Glossary · 3 min read

What Is an SPF Record?

Understand SPF records, how they authorize email senders, the TXT record format, and how receivers evaluate SPF results including pass, fail, and softfail.

What Is an SPF Record?

An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of a domain. Defined in RFC 7208, SPF helps receiving mail servers detect forged sender addresses and is a foundational layer of email authentication alongside DKIM and DMARC.

How SPF Works

When a mail server receives a message claiming to be from [email protected], it performs an SPF check:

  1. The receiving server extracts the domain from the SMTP envelope sender (the MAIL FROM address, also called the return-path).
  2. It queries DNS for the TXT record at example.com that begins with v=spf1.
  3. It evaluates the SPF record's mechanisms against the connecting server's IP address.
  4. It returns a result: pass, fail, softfail, neutral, or none.

SPF Record Format

An SPF record is a single TXT record published at the domain apex. It starts with the version tag v=spf1 followed by one or more mechanisms and a default qualifier:

v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:sendgrid.net -all

Common Mechanisms

  • ip4 / ip6 -- Authorizes a specific IP address or CIDR range.
  • include -- References another domain's SPF record. Used when third-party services (Google Workspace, SendGrid, Mailchimp) send on your behalf.
  • a -- Authorizes the IP addresses in the domain's A/AAAA records.
  • mx -- Authorizes the IP addresses of the domain's MX record hosts.
  • all -- Matches everything. Always used as the final mechanism with a qualifier.

Qualifiers

  • + (pass) -- Default. The IP is authorized.
  • - (fail) -- The IP is explicitly not authorized. Receivers should reject.
  • ~ (softfail) -- The IP is probably not authorized. Receivers should accept but flag.
  • ? (neutral) -- No assertion. Treated like no SPF record for that IP.

SPF Evaluation Results

Result Meaning
Pass Sender IP matches a mechanism. Message is authorized.
Fail Sender IP does not match, and the record ends with -all.
Softfail Sender IP does not match, and the record ends with ~all.
Neutral Record ends with ?all. No policy assertion.
None No SPF record exists for the domain.
PermError The SPF record is malformed (e.g., exceeds 10 DNS lookup limit).
TempError A transient DNS error prevented evaluation.

The 10-Lookup Limit

RFC 7208 limits SPF evaluation to 10 DNS lookups (including include, a, mx, redirect, and exists mechanisms). Exceeding this limit produces a PermError, which many receivers treat as a fail. Flattening SPF records (resolving includes to IP addresses) is a common workaround, though it requires maintenance when provider IPs change.

Checking Your SPF Record

Use our SPF check tool to validate your SPF record syntax, count DNS lookups, and verify that your authorized senders are correctly included. SPF alone does not prevent domain spoofing in the visible From header -- that requires alignment with DMARC.

Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.

More glossary terms

DNS Ports Explained

Understand which network ports DNS uses, including port 53 for standard queries, port 443 for DNS over HTTPS, and port 853 for DNS over TLS.

DNS Record Types: A Complete Reference Guide

A technical reference for all major DNS record types including A, AAAA, MX, CNAME, TXT, NS, SOA, PTR, SRV, and CAA. Includes example values and use cases.

How Do IP Addresses Work?

Understand how IP addresses work, including IPv4 vs IPv6 formats, public vs private addresses, static vs dynamic assignment, NAT, and CIDR notation.

SMTP Ports Explained: 25, 465, 587, and 2525

Understand the four SMTP ports, when to use each one, the difference between STARTTLS and implicit TLS, and why ISPs block port 25.

What Is DKIM (DomainKeys Identified Mail)?

Learn how DKIM uses cryptographic signatures to authenticate email, including selector records, public/private key pairs, and the verification process per RFC 6376.

What Is DMARC?

Understand DMARC, how it builds on SPF and DKIM with alignment checks, policy options (none, quarantine, reject), and aggregate vs forensic reporting per RFC 7489.

What Is DNS (Domain Name System)?

Learn how the Domain Name System works, including recursive and iterative queries, root servers, caching, and TTL values. A technical overview referencing RFC 1035.

What Is Secure DNS (DoH and DoT)?

Learn about secure DNS protocols including DNS over HTTPS, DNS over TLS, and DNSSEC. Understand why standard DNS is insecure and how to protect your queries.

What Is a Domain Name?

Learn what a domain name is, how domains map to IP addresses via DNS, the difference between TLD types, and how subdomains, URLs, and hostnames relate.

What Is a Gateway IP Address?

Learn what a gateway IP address is, how default gateways route traffic between networks, and how to find your gateway address on any operating system.

What Is a Reverse Lookup?

Understand reverse lookups including reverse DNS (PTR records), reverse IP lookups, and reverse email lookups. Learn how each works, common use cases, and limitations.

What Is a Reverse Proxy?

Learn how reverse proxies work, the difference between forward and reverse proxies, and common use cases including load balancing, SSL termination, and caching.

What Is an Email Bounce?

Understand email bounces, the difference between hard and soft bounces, common SMTP error codes, and how bounces affect sender reputation.

What Is an Email Domain Name?

Learn what an email domain is, how the @domain.com part of email addresses works with MX records to route messages, and the difference between free and custom email domains.

What Is an SMTP Server?

Learn how SMTP servers work, the difference between MTA, MSA, and MDA, and how email is delivered hop by hop using the SMTP protocol defined in RFC 5321.

What Is an SSL Certificate?

Learn how SSL/TLS certificates encrypt internet traffic, how the chain of trust works, the difference between DV, OV, and EV certificates, and why TLS replaced SSL.