SPF explained
SPF is the DNS record that says who may send mail for your domain. Here's the syntax, the soft-fail vs hard-fail choice, and the gotchas (forwarding, the 10-lookup limit) that trip people up.
What SPF is
SPF (Sender Policy Framework) is a single DNS TXT record that lists the IP
addresses and services authorized to send mail for your domain. When a server receives your
message, it checks the sending server against that list. If it is not authorized, SPF fails. It is the simplest
of the three authentication records, and the oldest, which is why it has the most rough edges.
The record
example.com. IN TXT "v=spf1 ip4:198.51.100.10 include:_spf.google.com include:mailgun.org ~all"
Mechanisms
v=spf1 ; version (required, first token)
ip4:198.51.100.10 ; authorize a specific IPv4 address or range
a ; authorize the domain's own A record
mx ; authorize the domain's mail servers (MX)
include:_spf... ; import another domain's SPF (e.g. your ESP)
~all ; soft-fail everything else (mark, don't reject)
-all ; hard-fail everything else (reject)
You build the record from these tokens: name your own servers (ip4, a,
mx), include the SPF of every third-party service that sends for you (your email
provider, marketing tool, help desk), and end with an all mechanism that catches everything else.
~all vs -all
| Ending | Means | Effect on unlisted senders | Use when |
|---|---|---|---|
| ~all | Soft fail | Marked suspicious, usually still accepted | Rolling out, not yet sure all sources are listed |
| -all | Hard fail | Rejected | Confident every legitimate sender is listed |
| ?all | Neutral | No opinion (avoid) | Effectively no protection |
The two gotchas
1. Forwarding breaks SPF. SPF checks whichever server is currently delivering the message, so a forwarding server (not in your record) fails the check. This is SPF’s built-in limitation, and the reason DKIM and DMARC exist.
2. The 10-lookup limit. SPF permits at most 10 DNS lookups per evaluation;
every include, a, and mx counts, including those inside the records you include. Too many include: entries
(one per service is easy to accumulate) tip you over into a permerror, which receivers treat as a
fail. Consolidate or flatten to stay under it. See the deliverability guide
for where SPF sits among the other inbox factors.
Treat the record as a living inventory of who sends as you. Every time you adopt a new service
that sends on your behalf, a marketing platform, a ticketing system, a transactional API, add its
include: and re-check the lookup count; every time you drop one, prune it, because a stale entry
both wastes a lookup and leaves an authorized sender you no longer control. Once you are confident the list is
complete and correct, move from ~all to -all so unlisted senders are rejected outright
rather than merely flagged.
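As an added example (not part of the original article), here is a small offline checker for the two maintenance tasks above: it follows include: chains to count the DNS lookups a receiver would spend, rejects a domain that publishes two v=spf1 records, and reports a record that does not end in ~all or -all. It goes slightly beyond the text by also counting ptr, exists and redirect=, which RFC 7208 charges to the same 10-lookup budget. The ZONE dictionary is a constructed stand-in for DNS TXT answers; none of its domains or records are real.

```python
import re

# Constructed, offline stand-in for DNS TXT answers; none of these domains or records are real.
ZONE = {
    "example.com": ["v=spf1 ip4:198.51.100.10 include:_spf.esp.test include:crm.test ~all"],
    "_spf.esp.test": ["v=spf1 ip4:203.0.113.0/24 include:a.esp.test include:b.esp.test -all"],
    "a.esp.test": ["v=spf1 a mx -all"],
    "b.esp.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "crm.test": ["v=spf1 a mx mx:relay.crm.test exists:%{i}.rbl.test redirect=legacy.crm.test"],
    "legacy.crm.test": ["v=spf1 ptr -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],  # two records: permerror
}
LOOKUP_TERMS = {"include", "redirect", "a", "mx", "ptr", "exists"}  # RFC 7208 section 4.6.4
MAX_LOOKUPS = 10

def spf_terms(domain, zone=ZONE):
    """Return the tokens after 'v=spf1' of the domain's single SPF record."""
    recs = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        raise ValueError(f"{domain}: {len(recs)} SPF records found, exactly one required")
    return recs[0].split()[1:]

def parse_term(term):
    """Split e.g. '~include:x' into (qualifier, name, argument); default qualifier is '+'."""
    qual = term[0] if term[0] in "+-~?" else "+"
    name, arg = re.match(r"([a-z0-9]+)[:=/]?(.*)", term.lstrip("+-~?").lower()).groups()
    return qual, name, arg

def count_lookups(domain, zone=ZONE, path=frozenset()):
    """DNS lookups a receiver spends evaluating the domain's SPF, following include/redirect."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    total = 0
    for term in spf_terms(domain, zone):
        _, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):  # the nested record spends lookups too
            total += count_lookups(arg, zone, path | {domain})
    return total

def lint(domain, zone=ZONE):
    """Findings to fix before moving the record from ~all to -all."""
    findings = []
    n = count_lookups(domain, zone)
    if n > MAX_LOOKUPS:
        findings.append(f"{n} DNS lookups exceeds {MAX_LOOKUPS}: receivers return permerror")
    ending = {name: qual for qual, name, _ in map(parse_term, spf_terms(domain, zone))}.get("all")
    if ending not in ("~", "-"):
        findings.append("record does not end in ~all or -all: unlisted senders are not caught")
    return findings
```

In the constructed zone, example.com's two includes fan out to 12 lookups, so lint("example.com") reports the permerror even though the record itself looks short.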
FAQ
What is an SPF record?
A single DNS TXT record on your domain that lists which IP addresses and services are allowed to send mail using your domain. A receiving server compares the sending server against that list; if it is not authorized, SPF fails. It is the simplest of the three email-authentication records.
What's the difference between ~all and -all?
Both define what happens to senders not on your list. ~all is a soft fail: 'probably not us, mark it but still accept.' -all is a hard fail: 'definitely not us, reject.' Most senders use ~all until they are certain every legitimate source is listed, then move to -all for stronger protection. DMARC can enforce a real policy on top of either.
Why does SPF break when email is forwarded?
SPF checks the server that is currently delivering the message. When mail is forwarded, the forwarding server, which is not in your SPF record, becomes the sender, so SPF fails. This is SPF's fundamental limitation and exactly why DKIM (which survives forwarding) and DMARC (which can pass on DKIM instead) exist.
What is the SPF 10-lookup limit?
SPF allows at most 10 DNS lookups while evaluating a record (each include, a, and mx counts). Exceed it and SPF returns 'permerror', which most receivers treat as a fail. Stacking many include: entries (one per service) is the usual cause; flatten or consolidate them to stay under the limit.
Can I have more than one SPF record?
No. A domain must have exactly one SPF (v=spf1) TXT record. Two SPF records is a configuration error that causes a permerror. When you add a new sending service, merge its include: into your single existing record rather than publishing a second one.
Is SPF enough on its own?
No. SPF breaks on forwarding, says nothing about message integrity, and has no policy or reporting of its own. It is one leg of a tripod: pair it with DKIM (signing) and DMARC (policy + alignment + reports) for authentication that actually holds up.
Sender authentication grew up alongside the SMTP content KB Cafe documented from the start. This is the modern SPF reference: the record, the soft-fail vs hard-fail call, and the forwarding and lookup-limit traps that still catch experienced senders.