your record. AutoSPF lists typos and extra spaces as a common source of syntax errors.
- Incorrectly quoted strings: When you add the SPF record to your DNS as a TXT record, the entire string should be enclosed in double quotes. For example: "v=spf1 include:example.com ~all". Forgetting this can cause issues with how your DNS provider parses the spaces in the record.
- Multiple SPF records: A domain must not have more than one SPF record. If you need to authorize multiple services, you must add them all to a single record using space-separated include mechanisms.
To summarize, always use spaces to separate the mechanisms in your SPF record. Keep the semicolons for your DMARC record. Getting the syntax right is the first and most critical step to ensuring your emails authenticate correctly and reach the inbox.
