What Is SPF?
Sender Policy Framework (SPF) is a DNS-based email authentication mechanism. It lets you specify which IP addresses and servers are authorized to send email on behalf of your domain.
How SPF Works
- You publish a TXT record in DNS listing authorized senders
- Receiving servers check the sending IP against your SPF record
- Messages from unauthorized IPs may be rejected or flagged as spam
Basic SPF Record Syntax
`v=spf1 ip4:198.48.63.240/28 a mx -all`
Components:
- `v=spf1` — version identifier (required)
- `ip4:` — authorize an IPv4 address or range
- `a` — authorize the domain A record IP
- `mx` — authorize IPs of MX records
- `-all` — reject all other senders (hard fail)
Common SPF Directives
| Directive | Meaning |
|---|---|
| include:_spf.google.com | Allow Google Workspace to send |
| include:sendgrid.net | Allow SendGrid relay |
| ip6:2001:db8::/32 | Authorize an IPv6 range |
| ~all | Soft fail (mark but deliver) |
| -all | Hard fail (reject) |
Testing Your SPF Record
`dig +short TXT example.com | grep spf`
Use online tools like MXToolbox SPF checker to validate syntax and lookup count. SPF allows a maximum of 10 DNS lookups — exceeding this causes a permanent error.
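
The lookup count can also be checked locally. The following is an added example, not part of the original page: it counts the terms that trigger DNS queries (per RFC 7208, section 4.6.4) across nested `include` and `redirect` records. The `ZONE` dictionary is constructed sample data standing in for live DNS, and the function names are hypothetical.

```python
import re

# Terms that trigger a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed sample zone (domain -> SPF TXT record); stands in for live DNS.
ZONE = {
    "example.com": "v=spf1 ip4:198.48.63.240/28 a mx include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "bloated.example": "v=spf1 a mx "
    + " ".join(f"include:s{i}.example" for i in range(9)) + " -all",
}
ZONE.update({f"s{i}.example": f"v=spf1 ip4:203.0.113.{i} ~all" for i in range(9)})

def parse_terms(record):
    """Yield (name, value) for every term after the version tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    for term in parts[1:]:
        # optional qualifier, term name, optional :value or =value, optional /cidr
        m = re.fullmatch(r"[+\-~?]?([a-z][a-z0-9_.-]*)(?:[:=]([^/]*))?(?:/.*)?", term.lower())
        if m is None:
            raise ValueError(f"unparseable term: {term!r}")
        yield m.group(1), m.group(2)

def count_lookups(domain, zone, path=()):
    """Worst-case count: assumes no mechanism matches early, so every term is evaluated."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    if domain not in zone:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for name, value in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1  # the term itself costs one lookup
            if name in ("include", "redirect"):
                total += count_lookups(value, zone, path + (domain,))
    return total

def check(domain, zone):
    """Return (lookup_count, 'ok' or 'permerror') for a domain's SPF policy."""
    n = count_lookups(domain, zone)
    return n, ("ok" if n <= MAX_LOOKUPS else "permerror")
```

Here `example.com` stays within the limit, while `bloated.example` exceeds it with nine `include` terms plus `a` and `mx`.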
Best Practices
- Always use `-all` (hard fail) once you have confirmed your authorized senders
- Minimize `include` statements to stay under the 10-lookup limit
- Use `ip4` and `ip6` for known server IPs to avoid unnecessary lookups
- Combine SPF with DKIM and DMARC for complete email authentication