SPF (Sender Policy Framework)
Authorize which servers can send email for your domain.
SPF allows you to specify which mail servers are authorized to send email on behalf of your domain. Receiving servers check SPF to verify the sending server is legitimate.
How SPF Works
- You publish an SPF record in your domain's DNS (TXT record)
- The record lists authorized sending IP addresses and domains
- When a server receives email from your domain, it looks up your SPF record
- It checks if the sending server's IP is authorized
- The result (pass/fail/softfail) influences delivery decisions
SPF Record Syntax
```
# Basic SPF record structure
v=spf1 [mechanisms] [modifiers] [qualifier]all

# Example: Allow Google Workspace and a custom server
v=spf1 include:_spf.google.com ip4:203.0.113.50 -all

# Breakdown:
# v=spf1   - Version (required, must be first)
# include: - Include another domain's SPF record
# ip4:     - Authorize specific IPv4 address/range
# ip6:     - Authorize specific IPv6 address/range
# a        - Authorize the domain's A record IPs
# mx       - Authorize the domain's MX record IPs
# -all     - Fail all other sources (strict)
# ~all     - Softfail all other sources (testing)
# ?all     - Neutral (not recommended)
```
SPF Qualifiers
| Qualifier | Meaning | Recommendation |
|---|---|---|
| -all | Hard fail - reject unauthorized senders | Recommended |
| ~all | Soft fail - mark as suspicious but accept | Testing only |
| ?all | Neutral - no assertion about unauthorized | Not recommended |
| +all | Pass - allow all senders | Never use |
Common SPF Includes
Here are the SPF include statements for popular email services:
| Service | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
| Amazon SES | include:amazonses.com |
| Zendesk | include:mail.zendesk.com |
| Salesforce | include:_spf.salesforce.com |
| HubSpot | include:spf.hubspot.com |
| Freshdesk | include:email.freshdesk.com |
| Postmark | include:spf.mtasv.net |
| Intercom | include:mail.intercom.io |
10 DNS Lookup Limit
SPF evaluation is limited to 10 DNS lookups. Each include:, a, mx, and redirect counts as a lookup, including those inside the records that an include: pulls in. Exceeding this limit makes the SPF check return a "PermError" result.
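To audit a record against this limit, the added example below (not code from this page) walks a record and everything it includes, counting the worst-case number of lookup-costing terms. It goes slightly beyond the list above by also counting ptr and exists, which RFC 7208 counts as well. The `ZONE` data, domain names and function names are constructed for illustration, and macro expansion in targets is not handled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that cost a DNS query: include, a, mx, ptr, exists, and the redirect modifier.
# ip4, ip6 and all cost nothing.
QUERY_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)

# Constructed sample data (not real DNS): domain -> published SPF TXT record.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:_spf.crm.example "
                   "include:_spf.news.example a mx ip4:203.0.113.50 -all",
    "_spf.mail.example": "v=spf1 include:_n1.mail.example include:_n2.mail.example "
                         "include:_n3.mail.example ~all",
    "_n1.mail.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_n2.mail.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_n3.mail.example": "v=spf1 ip6:2001:db8::/48 ~all",
    "_spf.crm.example": "v=spf1 include:_n1.crm.example exists:%{i}.crm.example ~all",
    "_n1.crm.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_spf.news.example": "v=spf1 a:out.news.example mx ~all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reached from domain's SPF record."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        match = QUERY_TERM.match(term)
        if not match:
            continue
        total += 1  # the term itself costs one lookup
        name = match.group(1).lower()
        if name in ("include", "redirect"):
            # Nested records count against the same budget.
            target = term.split(":" if name == "include" else "=", 1)[1]
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return (lookups, verdict) where verdict is 'ok' or 'permerror'."""
    n = count_lookups(domain, zone)
    return n, ("ok" if n <= LOOKUP_LIMIT else "permerror")

if __name__ == "__main__":
    print(audit("example.com", ZONE))  # (12, 'permerror')
```

The count is a worst case: a real evaluation stops at the first matching mechanism, so a record that scores over 10 here may pass for some senders and return PermError for others.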
Avoiding the Lookup Limit
If you're hitting the 10 lookup limit, consider these solutions:
- Flatten your SPF record — Replace includes with explicit IP addresses
- Use SPF flattening services — Tools that automatically maintain flattened records
- Remove unused services — Audit and remove services you no longer use
- Use subdomains — Send from different subdomains for different services
SPF Limitations
SPF alone isn't enough for full email authentication:
- Only checks envelope sender — Not the "From" header that users see
- Breaks with forwarding — Forwarded emails fail SPF because the forwarding server isn't authorized
- No encryption — SPF doesn't protect message content
That's why SPF should always be used together with DKIM and DMARC.
Example SPF Records
```
# Simple: Google Workspace only
v=spf1 include:_spf.google.com -all

# Multiple services: Google + SendGrid + custom server
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 -all

# Microsoft 365 with marketing tools
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:spf.hubspot.com -all
```