SPF (Sender Policy Framework)

A DNS record that lists which IP addresses and hosts are allowed to send email on behalf of a domain.

What is SPF?

SPF, or Sender Policy Framework, is a DNS-based authentication standard that tells receiving mail servers which IP addresses are permitted to send mail from a given domain. The domain owner publishes a TXT record listing approved senders, and the receiver checks the connecting IP against that list.

Why it matters

SPF is one of the oldest and simplest defenses against email spoofing, and it still gates delivery at nearly every major inbox provider. A broken or missing SPF record means your legitimate mail may be marked as spam, and it makes DMARC enforcement impossible. Infrastructure teams, marketers, and anyone who adds a new sending tool should update SPF as part of the onboarding checklist.

How it works

The domain owner publishes a TXT record at the apex of the sending domain listing approved mechanisms.

acme.io IN TXT "v=spf1 include:sendkit.email include:_spf.google.com ip4:203.0.113.5 -all"

When a receiving server accepts a message, it checks the envelope sender domain, fetches that domain's SPF record, and verifies that the connecting IP is authorized. A -all suffix means unauthorized senders should be rejected; ~all means soft-fail.

Examples

  • A company adding include:sendkit.email after switching its transactional provider
  • A team auditing SPF and discovering an old CRM still authorized from a previous migration
  • A marketer debugging a campaign that fails SPF because it exceeded the 10 DNS lookup limit

Best practices

  • Keep your SPF record under the 10 DNS lookup limit; flatten includes if necessary
  • Use -all in production once you are confident every sender is listed
  • Audit your SPF every quarter and remove services you no longer use
  • Publish SPF for both the sending domain and the envelope domain when they differ

FAQs

What is the 10 lookup limit?

SPF evaluation fails if more than 10 DNS lookups are required to resolve all includes and mechanisms. Too many include: entries is the most common cause of unexpected SPF failures.

Can I have multiple SPF records?

No. A domain must have exactly one SPF TXT record. Merge all mechanisms into a single record or the check will fail.
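
An added example, not part of the original page: a static audit in Python that counts the worst-case DNS lookups an SPF record can trigger and flags a domain with more than one SPF record, the two failure modes covered in the answers above. The TXT data is constructed and stands in for DNS; the record contents for sendkit.email, _spf.google.com and the .example domains are assumptions.

```python
LOOKUP_LIMIT = 10  # maximum DNS-querying terms per SPF evaluation

# Constructed TXT data standing in for DNS; record contents are made up.
ZONE = {
    "acme.io": ["site-verification=constructed",
                "v=spf1 include:sendkit.email include:_spf.google.com ip4:203.0.113.5 -all"],
    "sendkit.email": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:sendkit.email -all"],
}
# Four hypothetical services, each costing 1 (include) + 2 (a, mx) lookups.
ZONE.update({f"svc{i}.example": ["v=spf1 a mx ~all"] for i in range(4)})
ZONE["bloated.example"] = ["v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(4)) + " -all"]


def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (other TXT data is ignored)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def audit(domain, zone, path=()):
    """Walk includes/redirects; return (worst-case DNS lookups, problems)."""
    if domain in path:
        return 0, [f"{domain}: include loop"]
    records = spf_records(domain, zone)
    if len(records) != 1:
        return 0, [f"{domain}: expected exactly one SPF record, found {len(records)}"]
    lookups, problems = 0, []
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")            # drop the qualifier
        if term.startswith("redirect="):
            term = "redirect:" + term[len("redirect="):]
        name, _, arg = term.partition(":")
        if name.split("/")[0] in ("a", "mx", "ptr", "exists"):
            lookups += 1                      # each of these triggers a DNS query
        elif name in ("include", "redirect"):
            nested, nested_problems = audit(arg, zone, path + (domain,))
            lookups += 1 + nested
            problems += nested_problems
    return lookups, problems


def check(domain, zone=ZONE):
    lookups, problems = audit(domain, zone)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{domain}: {lookups} DNS lookups, limit is {LOOKUP_LIMIT}")
    return lookups, problems


if __name__ == "__main__":
    for d in ("acme.io", "bloated.example", "dup.example"):
        print(d, *check(d))
```

The count is a worst case: a real receiver stops evaluating at the first mechanism that matches, so it may use fewer lookups than the audit reports.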

What happens if SPF fails but DKIM passes?

DMARC allows a message to pass if either SPF or DKIM aligns with the From domain. So a failed SPF alone does not automatically mean rejection.
