Sender Policy Framework (SPF) is an email authentication standard that helps domain owners stop spammers and phishers from sending mail that claims to come from their domain. By publishing an SPF record in your DNS, you list which mail servers may send email using your domain as the envelope sender (the SMTP MAIL FROM / Return-Path address).
Why SPF Matters #
- Reduces spoofing: Lets receivers reject mail whose envelope-sender domain never authorized the sending IP. On its own SPF does not protect the visible “From” header; tying the two together is DMARC's job
- Boosts deliverability: Authenticated messages are less likely to go to spam
- Strengthens brand trust: Gives receiving ISPs verifiable evidence that mail using your domain came from servers you authorized
- Works with DKIM and DMARC: SPF is part of a multi-layered email authentication system
How SPF Works #
- Publish an SPF record: Add a TXT record in your DNS zone listing authorized mail sources
- Incoming mail check: The recipient’s mail server takes the domain from the SMTP envelope sender (MAIL FROM, or HELO when that is empty), fetches that domain’s SPF record, and tests the connecting IP against it
- Authorize or reject: The check yields one of these results
- Pass: IP matches → email accepted
- Fail (-all): IP not listed → receiver may reject outright
- Softfail (~all) or Neutral (?all): IP not listed → email accepted but marked suspicious (softfail) or treated as if no policy existed (neutral)
- None, TempError, PermError: no record, a transient DNS failure, or a broken record (syntax error, more than 10 DNS lookups, more than one SPF record). A PermError gives you no protection at all, so a broken record is worse than a strict one
Anatomy of an SPF Record #
v=spf1 include:mailgun.org ip4:203.0.113.5 mx -all
| Tag | Purpose |
|---|---|
| v=spf1 | Declares SPF version 1; must be the first term |
| include: | Evaluates another domain’s SPF record (e.g., your email provider’s); a pass there counts as a match here. Costs one DNS lookup plus whatever the included record itself spends |
| ip4: | Authorizes a single IPv4 address or a CIDR range (ip6: does the same for IPv6); no DNS lookup |
| mx | Authorizes the addresses of your domain’s MX hosts; costs one DNS lookup |
| -all | Hard fail for every IP no earlier mechanism matched. Mechanisms are evaluated left to right and the first match wins, so all must come last |
Step-by-Step Setup #
- List all sending services: Mail servers, CRM, marketing tools, etc
- Draft your SPF record: Start with v=spf1, then add mechanisms: ip4, ip6, mx, include, etc
- Choose a fail policy:
- -all (hard fail) for strict enforcement
- ~all (soft fail) for testing/flexible delivery
- Publish in DNS:
- Host: @ (or your root domain)
- Type: TXT
- Value: Your complete SPF string
- Wait for propagation: Resolvers keep the old answer until the record’s TTL expires, so allow at least one TTL (often an hour; some DNS hosts quote up to 48 hours)
- Test your record:
- CLI: dig +short TXT yourdomain.com
- Online: MX Toolbox SPF Checker
Handling Third-Party Senders #
When using third-party services like CRMs or email platforms:
- Check their SPF documentation (e.g., include:sendgrid.net)
- Update your SPF record with the new include
- Keep total DNS lookups ≤ 10: every include, a, mx, ptr, exists and redirect counts, including those inside the records you include; ip4, ip6 and all cost nothing
Common Pitfalls #
- Too many DNS lookups: More than 10 DNS-querying terms (include, a, mx, ptr, exists, redirect, counted recursively through includes) is a PermError, and a PermError protects nothing
- Over-permissive records: SPF has no wildcards, so include:* is an error rather than a grant; the patterns that really authorize the world are a record ending in +all or ?all, the ptr mechanism, and including a shared provider that does not tie its sending IPs to your domain
- Subdomain oversight: SPF records are not inherited, so shop.example.com has no policy unless it publishes one. Give every sending subdomain its own record, publish v=spf1 -all on subdomains that never send, and use redirect=example.com where a subdomain should simply follow the parent’s policy
- Missing IPv6: Add ip6: for every server that delivers over IPv6; an ip4-only record fails those messages
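The evaluation described under How SPF Works, the record anatomy above, and the lookup and subdomain pitfalls in this list, as an added example that is not code from the original article or from any SPF library: a small Python evaluator for a subset of RFC 7208 (ip4, ip6, a, mx, include, all, redirect= and the four qualifiers; ptr, exists and macros are left out). Live DNS is replaced by a constructed table, and every domain in it (example.com, _spf.mailer.example, broken.example, heavy.example, the svcN.example vendors, the absent shop.example.com) is hypothetical.

```python
"""Offline SPF evaluator for a subset of RFC 7208, plus a DNS-lookup counter.
Added example, not from the original article or any SPF library; DNS is replaced
by the constructed table below and every domain in it is hypothetical."""
import ipaddress

# Constructed stand-in for DNS: (name, type) -> list of record strings.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.5 mx include:_spf.mailer.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.23"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"],
    ("broken.example", "TXT"): ["v=spf1 -all", "v=spf1 mx -all"],   # two SPF records
    ("heavy.example", "TXT"): ["v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"],
}
for i in range(11):                           # eleven small vendors, one include each
    DNS[(f"svc{i}.example", "TXT")] = [f"v=spf1 ip4:192.0.2.{i} -all"]
# shop.example.com is deliberately absent: a sending subdomain that never got a record.

LOOKUP_LIMIT = 10                             # RFC 7208 section 4.6.4
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # redirect= also counts; ip4/ip6/all are free
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class PermError(Exception):
    """Record unusable: duplicate records, unknown term, or lookup limit exceeded."""

def get_spf(domain):
    """Return the domain's single SPF record, or None when it publishes none."""
    recs = [t for t in DNS.get((domain, "TXT"), []) if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) > 1:
        raise PermError(f"{domain}: {len(recs)} SPF records, exactly one is allowed")
    return recs[0] if recs else None

def parse(record):
    """Split a record into [(qualifier, mechanism, argument)] and {modifier: value}."""
    terms, modifiers = [], {}
    for tok in record.split()[1:]:            # skip the v=spf1 version tag
        if "=" in tok and ":" not in tok:     # modifiers: redirect=..., exp=...
            name, _, value = tok.partition("=")
            modifiers[name.lower()] = value
            continue
        qual = "+"                            # a bare mechanism means pass
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms, modifiers

def _check(ip, domain, state):
    spf = get_spf(domain)
    if spf is None:
        return "none"
    terms, modifiers = parse(spf)
    for qual, mech, arg in terms:             # left to right, first match wins
        if mech in LOOKUP_MECHS:
            state["lookups"] += 1
            if state["lookups"] > LOOKUP_LIMIT:
                raise PermError("more than 10 DNS-querying terms")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):          # an IPv4 address is never inside an IPv6 network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in DNS.get((arg or domain, "A"), [])
        elif mech == "mx":
            matched = any(str(ip) in DNS.get((h, "A"), []) for h in DNS.get((arg or domain, "MX"), []))
        elif mech == "include":               # only a pass inside the include is a match here
            sub = _check(ip, arg, state)
            if sub == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = sub == "pass"
        else:
            raise PermError(f"unsupported mechanism {mech}")   # ptr, exists, macros left out
        if matched:
            return QUALIFIERS[qual]
    if "redirect" in modifiers:               # nothing matched: defer to another domain's record
        state["lookups"] += 1
        return _check(ip, modifiers["redirect"], state)
    return "neutral"                          # default result, RFC 7208 section 4.7

def check_host(ip, domain):
    """Evaluate a sending IP against a domain's SPF. Returns (result, dns_lookups_used)."""
    state = {"lookups": 0}
    try:
        return _check(ipaddress.ip_address(ip), domain, state), state["lookups"]
    except PermError:
        return "permerror", state["lookups"]

def count_lookups(domain, seen=None):
    """Total DNS-querying terms reachable from a record: what the 10-lookup limit measures."""
    seen = set() if seen is None else seen
    if domain in seen:                        # guard against include loops
        return 0
    seen.add(domain)
    try:
        terms, modifiers = parse(get_spf(domain) or "v=spf1")
    except PermError:
        return 0
    n = sum(1 for _, mech, _ in terms if mech in LOOKUP_MECHS)
    n += sum(count_lookups(arg, seen) for _, mech, arg in terms if mech == "include")
    if "redirect" in modifiers:
        n += 1 + count_lookups(modifiers["redirect"], seen)
    return n
```

check_host returns the SPF result together with the number of DNS-querying terms it had to evaluate, so a matching ip4 term costs nothing while a match via mx or include is paid for. count_lookups walks the whole record without an IP, the way a record audit does, so the eleven-include heavy.example record is flagged even for an IP that would have matched early; check_host on that record returns permerror for any IP that is not among the first ten vendors. shop.example.com shows the subdomain pitfall: with no record of its own the result is none, not the parent's fail, and broken.example shows that two SPF records are a permerror rather than a union of both.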
Best Practices #
- Minimize includes: Flatten where possible by replacing includes with the IP ranges they resolve to, but only with an automated re-sync, since providers change netblocks and a flattened record goes stale without warning
- Use -all in production: Start with ~all during testing
- Pair with DMARC: Its aggregate reports show which sources fail SPF, and its alignment check is what ties SPF to the visible From header
- Watch the 255-character limit: A TXT record is made of strings of at most 255 characters, so split a long record into several quoted strings inside ONE TXT record; receivers concatenate them. Do not publish a second v=spf1 TXT record to hold the overflow, since two SPF records are a PermError
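The 255-character item above, as an added example that is not from the original article: the record is cut into strings of at most 255 bytes that all live inside one TXT record, and a receiver rebuilds it by plain concatenation. The long record with 30 ip4 terms and an include of _spf.mailer.example is constructed for the demonstration.

```python
"""Packing a long SPF record into one TXT record of several <=255-byte strings.
Added example, not from the original article; the long record below is constructed."""

MAX_STRING = 255   # RFC 1035 <character-string> limit: per string, not per record

def split_txt(record, limit=MAX_STRING):
    """Cut a record at token boundaries into strings of at most `limit` bytes.

    Every string except the last keeps its trailing space, so plain concatenation
    (which is what receivers do) rebuilds the record exactly. SPF records are
    ASCII, so len() counts bytes.
    """
    tokens = record.split(" ")
    units = [t + " " for t in tokens[:-1]] + tokens[-1:]
    parts, current = [], ""
    for unit in units:
        if len(current) + len(unit) <= limit:
            current += unit
            continue
        if current:
            parts.append(current)
        while len(unit) > limit:                # a single token over 255 must be cut mid-token
            parts.append(unit[:limit])
            unit = unit[limit:]
        current = unit
    if current:
        parts.append(current)
    return parts

def join_txt(strings):
    """What a receiver does with a multi-string TXT record (RFC 7208 section 3.3)."""
    return "".join(strings)

def zone_rr(owner, record):
    """Render the record as ONE zone-file TXT record, multi-string when needed."""
    parts = split_txt(record)
    if len(parts) == 1:
        return f'{owner} IN TXT "{parts[0]}"'
    return f"{owner} IN TXT ( " + " ".join(f'"{p}"' for p in parts) + " )"

def oversized_strings(strings):
    """Strings an authoritative server will refuse when loading the zone: the wrong way
    to publish a long record is one string longer than 255 bytes."""
    return [s for s in strings if len(s.encode()) > MAX_STRING]

# Constructed: 30 ip4 terms plus an include push the record well past 255 bytes.
LONG_RECORD = ("v=spf1 " + " ".join(f"ip4:203.0.113.{i}" for i in range(30))
               + " include:_spf.mailer.example -all")

if __name__ == "__main__":
    print(zone_rr("@", LONG_RECORD))
    print("string lengths:", [len(p) for p in split_txt(LONG_RECORD)],
          "rebuilt exactly:", join_txt(split_txt(LONG_RECORD)) == LONG_RECORD)
```

zone_rr produces the line that goes into the zone file (or, for a hosted DNS panel, the quoted strings that go into a single TXT value). Cutting at token boundaries is a readability choice, not a requirement: receivers concatenate the strings with nothing in between, which is also why a split that drops the space between two terms silently merges them into one unknown mechanism and a PermError.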
Example SPF Record #
Your company sends email using:
- Your own mail server: 198.51.100.23
- Google Workspace
- Amazon SES
A record to start with (tighten ~all to -all once DMARC reports confirm every source is listed):
v=spf1 ip4:198.51.100.23 include:_spf.google.com include:amazonses.com ~all
By properly configuring SPF, you help ensure your messages reach inboxes, not spam folders, and protect your brand from spoofing. For assistance, consult your DNS host or email service provider.